Malware Analysis Report

2024-10-23 20:57

Sample ID 241015-y9al4azbpj
Target FortniteChecker.exe
SHA256 d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930
Tags: vanillarat, discovery, persistence, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

Threat Level: Known bad

The file FortniteChecker.exe was found to be: Known bad.

Malicious Activity Summary

Tags: vanillarat, discovery, persistence, rat

VanillaRat

Vanilla Rat payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 20:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 20:28

Reported

2024-10-15 20:31

Platform

win7-20240903-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000f5043c0f3b0134e721074904907ba7180113dd62477eac784d34a7fa9d019582000000000e80000000020000200000004f9e3f244aae1bbf310524d15ba8265f34d97a2141581b9d3dffb0d1f732325f20000000022cdbcab3acb4f44b4f9e8b382915aadf106f6a6345bcc31caff19195c7a165400000003d7f1c7828afcae025d49e97908a12d6596e59a55c4986117c7fe0e1456865086b6a2e85e60eca94ba112557e877467db9ca24a93db02af3d8fc7976f095ee39 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{138F3F91-8B34-11EF-8EB4-4E0B11BE40FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08de1ea401fdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435185995" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2328 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2328 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2328 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2328 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 2328 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2328 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2328 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2328 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 3060 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3060 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3060 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3060 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2424 wrote to memory of 2524 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2424 wrote to memory of 2524 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2424 wrote to memory of 2524 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2424 wrote to memory of 2524 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe

"C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe"

C:\Users\Admin\AppData\Roaming\Fortnite.exe

"C:\Users\Admin\AppData\Roaming\Fortnite.exe"

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

"C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=FortniteChecker.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2
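The WriteProcessMemory table and the Processes list above are the only lineage evidence in this run, and every parent/child pair is repeated four times. Read together they say: the Temp copy (PID 2328) writes into the two Roaming copies it launches (2260 Fortnite.exe, 3060 FortniteChecker.exe); 3060 launches iexplore.exe (2424), which launches its own tab process (2524, the SCODEF/CREDAT command line is Internet Explorer's normal frame-to-tab spawn). The iexplore.exe command line is the .NET Framework shim's missing-runtime redirect (go.microsoft.com/fwlink with prd=11324, processName=FortniteChecker.exe, o1=.NETFramework,Version=v4.8, shimver=4.0.30319.0): the dropped FortniteChecker.exe targets .NET 4.8, which the win7 image does not have, so the browser launch, the Internet Explorer registry writes and the CryptnetUrlCache files below are side effects of that prompt rather than RAT functionality. The win10 run (behavioral2) shows no browser activity and instead loads CsvHelper.dll next to the dropped binary, which is what you would expect when the runtime is present. The Python below is an added example, not sandbox output, that rebuilds this process tree from rows of the WriteProcessMemory table (accepting them as printed or with " | " column separators) and counts the write events per pair; the report's rows are embedded as sample input.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One row of the "Suspicious use of WriteProcessMemory" table:
#   PID <src> wrote to memory of <dst> <indicator> <source image> <target image>
_WPM_ROW = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<indicator>\S+)\s+(?P<paths>.+)$'
)
# The two image paths are space-separated and may themselves contain spaces
# ("C:\Program Files (x86)\..."); split at the second drive-letter prefix instead.
_PATH_SPLIT = re.compile(r'\s+(?=[A-Za-z]:\\)')


def _cells(row: str) -> str:
    """Normalise a row: tolerate ' | ' column separators as well as plain spaces."""
    return re.sub(r'\s*\|\s*', ' ', row).strip()


class WriteGraph:
    """Cross-process write events as a directed graph, with per-pair event counts."""

    def __init__(self) -> None:
        self.image: Dict[int, str] = {}
        self.writes: Dict[Tuple[int, int], int] = defaultdict(int)
        self.writer_of: Dict[int, int] = {}   # first PID seen writing into each target

    def add_row(self, row: str) -> bool:
        m = _WPM_ROW.match(_cells(row))
        if not m:
            return False
        paths = _PATH_SPLIT.split(m.group('paths'))
        if len(paths) != 2:
            return False
        src, dst = int(m.group('src')), int(m.group('dst'))
        self.image[src], self.image[dst] = paths
        self.writes[(src, dst)] += 1
        self.writer_of.setdefault(dst, src)
        return True

    def children(self, pid: int) -> List[int]:
        return sorted(d for (s, d) in self.writes if s == pid)

    def roots(self) -> List[int]:
        """PIDs that write but were never written into: where the lineage starts."""
        targets = {d for (_, d) in self.writes}
        return sorted({s for (s, _) in self.writes if s not in targets})

    def chain(self, pid: int) -> List[int]:
        """Root-to-leaf PID chain that reaches `pid` through write events."""
        path = [pid]
        while pid in self.writer_of and self.writer_of[pid] not in path:
            pid = self.writer_of[pid]
            path.append(pid)
        return path[::-1]

    def render(self) -> List[str]:
        """Indented tree, one line per PID, annotated with the event count from its parent."""
        out: List[str] = []

        def walk(pid: int, depth: int, events: int) -> None:
            tag = f'  ({events} write events from parent)' if events else ''
            out.append('  ' * depth + f'{pid}  {self.image[pid]}{tag}')
            for child in self.children(pid):
                walk(child, depth + 1, self.writes[(pid, child)])

        for root in self.roots():
            walk(root, 0, 0)
        return out


def build_write_graph(rows: List[str]) -> WriteGraph:
    g = WriteGraph()
    for row in rows:
        g.add_row(row)
    return g


# The behavioral1 table, which lists each pair four times.
SAMPLE_ROWS = (
    [r'PID 2328 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe C:\Users\Admin\AppData\Roaming\Fortnite.exe'] * 4
    + [r'PID 2328 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe C:\Users\Admin\AppData\Roaming\FortniteChecker.exe'] * 4
    + [r'PID 3060 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe C:\Program Files\Internet Explorer\iexplore.exe'] * 4
    + [r'PID 2424 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE'] * 4
)

if __name__ == '__main__':
    print('\n'.join(build_write_graph(SAMPLE_ROWS).render()))
```

The sandbox fires this signature on any cross-process write; the parent-into-new-child pattern here says nothing by itself about injection, which is why the tree and the image paths matter more than the signature name.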

Network

Country | Destination | Domain | Proto
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp

Files

\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA1 4faa5b6fca5f3b31b00995b4372f635b1ed3a019
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336
SHA512 ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA1 76ed7763602cc198be87b3eb51949f54ae9c0f9b
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe
SHA512 ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA1 3fa7077272c55e85141236d90d302975e3d14b2e
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
SHA512 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

memory/2260-46-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

memory/2260-47-0x0000000000DF0000-0x0000000000E12000-memory.dmp

memory/2260-48-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD97F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD9A2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ed715413e74f7feee39a71090b3b058
SHA1 e8795006227f2483e42d4f0acd2df669e9eea7ac
SHA256 49cfdd000aaed88b865ad0930557d56ffa8d0381d01acf830d171406f338a606
SHA512 f37ca00388e4ecb101610476e5dd86e603642f5f013c461e6ec77fb4ffd91e21a2910bebf964812154496a750e9a7b51f2028b637bdd0ba3f2b6f217e6cafddb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66e63ba56869656d4f34efbdaf1e4a6d
SHA1 658c0554f03b0aae1dc36ca796069b2fce32384e
SHA256 a12c347e33ba9ac8edb658f5cce1e9790b0b95ecdad835d984f817ebbeafac89
SHA512 cc38a5953ca92fa285352bb415677293595ebfebc4bba10b715198fe6f7fdb26af0f79e76849a2a2641bd8888d656664b5c8a79f2813c4780526e927dc5ec152

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60131cd3d87482ae87f2a2a8c6e3c952
SHA1 4c30d8b8ec59ecec0cac8c4884429d13b7a24f72
SHA256 843ee7d9cc64c1483cb2478aeb9d758a27b16d340136fc2ed52b68d31430626d
SHA512 1f6b2b947eeb743c739cbf12446eacfb0ad9416cdcb1f11c32a56809200608cf705e50bf550c88521a12e1cf77177b13408e5f2b56c363202ca3c0255d3b2521

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b7e7673abae9890ea888f0a3d912038
SHA1 8c1be1b871b481bb0ea2734042b093667ea0214b
SHA256 83fcd5debac987b14b643d480530f89e7eff02e550472df2efc0e410be7166e3
SHA512 af0d80a60bf3a9ba68589dfd18743b26d66156f012165623886e85bad720abc1e7c46c13f95ad64268a7a8a7c45dc29c0b1c43e6471198c01c8cbc555e4df905

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6287ed7db669a040b8ca50daf733dea3
SHA1 03cd7bbd767e90f659e9020c89cd35a840bafbab
SHA256 553d504f363940a67f9e35bc444b82febb27d16c9678cae69148026c2ff5a8f8
SHA512 5f8450c5303e8d0253792bd25b6ac1d6b696553d22c4be610f0b0b7167d5d5ca8d69ddc742e0888a9427f04ee64b4fe371ba1bed77220209056df0b5bf3a5ca3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acb04093ca2e9a0e2930060138b78a9a
SHA1 c8eaba3eee457e950da1e96d9d3d97d624be2099
SHA256 6475da7fdab1833a95c16f5bda2c96405c8f7d2d8ae917628e19249b3ad708c5
SHA512 33bc7f5c3197791527f4c7dcfcf132847341fb787e8d6ec7df22bcf08075b88fbf79bf03de1cb17ab1420ae62a3b19a072a8b82bde50eb9a47fc0517e957e4aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2a625da1b58e9446dae062ba6da891f
SHA1 0c15c4ebeb68debb1403a6fdfba6736b5ac51793
SHA256 7af859de228adeb18dcd98f0e11e5dc94c7ab12f9bdbb91738f4d5a6bc3c0754
SHA512 bdd63d8dbcae57fbca4ab10b1e85fbdf83e946a78e673e3e358701a50e4ab240f956a0f73d1ba02279f17374ee599951cbc461d30cc05fced6240d839037b2bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88001f1bae9a5eb1cf55a65d85a3dcfb
SHA1 cceb619cad66f3125556bffc936e7b51a4a91214
SHA256 c87634d33f42bd31ab37d3988706f578bcf5183498b8e01defa0f4cbccfe580b
SHA512 9bb1b06519eb2a9d6e799bd33cfed67794432f11dc540903bc0b3073072257426aaf7d46961db83a1280a97cfea0f5848b2c33c52d664bd5b37b1f483ff98b19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b09fd62455ab9da751f868b1912586f1
SHA1 b37f8fd325ca0815b6a186d455e8d32dd8942bad
SHA256 c74855e13568eac8ee0b03abd637e01a79e46d01e08d2a43228e3318a162bb4e
SHA512 e11f9aa24b3e83d3b9d3226a46420b2ca84b0c33a5e26081b11822d2fe7a8ff5046d3c26eefdfc4555b1756302809ac02a5bc2b57b0fe314327216bba7c1b639

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25c9af4f6eb39a0a56c837c8e9d3ab44
SHA1 a6360086804167bfb4d5db35cd2f6cc143e066b9
SHA256 70c317ec2029215dd4802ee93d5ed44e72fd2a6d23f63bb2a9b37864ce585e44
SHA512 52b593e7551bdf008072bf69be86ca81e1de96362005efb89be13ef999f671ec1fee4028d439201bd9980f0df97a31c9cf85b5fa70e45ce8dd43a91bc684e2a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 883317c900498c94f9729fe5c29ce5c7
SHA1 c2f32872d0c9adb8f3e897c27d2044e0ce0ecf2c
SHA256 a331e9c6a0e3b80918679f6bf65d2c9920e1860f5fd1ae9d4238d549f59fb9e3
SHA512 8d645d0f40a5f4955ec4c5baafe4c0492032f7897c12ceb375fe7effffa4883cd1f1e8761ca0050748a1cf28e6c9daa79def676dd61339998031ecd14e691d3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fabae50e5071ffb4df263431c6d4c9c5
SHA1 f345c93b191d63dccc243c6bbc2b36fcc964e649
SHA256 d77c26a7dd5b4fd8f7b2e53d9fae6bdb302c25b3bd3f1606ce9b78658c552d86
SHA512 0dabc3b1b2c3cf05e5f2a70458d070a82072be78f492a2d856855393a4b9b13015729ff1aee1f380000723ed3097881d04f34a578241ede879b7cd7ad41aafbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bc7d93464efadecf2ab5f52b441d2e4
SHA1 12f83f42f19d6929a833bdc05c4eb2476b621bde
SHA256 d2d2fb17135b3cb5f25006126ff410b8eb3e4accd690c8f9389d5910bdbd43a8
SHA512 8c97928f1f54a1b8187aee615c07e453a2c4d18363d837d2e51dc50ae5aeadbe827cee7c2a32f74a9430a4b93a0df1a1ef60154a12b96de2b08b21ca7af7a9a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55d59f76a9baffaba3d4c1faf23ad33f
SHA1 c9582e9357a0c1e7e3849b3dd5630f60d70ebdc5
SHA256 d70c9350e1b622b2b1365a0f1f1e4d2a363cd4594113b776d7837ff184ddc8c1
SHA512 df2a6fb354ed4d8ecc3d3d760a894d2309f1c7966e7d79db53e8a88b7530f0885fe9c60fa790abec61a7222503fc33486189da43f7be9a11baabdf621f22e263

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 933ab9bb87d2d45b9e4e00a5e4e60cbe
SHA1 2fb5c8c284c3813e701f319ec695ef5b3718ffdf
SHA256 459386c30382e9e540acac7386bf35bb9417f030be8fc2fd525dc982eaa33263
SHA512 de4ee045dc172bc99e1324677fb105eeda8fcd490c8d097abcb558e47da1cda17fe2165f435108b166150964de986ac514c8388b103902a05374fbb2ec096c99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3e55c8911174a4e84eef5362f909ebd
SHA1 65694a15f4f5f146c3ece799a222132a081f2f79
SHA256 2ff4cc01d754d80d1afa6e4569dc919af9845f824f01bfdd8f79d5c23f915aca
SHA512 3ceaac69150c9b7186e19530e13879e3423c934d334e1f24aeec45b86d05a3afd420994ec1a88b12efc7a629340d6b5257c2a13e3b545c071bc0d78e5f85e40b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af76b0cf3014cc47b401c5762c7ed32a
SHA1 a2b4bf3c3451ba149954d6faf037093717240093
SHA256 ad92cdb67610ccccc7ff285003dd3f2ddd94e0222f2793b9e615aa8abf858eab
SHA512 ec28504e4e291bf42abfa5e7b9b869f9c754ead982ba0ba9c07c8fc177a0656fd8c40ce21dd54430b5ceb51e3be54244afaaf7b53d28baf95635a7b494b9dcd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df551ed1b3096cfb2d147c10ba910860
SHA1 749681d3b077fa23fcc692acca5709a1d22c0b3d
SHA256 c1a7cd2e6b8007d7c34b1a54767eb936f69d1ecc3af0391983eb426b3d6d9ce1
SHA512 ad70428ba14a21832e48b7fe1a398cd7cb8019ee64c274afe0602a51e23e0ae03ba16672d96295dbbbdc4a97476dfe1e7de6245628f4fcc2530d65d61158480d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 20:28

Reported

2024-10-15 20:31

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
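Both runs (behavioral1 and behavioral2) persist the same way: an HKCU Run value named Fortnite pointing at the copy in AppData\Roaming, and written by that copy itself. That combination, a user-writable image path plus a process registering its own autorun, is the check worth automating. The Python below is an added example, not sandbox code: it parses "Set value" rows of the shape shown in these tables (as printed, or with " | " separators), covering HKCU and HKLM Run/RunOnce and the Wow6432Node view, which goes beyond the two rows on this page; it undoes the doubled backslashes the sandbox prints in REG_SZ data, pulls the executable out of quoted or argument-carrying values, and flags entries by location and by self-registration. The user-writable directory list and the third, benign sample row are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One sandbox row of the "Adds Run key" table: Description, Indicator, Process, Target.
# Covers HKCU (\REGISTRY\USER\<SID>) and HKLM (\REGISTRY\MACHINE), Run and RunOnce,
# and the Wow6432Node view; the report itself only shows HKCU\...\Run.
_AUTORUN_ROW = re.compile(
    r'^Set value \((?P<kind>str|data|int)\)\s+'
    r'\\REGISTRY\\(?:USER\\(?P<sid>S-1-5-21-[\d-]+)|(?P<machine>MACHINE))'
    r'\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\'
    r'(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?)\s*=\s*'
    r'"(?P<value>.*)"\s+(?P<proc>.+?)\s+(?P<target>\S+)\s*$',
    re.IGNORECASE,
)

# Directories a standard user can write to; an autorun image living here is the
# first thing to look at. Assumed list, extend it for your own estate.
_USER_WRITABLE_FRAGMENTS = (
    '\\appdata\\roaming\\',
    '\\appdata\\local\\temp\\',
    '\\programdata\\',
    '\\users\\public\\',
    '\\downloads\\',
)


@dataclass
class AutorunFinding:
    hive: str                 # HKCU or HKLM
    sid: Optional[str]        # user SID for HKCU entries, None for HKLM
    key: str                  # Run or RunOnce
    value_name: str
    image_path: str           # executable the Run value launches
    set_by: str               # process that wrote the value (the Process column)
    reasons: List[str] = field(default_factory=list)


def _cells(row: str) -> str:
    """Tolerate ' | ' column separators as well as the sandbox's plain spaces."""
    return re.sub(r'\s*\|\s*', ' ', row).strip()


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _image_path(command: str) -> str:
    """Executable from Run value data, which may be quoted and may carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ', 1)[0]


def parse_autorun_row(row: str) -> Optional[AutorunFinding]:
    m = _AUTORUN_ROW.match(_cells(row))
    if not m:
        return None
    # The sandbox prints REG_SZ data with doubled backslashes; undo that first.
    image = _image_path(m.group('value').replace('\\\\', '\\'))
    finding = AutorunFinding(
        hive='HKLM' if m.group('machine') else 'HKCU',
        sid=m.group('sid'),
        key=m.group('key'),
        value_name=m.group('name'),
        image_path=image,
        set_by=m.group('proc'),
    )
    if any(frag in _norm(image) for frag in _USER_WRITABLE_FRAGMENTS):
        finding.reasons.append('image in user-writable directory')
    if _norm(image) == _norm(finding.set_by):
        finding.reasons.append('process registered itself')
    return finding


def suspicious_autoruns(rows: List[str]) -> List[AutorunFinding]:
    """Parsed rows that carry at least one reason to investigate."""
    parsed = (parse_autorun_row(r) for r in rows)
    return [f for f in parsed if f is not None and f.reasons]


# Rows 1 and 2 are the persistence rows from behavioral1 and behavioral2;
# row 3 is a constructed benign HKLM entry written by an installer, for contrast.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" C:\Users\Admin\AppData\Roaming\Fortnite.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" C:\Users\Admin\AppData\Roaming\Fortnite.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\System32\msiexec.exe N/A',
]

if __name__ == '__main__':
    for f in suspicious_autoruns(SAMPLE_ROWS):
        print(f'{f.hive}\\...\\{f.key}\\{f.value_name} -> {f.image_path}  [{"; ".join(f.reasons)}]')
```

On a live host the same two checks map directly onto Sysmon event 13 (RegistryEvent value set) with TargetObject under CurrentVersion\Run: compare the Image field with the path in Details.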

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Fortnite.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\FortniteChecker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe

"C:\Users\Admin\AppData\Local\Temp\FortniteChecker.exe"

C:\Users\Admin\AppData\Roaming\Fortnite.exe

"C:\Users\Admin\AppData\Roaming\Fortnite.exe"

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

"C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
DE | 138.68.84.55:3086 | | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
DE | 138.68.84.55:3086 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
DE | 138.68.84.55:3086 | | tcp
DE | 138.68.84.55:3086 | | tcp
US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp
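The Network tables of both runs contain one destination that matters, 138.68.84.55:3086 (tagged DE), contacted repeatedly over TCP on a non-standard port with no name resolved for it, mixed with Microsoft and Bing traffic and, on win10, a series of reverse lookups (in-addr.arpa) that the OS issues on its own. The Python below is an added example, not sandbox tooling, that aggregates rows of this format (as printed or with " | " separators) into one endpoint per ip:port/proto with a hit count, and buckets them into C2 candidates, OS/browser noise, DNS detail and leftovers for review. Its allowlist of Microsoft domains is an assumption to be replaced with your own; behavioral1's rows are embedded in full, behavioral2's reduced to the distinct ones with the C2 rows repeated to their count in the report (7).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One row of the Network table: Country, Destination (ip:port), optional Domain, Proto.
_NET_ROW = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+'
    r'(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$'
)

# Assumed allowlist of Windows / Internet Explorer / Bing telemetry domains that show
# up in sandbox runs; replace with your own known-good list.
_OS_DOMAIN_SUFFIXES = ('.microsoft.com', '.bing.com', '.bing.net', '.windowsupdate.com')
_COMMON_PORTS = {80, 443}


def _cells(row: str) -> str:
    """Tolerate ' | ' column separators (empty Domain cell included) as well as spaces."""
    return re.sub(r'\s*\|\s*', ' ', row).strip()


@dataclass
class Endpoint:
    ip: str
    port: int
    proto: str
    count: int = 0
    countries: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)

    @property
    def key(self) -> str:
        return f'{self.ip}:{self.port}/{self.proto}'


def aggregate(rows: List[str]) -> Dict[str, Endpoint]:
    """Collapse repeated rows into one Endpoint per ip:port/proto with a hit count."""
    endpoints: Dict[str, Endpoint] = {}
    for row in rows:
        m = _NET_ROW.match(_cells(row))
        if not m:
            continue
        ep = Endpoint(m.group('ip'), int(m.group('port')), m.group('proto'))
        ep = endpoints.setdefault(ep.key, ep)
        ep.count += 1
        ep.countries.add(m.group('cc'))
        if m.group('domain'):
            ep.domains.add(m.group('domain').lower())
    return endpoints


def triage(rows: List[str]) -> Tuple[Dict[str, List[str]], Dict[str, Endpoint]]:
    """Bucket endpoints: C2 candidates, OS/browser noise, DNS detail, and leftovers."""
    endpoints = aggregate(rows)
    buckets: Dict[str, List[str]] = {
        'c2_candidates': [], 'os_noise': [], 'reverse_lookups': [], 'dns_queries': [], 'review': [],
    }
    for ep in endpoints.values():
        if ep.port == 53 and ep.proto == 'udp':
            # Reverse lookups of Microsoft/sandbox infrastructure are the OS's own work;
            # forward queries are kept separately so they can be matched against the TCP side.
            for name in sorted(ep.domains):
                bucket = 'reverse_lookups' if name.endswith('.in-addr.arpa') else 'dns_queries'
                buckets[bucket].append(name)
        elif ep.domains and all(d.endswith(_OS_DOMAIN_SUFFIXES) for d in ep.domains):
            buckets['os_noise'].append(ep.key)
        elif not ep.domains and ep.port not in _COMMON_PORTS:
            # Raw IP, odd port, nothing resolved, hit repeatedly: the shape of a beacon.
            buckets['c2_candidates'].append(ep.key)
        else:
            buckets['review'].append(ep.key)
    return buckets, endpoints


def c2_summary(rows: List[str]) -> List[str]:
    """One blocklist-ready line per C2 candidate with its hit count and country tag."""
    buckets, endpoints = triage(rows)
    return [f'{k} hits={endpoints[k].count} country={",".join(sorted(endpoints[k].countries))}'
            for k in buckets['c2_candidates']]


# behavioral1 rows, in full.
B1_ROWS = (
    ['DE 138.68.84.55:3086 tcp'] * 4
    + ['US 204.79.197.200:443 ieonline.microsoft.com tcp'] * 3
    + ['DE 138.68.84.55:3086 tcp'] * 4
)
# behavioral2: distinct rows only, C2 rows repeated to their count in the report.
B2_ROWS = (
    ['DE 138.68.84.55:3086 tcp'] * 7
    + ['US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp',
       'US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp',
       'US 8.8.8.8:53 g.bing.com udp',
       'US 150.171.28.10:443 g.bing.com tcp',
       'US 8.8.8.8:53 tse1.mm.bing.net udp',
       'US 150.171.27.10:443 tse1.mm.bing.net tcp']
)

if __name__ == '__main__':
    for label, rows in (('behavioral1', B1_ROWS), ('behavioral2', B2_ROWS)):
        print(label, triage(rows)[0], c2_summary(rows))
```

The sandbox gives no payload bytes for the 3086/tcp sessions, so nothing here says what the protocol is; the candidate is worth blocking on shape alone, but attribution to VanillaRat rests on the static signature, not on this traffic.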

Files

C:\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA1 4faa5b6fca5f3b31b00995b4372f635b1ed3a019
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336
SHA512 ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA1 76ed7763602cc198be87b3eb51949f54ae9c0f9b
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe
SHA512 ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA1 3fa7077272c55e85141236d90d302975e3d14b2e
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
SHA512 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

memory/2952-39-0x000000007311E000-0x000000007311F000-memory.dmp

memory/960-41-0x0000000000470000-0x000000000048C000-memory.dmp

memory/2952-40-0x0000000000EC0000-0x0000000000EE2000-memory.dmp

memory/960-42-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/960-43-0x00000000053B0000-0x0000000005954000-memory.dmp

memory/960-44-0x0000000004D20000-0x0000000004DB2000-memory.dmp

memory/2952-45-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/960-47-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/960-46-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

C:\Users\Admin\AppData\Roaming\CsvHelper.dll

MD5 c0b9e366d95e367ea4330187439b711b
SHA1 4674c657037b891f2f0cd3977976ef71b578b1b3
SHA256 dffad53f0349e00a1444f71465d7c66aa8758644879d9f628677d5ba8307322a
SHA512 dbd75f3f700f316eabf237235bb148e6098e9ccc313e215922f4b2f6adceea4f4dfb22f933bae6bf6c8693e9387f4dd94aedc8a650e4d8379f70038a7da2afc5

memory/960-51-0x00000000060B0000-0x00000000060D8000-memory.dmp

memory/2952-52-0x000000007311E000-0x000000007311F000-memory.dmp

memory/960-53-0x0000000073110000-0x00000000738C0000-memory.dmp

memory/2952-54-0x0000000073110000-0x00000000738C0000-memory.dmp
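The Files lists of both runs need some cleaning before they become indicators: the same CryptnetUrlCache path appears many times with different hashes because the sandbox records every write, the same dropped executable appears under two path spellings (with and without the drive letter), and memory-region dumps are interleaved with file entries. The Python below is an added example, not report tooling, that parses this layout, dedupes dropped payloads by SHA256, counts paths written more than once, and turns the memory lines into sized regions. Its treatment of CryptnetUrlCache and Cab/Tar temp files as certificate-cache noise from the browser's TLS activity is a heuristic assumption, and the sample input is an excerpt of this page's own entries.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$')
_MEMORY_LINE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')


@dataclass
class FileRecord:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def sha256(self) -> Optional[str]:
        return self.hashes.get('SHA256')


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str) -> Tuple[List[FileRecord], List[MemoryRegion]]:
    """A path line followed by ALGO <hex> lines (blank lines in between are ignored),
    or a single memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp line."""
    files: List[FileRecord] = []
    regions: List[MemoryRegion] = []
    current: Optional[FileRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        mem = _MEMORY_LINE.match(line)
        if mem:
            regions.append(MemoryRegion(int(mem[1]), int(mem[2]), int(mem[3], 16), int(mem[4], 16)))
            current = None
            continue
        h = _HASH_LINE.match(line)
        if h:
            if current is not None:            # orphan hash lines are dropped
                current.hashes[h[1].upper()] = h[2].lower()
            continue
        current = FileRecord(line)
        files.append(current)
    return files, regions


def classify_path(path: str) -> str:
    p = path.lower().replace('/', '\\')
    # CryptnetUrlCache metadata and Cab/Tar temp files are written by the certificate
    # chain/CRL fetcher during browser TLS activity; calling them OS noise is an
    # assumption of this example, not something the sandbox asserts.
    if '\\cryptneturlcache\\' in p or re.search(r'\\(cab|tar)[0-9a-f]{4}\.tmp$', p):
        return 'os-cache'
    if '\\appdata\\roaming\\' in p and p.endswith(('.exe', '.dll', '.config')):
        return 'dropped'
    return 'review'


def triage_files(text: str) -> Dict[str, object]:
    files, regions = parse_files_section(text)
    dropped: Dict[str, FileRecord] = {}        # keyed by SHA256, so one payload under
    for rec in files:                            # two path spellings counts once
        if classify_path(rec.path) == 'dropped' and rec.sha256:
            dropped.setdefault(rec.sha256, rec)
    rewrites = Counter(rec.path for rec in files)
    return {
        'dropped': list(dropped.values()),
        'os_cache': [rec.path for rec in files if classify_path(rec.path) == 'os-cache'],
        'rewritten_paths': {p: n for p, n in rewrites.items() if n > 1},
        'regions': regions,
    }


# Excerpt of the Files entries from both runs (hash lines shortened to MD5/SHA256).
SAMPLE_FILES = r"""
\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

C:\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a

memory/2260-47-0x0000000000DF0000-0x0000000000E12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD97F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ed715413e74f7feee39a71090b3b058
SHA256 49cfdd000aaed88b865ad0930557d56ffa8d0381d01acf830d171406f338a606

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66e63ba56869656d4f34efbdaf1e4a6d
SHA256 a12c347e33ba9ac8edb658f5cce1e9790b0b95ecdad835d984f817ebbeafac89

C:\Users\Admin\AppData\Roaming\CsvHelper.dll

MD5 c0b9e366d95e367ea4330187439b711b
SHA256 dffad53f0349e00a1444f71465d7c66aa8758644879d9f628677d5ba8307322a
"""

if __name__ == '__main__':
    result = triage_files(SAMPLE_FILES)
    for rec in result['dropped']:
        print(rec.sha256, rec.path)
    print(result['rewritten_paths'])
```

The four SHA256 values this yields (the two dropped executables, the .config and CsvHelper.dll) are the file indicators to keep; the CryptnetUrlCache hashes change on every run and are not worth sharing.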