Overview

overview

10

Static

static

3

fortnite-external.exe

windows7-x64

1

fortnite-external.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fortnite-external.exe

  • Size

    392KB

  • Sample

    240921-kmze2stenq

  • MD5

    450270d6a68cf6364e98f16b917a84e6

  • SHA1

    3e89467c9cbc12a76ab77c50913ee45420e16ccc

  • SHA256

    30a300329684903e2ca4a937aacbfb337ab30474aadd40e473ca544e8069c52d

  • SHA512

    27c7b9c03a026ba578d6c71f6805d07a702740ce21f2e738cadb7fd2d455d6b1abf620c5b147ee018494a33376ff4e907bdf8ce0fa76f7970abe6cd03da6b4b6

  • SSDEEP

    6144:whcdTWDsDiY4ElESAtEnESbkaXOahqJiSxRODbGWrZjkmn35GYrZ8RA:fdxE7xr4kmnJ

Score
10/10
discoveryexecutionpersistence

Malware Config

Targets

    • Target

      fortnite-external.exe

    • Size

      392KB

    • MD5

      450270d6a68cf6364e98f16b917a84e6

    • SHA1

      3e89467c9cbc12a76ab77c50913ee45420e16ccc

    • SHA256

      30a300329684903e2ca4a937aacbfb337ab30474aadd40e473ca544e8069c52d

    • SHA512

      27c7b9c03a026ba578d6c71f6805d07a702740ce21f2e738cadb7fd2d455d6b1abf620c5b147ee018494a33376ff4e907bdf8ce0fa76f7970abe6cd03da6b4b6

    • SSDEEP

      6144:whcdTWDsDiY4ElESAtEnESbkaXOahqJiSxRODbGWrZjkmn35GYrZ8RA:fdxE7xr4kmnJ

    Score
    10/10
    discoveryexecutionpersistence

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks