Analysis
max time kernel: 593s
max time network: 601s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 20:39
Static task: static1
Behavioral task: behavioral1
  Sample: FоrtniteHack/FоrtniteHack/FоrtniteHack.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral2
  Sample: FоrtniteHack/FоrtniteHack/libnettle-8.dll
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: FоrtniteHack/FоrtniteHack/libpng16-16.dll
  Resource: win10v2004-20240412-en
General
Target: FоrtniteHack/FоrtniteHack/FоrtniteHack.exe
Size: 2.4MB
MD5: 98d67174a64d76751fe7f5f9b59acd0f
SHA1: 8ff6b05c0d393f398d8bf7f217b61ef4559e5051
SHA256: 2350036f4d3ada372336a56429281f96d7deefc637246ede1668ef6a33f7b4b1
SHA512: 55cf83aeb444d8a084987924fd808ca96b94aca405d261fb3702c78387298c5604f8fb8391affe6901a3875581c487ea46ab25ce589862b7cd7b8129e26867b9
SSDEEP: 49152:2uWXVMDdRolOyNTE91NaLnq6x8DGLyGC:hiSDdRoUYE910LJR
Malware Config
Extracted
lumma
Signatures
Loads dropped DLL (1 IoCs)
  Processes: PID 4888 FоrtniteHack.exe
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 4888 (FоrtniteHack.exe) set thread context of PID 2488 (vbc.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: PID 4888 (FоrtniteHack.exe) wrote to memory of PID 2488 (vbc.exe), 9 occurrences
Processes
-
C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\FоrtniteHack\FоrtniteHack.exe"C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\FоrtniteHack\FоrtniteHack.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 401KB
  MD5: f33827e096a4f5b285a1302c1d9b77a7
  SHA1: c60f62deb06357f4441a70446568d2917a0d6114
  SHA256: fad067e2cd5c4db0996fa8c07d39b7f82b45c6188d9eb0c7a4440f68a62242c0
  SHA512: 8bb313ab84f0c0f4839561b2fcfac1280dd0ceefb64af313afcf71d4520a53b32d7bcc284b35c21be75595bb12ef42f988191196fc85dec81b6a02caac02380d
memory/2488-8-0x0000000001100000-0x000000000114F000-memory.dmp
  Filesize: 316KB
memory/2488-14-0x0000000001100000-0x000000000114F000-memory.dmp
  Filesize: 316KB
memory/2488-17-0x0000000001100000-0x000000000114F000-memory.dmp
  Filesize: 316KB
memory/4888-0-0x0000000000E40000-0x00000000011DC000-memory.dmp
  Filesize: 3.6MB
memory/4888-1-0x00000000752D0000-0x0000000075A80000-memory.dmp
  Filesize: 7.7MB
memory/4888-2-0x0000000005650000-0x0000000005651000-memory.dmp
  Filesize: 4KB
memory/4888-12-0x00000000752D0000-0x0000000075A80000-memory.dmp
  Filesize: 7.7MB