Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 18:57
Behavioral task
behavioral1
Sample
Fortnite.exe
Resource
win7-20241010-en
windows7-x64
6 signatures
150 seconds
General
-
Target
Fortnite.exe
-
Size
227KB
-
MD5
9b107d5d9f8df40eb30e3168ebe6f9dd
-
SHA1
6b61781552e8173e5bc446128b0683e3dde7ad68
-
SHA256
e6f71ac80e3dab87309de89a4840824b680ae897c19bda25a766b216595f30c5
-
SHA512
0a504481a0413a3de4d0e6e2a000a2371be46d6896c399b635f8e3ad7b5a777678a82502a2ec02ead689068c1a7ca9ceffddc7ce47607eff405dde9b7eaeb7fc
-
SSDEEP
6144:eloZM+rIkd8g+EtXHkv/iD45CcwZCl38e1mBi:IoZtL+EP8RNZ
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/memory/3080-1-0x00000150FB4B0000-0x00000150FB4F0000-memory.dmp family_umbral -
Umbral family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 3080 Fortnite.exe Token: SeIncreaseQuotaPrivilege 2084 wmic.exe Token: SeSecurityPrivilege 2084 wmic.exe Token: SeTakeOwnershipPrivilege 2084 wmic.exe Token: SeLoadDriverPrivilege 2084 wmic.exe Token: SeSystemProfilePrivilege 2084 wmic.exe Token: SeSystemtimePrivilege 2084 wmic.exe Token: SeProfSingleProcessPrivilege 2084 wmic.exe Token: SeIncBasePriorityPrivilege 2084 wmic.exe Token: SeCreatePagefilePrivilege 2084 wmic.exe Token: SeBackupPrivilege 2084 wmic.exe Token: SeRestorePrivilege 2084 wmic.exe Token: SeShutdownPrivilege 2084 wmic.exe Token: SeDebugPrivilege 2084 wmic.exe Token: SeSystemEnvironmentPrivilege 2084 wmic.exe Token: SeRemoteShutdownPrivilege 2084 wmic.exe Token: SeUndockPrivilege 2084 wmic.exe Token: SeManageVolumePrivilege 2084 wmic.exe Token: 33 2084 wmic.exe Token: 34 2084 wmic.exe Token: 35 2084 wmic.exe Token: 36 2084 wmic.exe Token: SeIncreaseQuotaPrivilege 2084 wmic.exe Token: SeSecurityPrivilege 2084 wmic.exe Token: SeTakeOwnershipPrivilege 2084 wmic.exe Token: SeLoadDriverPrivilege 2084 wmic.exe Token: SeSystemProfilePrivilege 2084 wmic.exe Token: SeSystemtimePrivilege 2084 wmic.exe Token: SeProfSingleProcessPrivilege 2084 wmic.exe Token: SeIncBasePriorityPrivilege 2084 wmic.exe Token: SeCreatePagefilePrivilege 2084 wmic.exe Token: SeBackupPrivilege 2084 wmic.exe Token: SeRestorePrivilege 2084 wmic.exe Token: SeShutdownPrivilege 2084 wmic.exe Token: SeDebugPrivilege 2084 wmic.exe Token: SeSystemEnvironmentPrivilege 2084 wmic.exe Token: SeRemoteShutdownPrivilege 2084 wmic.exe Token: SeUndockPrivilege 2084 wmic.exe Token: SeManageVolumePrivilege 2084 wmic.exe Token: 33 2084 wmic.exe Token: 34 2084 wmic.exe Token: 35 2084 wmic.exe Token: 36 2084 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3080 wrote to memory of 2084 3080 Fortnite.exe 85 PID 3080 wrote to memory of 2084 3080 Fortnite.exe 85