Overview (score 10)
Static (score 3)
Behavioral tasks (sample, platform: score):
- FоrtniteHack.rar, windows7-x64: 3
- FоrtniteHack.rar, windows10-2004-x64: 7
- FоrtniteH...ck.exe, windows7-x64: 3
- FоrtniteH...ck.exe, windows10-2004-x64: 10
- FоrtniteH...-8.dll, windows7-x64: 1
- FоrtniteH...-8.dll, windows10-2004-x64: 1
- FоrtniteH...16.dll, windows7-x64: 1
- FоrtniteH...16.dll, windows10-2004-x64: 1
- FоrtniteH...er.vdf, windows7-x64: 3
- FоrtniteH...er.vdf, windows10-2004-x64: 3
- FоrtniteH...ns.txt, windows7-x64: 1
- FоrtniteH...ns.txt, windows10-2004-x64: 1

Analysis
- Max time kernel: 120s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20240220-en
- Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- Submitted: 25-02-2024 00:34
Tasks (task: sample, resource):
- static1 (static task)
- behavioral1: FоrtniteHack.rar, win7-20240221-en
- behavioral2: FоrtniteHack.rar, win10v2004-20240221-en
- behavioral3: FоrtniteHack/FоrtniteHack.exe, win7-20240220-en
- behavioral4: FоrtniteHack/FоrtniteHack.exe, win10v2004-20240221-en
- behavioral5: FоrtniteHack/libnettle-8.dll, win7-20240221-en
- behavioral6: FоrtniteHack/libnettle-8.dll, win10v2004-20240221-en
- behavioral7: FоrtniteHack/libpng16-16.dll, win7-20240221-en
- behavioral8: FоrtniteHack/libpng16-16.dll, win10v2004-20240221-en
- behavioral9: FоrtniteHack/libraryfolder.vdf, win7-20240220-en
- behavioral10: FоrtniteHack/libraryfolder.vdf, win10v2004-20240221-en
- behavioral11: FоrtniteHack/options.txt, win7-20240221-en
- behavioral12: FоrtniteHack/options.txt, win10v2004-20240221-en
General
- Target: FоrtniteHack/libraryfolder.vdf
- Size: 125B
- MD5: 8760dccce6639e32519fae960c77e4c6
- SHA1: 9b21a349868ebcb3c11764e12366d7f301cdff93
- SHA256: 44d80569fa294e24ae57f189fe5a587f51e46e3ee2360b888b44d69b516c89b4
- SHA512: a980c5e8809b32606849e97a95b3a4b5e9e8b131cf69cd36fc60275ad7173eceaad3fc3a6fa03cc0cafbc2545076172e983c0734637ca11374f3e7f1bceadb84
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  Entries (description: ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vdf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"", rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vdf_auto_file\, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vdf, rundll32.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vdf\ = "vdf_auto_file", rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vdf_auto_file\shell\Read, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vdf_auto_file, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vdf_auto_file\shell, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vdf_auto_file\shell\Read\command, rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  Entries (pid, process):
  - 2564, AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  Entries (pid, process):
  - 2564, AcroRd32.exe
  - 2564, AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  Entries (description: pid, process, target process):
  - PID 2292 wrote to memory of 2608: 2292, cmd.exe, rundll32.exe
  - PID 2292 wrote to memory of 2608: 2292, cmd.exe, rundll32.exe
  - PID 2292 wrote to memory of 2608: 2292, cmd.exe, rundll32.exe
  - PID 2608 wrote to memory of 2564: 2608, rundll32.exe, AcroRd32.exe
  - PID 2608 wrote to memory of 2564: 2608, rundll32.exe, AcroRd32.exe
  - PID 2608 wrote to memory of 2564: 2608, rundll32.exe, AcroRd32.exe
  - PID 2608 wrote to memory of 2564: 2608, rundll32.exe, AcroRd32.exe
Processes (tree; depth 1 spawns depth 2, depth 2 spawns depth 3)
- [1] C:\Windows\system32\cmd.exe (PID 2292)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\libraryfolder.vdf
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\rundll32.exe (PID 2608)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\libraryfolder.vdf
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2564)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\libraryfolder.vdf"
      Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: c10ddf500ba8690b7b33c7641c961664
  SHA1: 03a303f1b31aafd5734e10413304082d98443767
  SHA256: 544a228e8283e9190a7c109dd662cf5c270e1f04bb87085cb1d15b8e35fd40f6
  SHA512: 3f4358aae80d53540548cf619c4e86c65b388006d786ad1ab9c71a1b0044c31f14e5e3e8c387e4041e502b016320721f7cc82086fd415944dcccec8c66300c76