Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 22:18
Tasks

Static task static1
Behavioral task behavioral1: sample CHEAT/Fortnite External.exe, resource win7-20240903-en
Behavioral task behavioral2: sample CHEAT/Fortnite External.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample CHEAT/driver.sys, resource win10v2004-20241007-en
Behavioral task behavioral4: sample CHEAT/kdmapper.exe, resource win7-20241023-en
Behavioral task behavioral5: sample CHEAT/kdmapper.exe, resource win10v2004-20241007-en
General

Target: CHEAT/Fortnite External.exe
Size: 495KB
MD5: 22ee5558a9504c7b2059f0a26f35ef7e
SHA1: 4226d8358c0320a0e75880eea33fa295ba5b67e2
SHA256: 8b47cac5895c2c83c3ad486d5987da9198f071edb48900bc8ef6a53f36e915c3
SHA512: feaf731ea60aece9eb870d86db4caa2c6120da1ddce9dff68d1d721a03cfb15e73504b6897b2de1ef8fdb7920cb7ba65431eeca8c5513c03850608c4bc9a1295
SSDEEP: 6144:TM78NdNWy+72xpgpjk/wUd967MjBUwzJZWnwHnQx35lA3xC552TUqeM9IUukRjIC:TPdwgxpEs9hzZWn1UxCj2AqeMQmU
Malware Config

Signatures

- Kills process with taskkill (1 IoC)
  pid 2396, process taskkill.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2396, process taskkill.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process                 procid_target
  PID 860 wrote to memory of 1272    860   Fortnite External.exe   31
  PID 860 wrote to memory of 1272    860   Fortnite External.exe   31
  PID 860 wrote to memory of 1272    860   Fortnite External.exe   31
  PID 860 wrote to memory of 2372    860   Fortnite External.exe   32
  PID 860 wrote to memory of 2372    860   Fortnite External.exe   32
  PID 860 wrote to memory of 2372    860   Fortnite External.exe   32
  PID 2372 wrote to memory of 2396   2372  cmd.exe                 33
  PID 2372 wrote to memory of 2396   2372  cmd.exe                 33
  PID 2372 wrote to memory of 2396   2372  cmd.exe                 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\CHEAT\Fortnite External.exe (PID 860)
   command line: "C:\Users\Admin\AppData\Local\Temp\CHEAT\Fortnite External.exe"
   signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe (PID 1272)
      command line: C:\Windows\system32\cmd.exe /c cls

   2. C:\Windows\system32\cmd.exe (PID 2372)
      command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\taskkill.exe (PID 2396)
         command line: taskkill /f /im HTTPDebuggerUI.exe
         signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken