Analysis

  • max time kernel
    8s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-10-2024 20:04

General

  • Target

    fortnite.exe

  • Size

    1.4MB

  • MD5

    7f9573605fc3b7c5a13a4b09118c77e5

  • SHA1

    2541aebb664df60b014a2093232cfd4994a9130c

  • SHA256

    d9d68a7e91ad17c3db6dd4f00b4ff9a27cc27e3da41f694f444b9514eda3072f

  • SHA512

    fce7e4fef0018a50ab7d306571d41bc8f25e6ba55edf6401b82192c25b25e6f9c39002347e5d92dc40c42bf534fb7c13ab7d53c0696ffadaeea82e9618231be1

  • SSDEEP

    24576:HFe/U3CReTrOmfrD10xs76dJKnCjkIL4I9fGzPvW4C30Wemex2ze+9S4:HFeVROf31es7KcnD9RP

Malware Config

Extracted

Family

darkvision

C2

154.216.17.115

https://rentry.co/razorrat/rawYDHXBF8ZTF

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

  • Darkvision family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fortnite.exe
    "C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
      2⤵
        PID:4992
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
        2⤵
        • Hide Artifacts: Hidden Files and Directories
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\ProgramData\Microsoft\WindowsApps"
          3⤵
          • Views/modifies file attributes
          PID:1868
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionExtension 'exe'" >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionExtension 'exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3416
      • C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe
        "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe"
        2⤵
        • Executes dropped EXE
        PID:220
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 3
        2⤵
          PID:3940

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe

        Filesize

        443KB

        MD5

        6edcc30095aaa8bad21c5e0a1a92aa9c

        SHA1

        ac4dc007d65625f55579b16893a0b490e5c6f48a

        SHA256

        ba3cc8d5120e54c6c8dd15143cddf6b2040e83704caad04373b05ea5fa9a9179

        SHA512

        06ec237b2ad8002740f104c04213c03c101cc8a4587527135bdb87ca488fac542250209af96cc348d2196a7b3fabe51a035e52c9401000f486e6a6a9c07c46bd

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctszo3fz.umk.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/1632-1-0x00007FFBF2983000-0x00007FFBF2985000-memory.dmp

        Filesize

        8KB

      • memory/1632-11-0x00007FFBF2980000-0x00007FFBF3441000-memory.dmp

        Filesize

        10.8MB

      • memory/1632-12-0x000001A9D5990000-0x000001A9D59B2000-memory.dmp

        Filesize

        136KB

      • memory/1632-13-0x00007FFBF2980000-0x00007FFBF3441000-memory.dmp

        Filesize

        10.8MB

      • memory/1632-16-0x00007FFBF2980000-0x00007FFBF3441000-memory.dmp

        Filesize

        10.8MB

      • memory/2280-0-0x000002D11E7A0000-0x000002D11E81B000-memory.dmp

        Filesize

        492KB

      • memory/2280-25-0x000002D11E7A0000-0x000002D11E81B000-memory.dmp

        Filesize

        492KB