Analysis
max time kernel: 91s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 18:55
Static task
static1: 1 signature

Behavioral task
behavioral1
Sample: FortniteFPS.exe
Resource: win7-20240220-en
7 signatures, 150 seconds

Behavioral task
behavioral2
Sample: FortniteFPS.exe
Resource: win10v2004-20231215-en
6 signatures, 150 seconds
General
Target: FortniteFPS.exe
Size: 444KB
MD5: ed8f9d380212722ab220453cf5c64524
SHA1: e7cf9a672de8766bb9db767f4b3aaf3a7a0f6b10
SHA256: fda3dd5344e004dc209fe24b2e383fbef569e11dc14f0d02c2051e8a69c80427
SHA512: 137a381f40c6db23580350322ddbc2930504dac23b693611ff975efa042fe4ba24587580339c27664eae0ae3c63278dc00e11aa82db6b9acceb0dd806f0c37c8
SSDEEP: 12288:khpdFOiCa+pp6DkqebgShtFRvKAOjzEcaY6RqTWmHH:kSa+E9SzFRy7jzEcB6UK
Score: 10/10
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description            pid   process      target process
  PID 3296 created 2648  3296  RegAsm.exe   sihost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process          target process
  PID 436 set thread context of 3296  436  FortniteFPS.exe  RegAsm.exe

Program crash (3 IoCs)
Processes:
  pid   pid_target  process       target process
  3928  436         WerFault.exe  FortniteFPS.exe
  2352  3296        WerFault.exe  RegAsm.exe
  2036  3296        WerFault.exe  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process     occurrences
  3296  RegAsm.exe  2
  4400  dialer.exe  4

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description                       pid   process          target process  occurrences
  PID 436 wrote to memory of 2420   436   FortniteFPS.exe  RegAsm.exe      3
  PID 436 wrote to memory of 3296   436   FortniteFPS.exe  RegAsm.exe      11
  PID 3296 wrote to memory of 4400  3296  RegAsm.exe       dialer.exe      5
Processes (tree; image path, then command line, then PID; signatures hit by each process listed as bullets)

C:\Windows\system32\sihost.exe
  sihost.exe
  PID:2648
    C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      PID:4400
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\FortniteFPS.exe
  "C:\Users\Admin\AppData\Local\Temp\FortniteFPS.exe"
  PID:436
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:2420
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:3296
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 600
          PID:2352
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 596
          PID:2036
          - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 876
      PID:3928
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 436 -ip 436
  PID:2584

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3296 -ip 3296
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3296 -ip 3296
  PID:216