Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 19:46

General

  • Target

    Fortnite Checker.exe

  • Size

    883KB

  • MD5

    5ff30ec323f9e6ec632ea3b2180a1cbc

  • SHA1

    aba95d8f4f7f634170cbad0461a3e6e0a4574059

  • SHA256

    d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

  • SHA512

    e990b1de0d4f6c2f830bca0ddea747ab733289f8fc45f2da1b9e20128b9eabb51c8f2ed62ca0346bdbb20ca73b4ab871e2a0298e1f4df9d559d4bbee41cce66c

  • SSDEEP

    12288:GToPWBv/cpGrU3ywFm/byWr+5q+LViWdEVr9WoMwtubIwyqd7zw:GTbBv5rU4/b9SDmVr98w009qdHw

Malware Config

Signatures

  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

  • Vanillarat family
  • Vanilla Rat payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Roaming\Fortnite.exe
      "C:\Users\Admin\AppData\Roaming\Fortnite.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2092
    • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
      "C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=FortniteChecker.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2552
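
The process tree above shows the chain a detection should key on: the submitted sample runs from %TEMP%, writes two executables into %APPDATA%\Roaming and executes them, and the dropped Fortnite.exe (the RAT payload) registers a Run key for persistence. The iexplore.exe branch is best excluded from hunting logic: its command line is the .NET Framework AppLaunch shim's download link (o1=.NETFramework,Version=v4.8, shimver=4.0.30319.0), opened because the win7 image does not have .NET Framework 4.8 installed, so the Internet Explorer IoCs are an environment artifact rather than behaviour of the RAT. The script below is an added example, not part of the sandbox report: it matches the report's SHA256 values and the drop-and-persist pattern over a few constructed Sysmon-style event records. The events are constructed to mirror the tree on this page, and the Run value name "Fortnite" is an assumption, since the report does not list it.

```python
"""Hunt for the Fortnite Checker / VanillaRat execution chain in process and
registry telemetry.

Added example, not part of the sandbox report. The SHA256 values are taken
from the report; the event records are CONSTRUCTED in a Sysmon-like JSON
shape (event id 1 = process create, 13 = registry value set) and the Run
value name "Fortnite" is an assumption the report does not confirm.
"""
import json
import re

# SHA256 IoCs listed in the report: the original sample and the two dropped EXEs.
KNOWN_SHA256 = {
    "d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930": "Fortnite Checker.exe (sample)",
    "98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336": "Fortnite.exe (dropped, VanillaRat payload)",
    "355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe": "FortniteChecker.exe (dropped)",
}

# Path patterns for the drop-and-persist behaviour seen in the process tree.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)

# Constructed telemetry (not the report's raw data). PIDs and paths follow the
# process tree on this page; the last record is a benign control event.
SAMPLE_EVENTS = r"""
{"id":1,"pid":2492,"ppid":1234,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fortnite Checker.exe","parent_image":"C:\\Windows\\explorer.exe","sha256":"d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930"}
{"id":1,"pid":2092,"ppid":2492,"image":"C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe","parent_image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fortnite Checker.exe","sha256":"98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336"}
{"id":1,"pid":2768,"ppid":2492,"image":"C:\\Users\\Admin\\AppData\\Roaming\\FortniteChecker.exe","parent_image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fortnite Checker.exe","sha256":"355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe"}
{"id":13,"pid":2092,"image":"C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Fortnite","details":"C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe"}
{"id":1,"pid":3001,"ppid":1234,"image":"C:\\Program Files\\Notepad++\\notepad++.exe","parent_image":"C:\\Windows\\explorer.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
"""


def parse_events(text):
    """Parse one JSON record per line into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(events):
    """Return (rule, pid, detail) findings for three independent signals:
    a known-bad hash, an EXE in Roaming spawned by a process running from
    Temp, and a Run value whose data points back into AppData."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            label = KNOWN_SHA256.get(ev.get("sha256", "").lower())
            if label:
                findings.append(("ioc_hash", ev["pid"], label))
            if ROAMING_EXE_RE.search(ev["image"]) and TEMP_RE.search(ev.get("parent_image", "")):
                findings.append(("dropped_exe_from_temp", ev["pid"], ev["image"]))
        elif ev["id"] == 13:
            if RUN_KEY_RE.search(ev["target"]) and APPDATA_RE.search(ev.get("details", "")):
                findings.append(("run_key_persistence", ev["pid"], ev["details"]))
    return findings


def full_chain_seen(findings):
    """True when both the drop-from-Temp and Run-key signals fire, i.e. the
    behavioural chain from the report is present independent of hashes."""
    rules = {f[0] for f in findings}
    return {"dropped_exe_from_temp", "run_key_persistence"} <= rules


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_EVENTS))
    for rule, pid, detail in found:
        print(f"{rule:24} pid={pid:<5} {detail}")
    print("behavioural chain present:", full_chain_seen(found))
```

The hash rule is the weakest signal here, since a recompile of the stub changes every hash; the two behavioural rules (Roaming EXE spawned from Temp, Run value pointing into AppData) survive that and are the ones worth keeping in a production query.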

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ceb13dd4a2f0bbdd666609d9fdcd7b0b

    SHA1

    08893c61a06dc022b6a34b4a53976cab9d33a4f5

    SHA256

    613dea987ad4243094cda72019e5a41be21c2d535fbf62a307f7f6bb7ebc26b5

    SHA512

    39820bdf188787a1a01e2f72d9b22de78f3ee32d73f7dc99a6da2c03cf31a0a2127a5c2ea189bea7d6206c8a1512204fd4ef5ae80360f30135098a5281b26a00

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    854ab631168daee6dfb63b9818e041f5

    SHA1

    33e227d5c90dce3e2af82815981f7ab15068859c

    SHA256

    94505744492820fd66d2823db82337b63ab8ef48aa52e67ed2dc46e1c1729913

    SHA512

    b4b7baee68b9e4356c69c54d9ea19f3b05fcbeee84f391dd556901c5a00573d732d3f566250e8a4d19b8e99e23c059d7bf05ef66e8e5683242aa5cb89adc609d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fbbc234b6bce8c9978eed84b293d1232

    SHA1

    5c4ab5e86129c30c4676b1deaf585b671176ec1a

    SHA256

    11b5c954c975885258348f0bc881c5cc319500c3f38001508225e9d1a0e802eb

    SHA512

    830e3acb96908243304dace27ca6b5cb49451423a888b024c99d5b169d480f7cb8ac352abac745d2a3394f32361b2bf58a80586229c85f14e5c6ae8d68c50cac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a29a22bcdb4350132cb16bc8e06f3fa7

    SHA1

    aa3c440f6dd81ca5a8eeefdd11893d7555e197bf

    SHA256

    e18a6d56cd84c8ee2fe3f5e1ed7b9dafff3166951d5e122b4b992548f29ee3e9

    SHA512

    aae57f8e05e2177cf355d974ad20713fa774377a860ed36fb4cb017f4dddd44b6530a531241ed169ef52fd0f237d226376d13393c82d58b3bf5f9c3ca6aacdb9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    db6a19493c28caf0c98759fcd7725f1a

    SHA1

    62a8ae9d9648921c7d5d1597a9357f4d1ca62335

    SHA256

    708a57a6221c3b10b0af6a699e77fee69e41df9d02bfb6fff2029f34c5768945

    SHA512

    d957736ae410df54829c7a134b03d568a70775efebc29c61f0cfccded441eed26128384b68a62f69092834ee82b5ae627fafcbb881f77c008bb0541f47a2c1b2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a9836e6797fe4e2860bd7ae382cf6d4d

    SHA1

    836230615ee6e2027b76293268c318635d524356

    SHA256

    66dc2544004182d9a7186e6fc8291f5faa6c9ca60068389a217f2a2804fd40dd

    SHA512

    57a1345c51b8d685488871dd8d87498bcdbbe04cb1eb27eaa303441ff0bbed3e1cc8589dfb9a92d8a3053002f71853bad4666b375047ce938a30d481ba28e098

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1ac8010a9a4c6922f550a4293068a758

    SHA1

    8b1b9c4b3cd310f449ae9e40c496f8504cc9633a

    SHA256

    b045e1bdfb56b5fbee96540f3ea5b75c914b57556bab52aeb91a889ea2ebfb0c

    SHA512

    ca450aeaeb805d0be7532be9cc7a4cec3e620f7c47754627b74c934a26052d962085631ab190838e6e0ad251a84c2928bbbee58cdfdf15eb9b7cc8f045e41c2e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dbfb88b46d12b387922254cea66df03d

    SHA1

    500429a5ac1d309396c457323981c6d426da1ade

    SHA256

    69f1f5a36a33328a6f520b30c7eb5fe6d7c5821b621b242d3b29192b3469e7fa

    SHA512

    a5d90cac0860f415b471d21e1f39a8ff877ce3921d3ba2ce533c12be0fe29c209904aef06d8d3445b41d3942004752edb325d8232a9f5d63628f7597484968c5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    10e1ee1bbeeaaa246032e0b26fad96fe

    SHA1

    23c56275f46571a680b497cd67ee0a13d8100c7e

    SHA256

    8f6c4ed897d7b425283a72233e65d110651f00ac5e3d6c8f9b4995b06ec67acb

    SHA512

    5c218e70c49c61970778268dd0a0911947773a1dfc2d734317da72f1ba1c69efc3add60a1750d75084ede7c85ab9a7f0896466208d78d92bb9123d7732227444

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fa3458141e8d7b52608510157f169af4

    SHA1

    750593493309cab577d5cca26bdbede5b4c5266c

    SHA256

    7761f110a67d0dfa8edb318464a9c001a2b5c9b11643a419335e7c67697edff5

    SHA512

    5acd20862e9077eb70a1a5a99374e820718daa3b7e208b237e35e6566f6e077ba77dbfb75b935e4cb76ba0e56d5ebbe8915a18e1645f386492323a4d82713cd5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    87256df764d27fb00fa0f2673a6834c1

    SHA1

    e3d4dbaa465b9701e139f7bf15f2eee6a31337f9

    SHA256

    272d6c8154e763db38fff71ce3a3ca04b02c250cdb0c88d16b66f71f248b10b7

    SHA512

    f1da98501071d5b8dfbfcf8eb66412c33785f2a5b500830df244aa29153da7d06f60bf74878bd411aa0fad283bc0457fcbb47a424e4092788dcc344cff4d5cb8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    448a1bdf866c60ab183895724bec2daa

    SHA1

    fddae6cc8b946ba8568030df3a2c958db9cc2968

    SHA256

    82a777d7856b5213bb5322aa42eaadcfcfc9674884d473c1ec781f77e0de7a9a

    SHA512

    ee84675469821076f2c8ccf9cfa6f050cc243599a01d0d8dd793a92d0516d2c26f751909f719206b9156c0d97243e627b21817a796c477d31513f0aba802967f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    525604d5be3c9a0e8b8345ecf6d4f525

    SHA1

    21a0cbfeefaeb607a8c1f356cd8d85f9679a8144

    SHA256

    31e9f0c5fae9dcf728d8bc29a9a9696bf03c8ba598156bc23cb926afc51b21d5

    SHA512

    a7f21bf3370a3b508567b22fe1c92e64ba47dac777bbff7f8e1cc5295069c37af67f24640829f9b27b6851acff9bc65530328593ac807820b80a772ba42c69b6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    470d2f102bec5ee8aeda5aa23305feea

    SHA1

    28d96ac0c7513f6ee25d650f5a910562fc9c4aa6

    SHA256

    0d6b954d980e8def9f82c94d81a317614d4929dda09185977e8cab1deb3fb12b

    SHA512

    683eb7f6e2ac8af32893b7dd7d99af4368e3431d318d36112968421b8e5ed2734246fd76d1fcc50acf6666cea80f5b2c49d3caa6dd798479e274f5c827a2a178

  • C:\Users\Admin\AppData\Local\Temp\CabE919.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE93B.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

    Filesize

    184B

    MD5

    13ff21470b63470978e08e4933eb8e56

    SHA1

    3fa7077272c55e85141236d90d302975e3d14b2e

    SHA256

    16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a

    SHA512

    56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

  • \Users\Admin\AppData\Roaming\Fortnite.exe

    Filesize

    114KB

    MD5

    4bd20275a3148a44bf040367a43f6fe2

    SHA1

    4faa5b6fca5f3b31b00995b4372f635b1ed3a019

    SHA256

    98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336

    SHA512

    ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

  • \Users\Admin\AppData\Roaming\FortniteChecker.exe

    Filesize

    83KB

    MD5

    f5d8bedb9dcc17a0a356f2f3f621971e

    SHA1

    76ed7763602cc198be87b3eb51949f54ae9c0f9b

    SHA256

    355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe

    SHA512

    ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

  • memory/2092-406-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB

  • memory/2092-47-0x00000000011A0000-0x00000000011C2000-memory.dmp

    Filesize

    136KB

  • memory/2092-46-0x000000007423E000-0x000000007423F000-memory.dmp

    Filesize

    4KB