Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-10-2024 20:10

General

  • Target

    fortnite.exe

  • Size

    1.4MB

  • MD5

    5999098b0f0e4e25e826092a7f1e7598

  • SHA1

    76f8454429e4a59e4b7361415a6d62e08207577e

  • SHA256

    74e66581cda6b55f9dbfcfe260faec1dad8a38d9fa0c5c2f45e64d16e6a11d4e

  • SHA512

    7d43edd26d68f5f51478a6e8f75652bf15a9704c89f4d70c6115c51989c9e60a726124c4ddabd5a95917a537b066a0d6ecef3b737492706e82e5493a63ce36c1

  • SSDEEP

    24576:PW0EbEOAkR+9yJgoHqWnKwVIL4I9fGzPvW4C30Wemex2ze+9S:PW0kTdnn9RP

Malware Config

Extracted

Family

darkvision

C2

154.216.17.115

https://rentry.co/razorrat/rawYDHXBF8ZTF

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

  • Darkvision family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fortnite.exe
    "C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
      2⤵
        PID:4704
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\WindowsApps" >nul 2>&1
        2⤵
        • Hide Artifacts: Hidden Files and Directories
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\ProgramData\Microsoft\WindowsApps"
          3⤵
          • Views/modifies file attributes
          PID:1932
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionExtension 'exe'" >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionExtension 'exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4792
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "OperationEnigma" /tr "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe" /sc onlogon /rl highest /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1984
      • C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe
        "C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe"
        2⤵
        • Executes dropped EXE
        PID:3516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 3
        2⤵
          PID:4324

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\ProgramData\Microsoft\WindowsApps\OperationEnigma4.exe

        Filesize

        443KB

        MD5

        6edcc30095aaa8bad21c5e0a1a92aa9c

        SHA1

        ac4dc007d65625f55579b16893a0b490e5c6f48a

        SHA256

        ba3cc8d5120e54c6c8dd15143cddf6b2040e83704caad04373b05ea5fa9a9179

        SHA512

        06ec237b2ad8002740f104c04213c03c101cc8a4587527135bdb87ca488fac542250209af96cc348d2196a7b3fabe51a035e52c9401000f486e6a6a9c07c46bd

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykvlo1jd.0a5.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/1612-0-0x00000255FDE30000-0x00000255FDEAB000-memory.dmp

        Filesize

        492KB

      • memory/1612-25-0x00000255FDE30000-0x00000255FDEAB000-memory.dmp

        Filesize

        492KB

      • memory/4792-1-0x00007FFEBCFA3000-0x00007FFEBCFA5000-memory.dmp

        Filesize

        8KB

      • memory/4792-7-0x0000028969A80000-0x0000028969AA2000-memory.dmp

        Filesize

        136KB

      • memory/4792-12-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

        Filesize

        10.8MB

      • memory/4792-13-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

        Filesize

        10.8MB

      • memory/4792-16-0x00007FFEBCFA0000-0x00007FFEBDA61000-memory.dmp

        Filesize

        10.8MB