e531f1e904c4a4093a7cc9a960704e428d4bd1f6dd000aa06ec5aabdfc5f4cb7

Analysis

max time kernel
120s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-08-2023 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortect.exe
Size

714KB
MD5

01712de1e76332696b79c25ee32c9704
SHA1

eaccbc242d11208d882e5e17b1e3c02adb78af33
SHA256

e531f1e904c4a4093a7cc9a960704e428d4bd1f6dd000aa06ec5aabdfc5f4cb7
SHA512

910d60cd5a90b93955da2186a9b23bf862b3aa8e2fc385138a89ab6ec9d0af91e16eb55b158dc22663f2e3f86277fc6e3e237f9a2a0cbf9c24d6fa562f4a60fb
SSDEEP

12288:iYhqRe1sCFnuulCRaIqZPPY1tXHFVX8JPMTz1:iYhqw1skn7lCsvQ11ldJl

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fortect.ini	Fortect.exe

Loads dropped DLL 12 IoCs

pid	Process
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe
2468	Fortect.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	Fortect.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2812	WMIC.exe
Token: SeSecurityPrivilege	2812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2812	WMIC.exe
Token: SeLoadDriverPrivilege	2812	WMIC.exe
Token: SeSystemProfilePrivilege	2812	WMIC.exe
Token: SeSystemtimePrivilege	2812	WMIC.exe
Token: SeProfSingleProcessPrivilege	2812	WMIC.exe
Token: SeIncBasePriorityPrivilege	2812	WMIC.exe
Token: SeCreatePagefilePrivilege	2812	WMIC.exe
Token: SeBackupPrivilege	2812	WMIC.exe
Token: SeRestorePrivilege	2812	WMIC.exe
Token: SeShutdownPrivilege	2812	WMIC.exe
Token: SeDebugPrivilege	2812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2812	WMIC.exe
Token: SeRemoteShutdownPrivilege	2812	WMIC.exe
Token: SeUndockPrivilege	2812	WMIC.exe
Token: SeManageVolumePrivilege	2812	WMIC.exe
Token: 33	2812	WMIC.exe
Token: 34	2812	WMIC.exe
Token: 35	2812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2812	WMIC.exe
Token: SeSecurityPrivilege	2812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2812	WMIC.exe
Token: SeLoadDriverPrivilege	2812	WMIC.exe
Token: SeSystemProfilePrivilege	2812	WMIC.exe
Token: SeSystemtimePrivilege	2812	WMIC.exe
Token: SeProfSingleProcessPrivilege	2812	WMIC.exe
Token: SeIncBasePriorityPrivilege	2812	WMIC.exe
Token: SeCreatePagefilePrivilege	2812	WMIC.exe
Token: SeBackupPrivilege	2812	WMIC.exe
Token: SeRestorePrivilege	2812	WMIC.exe
Token: SeShutdownPrivilege	2812	WMIC.exe
Token: SeDebugPrivilege	2812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2812	WMIC.exe
Token: SeRemoteShutdownPrivilege	2812	WMIC.exe
Token: SeUndockPrivilege	2812	WMIC.exe
Token: SeManageVolumePrivilege	2812	WMIC.exe
Token: 33	2812	WMIC.exe
Token: 34	2812	WMIC.exe
Token: 35	2812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2824	WMIC.exe
Token: SeSecurityPrivilege	2824	WMIC.exe
Token: SeTakeOwnershipPrivilege	2824	WMIC.exe
Token: SeLoadDriverPrivilege	2824	WMIC.exe
Token: SeSystemProfilePrivilege	2824	WMIC.exe
Token: SeSystemtimePrivilege	2824	WMIC.exe
Token: SeProfSingleProcessPrivilege	2824	WMIC.exe
Token: SeIncBasePriorityPrivilege	2824	WMIC.exe
Token: SeCreatePagefilePrivilege	2824	WMIC.exe
Token: SeBackupPrivilege	2824	WMIC.exe
Token: SeRestorePrivilege	2824	WMIC.exe
Token: SeShutdownPrivilege	2824	WMIC.exe
Token: SeDebugPrivilege	2824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2824	WMIC.exe
Token: SeRemoteShutdownPrivilege	2824	WMIC.exe
Token: SeUndockPrivilege	2824	WMIC.exe
Token: SeManageVolumePrivilege	2824	WMIC.exe
Token: 33	2824	WMIC.exe
Token: 34	2824	WMIC.exe
Token: 35	2824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2824	WMIC.exe
Token: SeSecurityPrivilege	2824	WMIC.exe
Token: SeTakeOwnershipPrivilege	2824	WMIC.exe
Token: SeLoadDriverPrivilege	2824	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2520	2468	Fortect.exe	28
PID 2468 wrote to memory of 2520	2468	Fortect.exe	28
PID 2468 wrote to memory of 2520	2468	Fortect.exe	28
PID 2468 wrote to memory of 2520	2468	Fortect.exe	28
PID 2520 wrote to memory of 2812	2520	cmd.exe	30
PID 2520 wrote to memory of 2812	2520	cmd.exe	30
PID 2520 wrote to memory of 2812	2520	cmd.exe	30
PID 2520 wrote to memory of 2812	2520	cmd.exe	30
PID 2468 wrote to memory of 2320	2468	Fortect.exe	32
PID 2468 wrote to memory of 2320	2468	Fortect.exe	32
PID 2468 wrote to memory of 2320	2468	Fortect.exe	32
PID 2468 wrote to memory of 2320	2468	Fortect.exe	32
PID 2320 wrote to memory of 2824	2320	cmd.exe	34
PID 2320 wrote to memory of 2824	2320	cmd.exe	34
PID 2320 wrote to memory of 2824	2320	cmd.exe	34
PID 2320 wrote to memory of 2824	2320	cmd.exe	34
PID 2468 wrote to memory of 2656	2468	Fortect.exe	35
PID 2468 wrote to memory of 2656	2468	Fortect.exe	35
PID 2468 wrote to memory of 2656	2468	Fortect.exe	35
PID 2468 wrote to memory of 2656	2468	Fortect.exe	35
PID 2656 wrote to memory of 2728	2656	cmd.exe	37
PID 2656 wrote to memory of 2728	2656	cmd.exe	37
PID 2656 wrote to memory of 2728	2656	cmd.exe	37
PID 2656 wrote to memory of 2728	2656	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\Fortect.exe
"C:\Users\Admin\AppData\Local\Temp\Fortect.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe" path Win32_BIOS get SerialNumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\wmic.exe path Win32_BIOS get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe" path Win32_DiskDrive get SerialNumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\wmic.exe path Win32_DiskDrive get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe" path Win32_ComputerSystemProduct get UUID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystemProduct get UUID
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\ExecDos.dll

Filesize
27KB

MD5
f920b104c2fe5ca6fedd2b5825544ee6

SHA1
23116ab1316a135c6507a532839dd63509039046

SHA256
4cbc00b2ba0ce3052427a541d72501d45cbd93442a9a85ea249c2894df529000

SHA512
5aa8142ad29b630278377fc05a02437c640670e011d20f1d3c18f06144a0eaee92775a55a6489b0372f59143df88aa15638cc4b3a47ed309e8bf25e87f920739

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\INetC.dll

Filesize
45KB

MD5
9f3c809a6f525a8ef0c981c84113560e

SHA1
61770595387f4f6bceb8b7b4542730a865dffdbd

SHA256
4d7a2d9151e02b971f38d10ffe8937f34227ad5a2ce11e7879df094482deca72

SHA512
7ec73df64dcf2f4a394499601551b8d658ec11886709a4125c12a6116bd8864be2274d2b2cb54b3cd731ff75f7f969661c223832138c3243faea028cd71aba84

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\nsProcess.dll

Filesize
25KB

MD5
92e43d9e657a2366b412475683ad7b07

SHA1
9de0cd039d79bf90a407a09b283ecff5b511bd98

SHA256
1093622ea8e01f5614f343603d8c622193eafa5b35773e5bd2c2dc0911f22a48

SHA512
591d4bb819d5b8622dcc2be75ee78c25ac84da843a5cb6270046ad427f38e97e619dc5726a3aef2d3c202990d5ddc0bf1af1e7e7436ca3b18377871616e49181

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\Banner.dll

Filesize
24KB

MD5
f26199dd8e7cc2b8746f686b8546acde

SHA1
aebc8d0265774fea38d6f3d8467e1a80ac19b28f

SHA256
140a563d234e73ffee1ee3c2c76ae03d4966f57b7e4363622c002709eb8495ce

SHA512
59fdf0173c8b58364b6edc18fa9844044101169382eb7dd981d5f5f4753d45cd164ee9a09eb72eb1511de46c6d4e6ff9317e0ba951cbecb18e31472419e71b9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\Crypto.dll

Filesize
24KB

MD5
5f8dddd0537cf9d33230c5f690c0eca0

SHA1
44cbe527b498656fd0af1c19576ec33066b8467c

SHA256
09140b70aa226ccd3c4eb0ea5db056e4774004a96b4a32eeb1e51ecd799fdaea

SHA512
0d5a4bfe5c90326b85d34aeb19a2d0ad9c5aec5892c7721177bf207fcf5c3b57ce420cbef827f18e6110ddcea72854957ddef8804fa3da772116cf74ff1b7e3a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\ExecDos.dll

Filesize
27KB

MD5
f920b104c2fe5ca6fedd2b5825544ee6

SHA1
23116ab1316a135c6507a532839dd63509039046

SHA256
4cbc00b2ba0ce3052427a541d72501d45cbd93442a9a85ea249c2894df529000

SHA512
5aa8142ad29b630278377fc05a02437c640670e011d20f1d3c18f06144a0eaee92775a55a6489b0372f59143df88aa15638cc4b3a47ed309e8bf25e87f920739

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\ExecDos.dll

Filesize
27KB

MD5
f920b104c2fe5ca6fedd2b5825544ee6

SHA1
23116ab1316a135c6507a532839dd63509039046

SHA256
4cbc00b2ba0ce3052427a541d72501d45cbd93442a9a85ea249c2894df529000

SHA512
5aa8142ad29b630278377fc05a02437c640670e011d20f1d3c18f06144a0eaee92775a55a6489b0372f59143df88aa15638cc4b3a47ed309e8bf25e87f920739

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\ExecDos.dll

Filesize
27KB

MD5
f920b104c2fe5ca6fedd2b5825544ee6

SHA1
23116ab1316a135c6507a532839dd63509039046

SHA256
4cbc00b2ba0ce3052427a541d72501d45cbd93442a9a85ea249c2894df529000

SHA512
5aa8142ad29b630278377fc05a02437c640670e011d20f1d3c18f06144a0eaee92775a55a6489b0372f59143df88aa15638cc4b3a47ed309e8bf25e87f920739

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\INetC.dll

Filesize
45KB

MD5
9f3c809a6f525a8ef0c981c84113560e

SHA1
61770595387f4f6bceb8b7b4542730a865dffdbd

SHA256
4d7a2d9151e02b971f38d10ffe8937f34227ad5a2ce11e7879df094482deca72

SHA512
7ec73df64dcf2f4a394499601551b8d658ec11886709a4125c12a6116bd8864be2274d2b2cb54b3cd731ff75f7f969661c223832138c3243faea028cd71aba84

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\INetC.dll

Filesize
45KB

MD5
9f3c809a6f525a8ef0c981c84113560e

SHA1
61770595387f4f6bceb8b7b4542730a865dffdbd

SHA256
4d7a2d9151e02b971f38d10ffe8937f34227ad5a2ce11e7879df094482deca72

SHA512
7ec73df64dcf2f4a394499601551b8d658ec11886709a4125c12a6116bd8864be2274d2b2cb54b3cd731ff75f7f969661c223832138c3243faea028cd71aba84

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\LogEx.dll

Filesize
64KB

MD5
065130bd4bc3b4d769ffb0050a5464d0

SHA1
5997b2834e691d92cb109c808d9054e3fb43d7a7

SHA256
568871b5048cf3e9a9c200c6527938fc616139353e084c43d283f96ba16b4ebb

SHA512
9324c626714191fd6d621bded56137316ca23f8e14fa0923f7652465417523cfaca29b49ddc3d67989edaa8b88227a7ef499fdce2b2bf86d67b91158ae528b91

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\System.dll

Filesize
32KB

MD5
f64b9dfc805639380a2336bf2e803523

SHA1
9c0f3c905e819d4a212b225c5a23e07a5733a3cf

SHA256
69cae8b431d364968bb4d77352718f7d862563ef3efd1d3d18da10b0c2813b2b

SHA512
8cecb2915e747f0f803f4e8a153f67267a1760b6c1821dbb6d89c3e7af47888e6bf0efe9021c45a2aaec2f7afd5fd4b7d6619f4594409c88f047569cd73cb60a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\UserInfo.dll

Filesize
24KB

MD5
921ae5351f80d55cce56054622f5add9

SHA1
081641958f39ae91fb692a6874f66a47a929ae9c

SHA256
eaeb1c53743c3540dbaaceeab03a57a0f16d43be593d87e16a5695298205ad04

SHA512
f6b4bb59703169672c5de62252f69bdb8702f4f13193df9cd632bb4d8d45aef63a25594e340b898ade3f372f47a18b995133bfbadedaf6bb9d316af7b57d89b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\nsDialogs.dll

Filesize
30KB

MD5
793c48821589c9fbf03cfa62a919df2d

SHA1
b21b4ada7f689199e28984d57e5a10bf7d3f18be

SHA256
11832e3c0dc402ef83c17b2ebf94c58e0299b95459aa8657abeac71c47d09b3b

SHA512
9208c78e513ef4d60ea21e7254f8de9cf7677e3d38f9eb8bdfb9aa8573c36c32d0190b1b3bcde918e86741469312ef56f374153fec0cc2db0571ec94abc2c81d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8E6C.tmp\nsProcess.dll

Filesize
25KB

MD5
92e43d9e657a2366b412475683ad7b07

SHA1
9de0cd039d79bf90a407a09b283ecff5b511bd98

SHA256
1093622ea8e01f5614f343603d8c622193eafa5b35773e5bd2c2dc0911f22a48

SHA512
591d4bb819d5b8622dcc2be75ee78c25ac84da843a5cb6270046ad427f38e97e619dc5726a3aef2d3c202990d5ddc0bf1af1e7e7436ca3b18377871616e49181

Download Submit