Analysis
-
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 15-11-2024 20:20
Behavioral task: behavioral1
Sample: FortniteCheeto1.1.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: FortniteCheeto1.1.exe
Resource: win10v2004-20241007-en
General
-
Target: FortniteCheeto1.1.exe
Size: 1.9MB
MD5: c45c467e8f19f30607d53008089f3cf3
SHA1: 1adb8f8fe7fd4ea27a15b078b6689f02af232ccf
SHA256: b665d95a5937bfe91d3519e449155f167318ef349ddc2a51b216353cbc5b1c20
SHA512: a7b8ba1abc5f4c06a21f73f236721f384aaaa843005d30e4eefdd5707bb16774f9ca8fac4e8d93219d83627a192256f34c5bc287419480813cb86ad3465b9ff5
SSDEEP: 49152:jbA3wn9R0GVO1ZNksxh3TsRs+6dZdOk7KEE:jbD9RDmhYRsZgk7O
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
resource                                                                     yara_rule
behavioral1/files/0x0007000000016d67-16.dat                                  dcrat
behavioral1/memory/2944-18-0x00000000001F0000-0x000000000038A000-memory.dmp  dcrat
-
Executes dropped EXE 1 IoCs
pid   Process
2944  runtimeCommon.exe
-
Loads dropped DLL 2 IoCs
pid   Process
2956  cmd.exe
2956  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FortniteCheeto1.1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2944  runtimeCommon.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description                       pid   Process                procid_target
PID 2648 wrote to memory of 2636  2648  FortniteCheeto1.1.exe  30
PID 2648 wrote to memory of 2636  2648  FortniteCheeto1.1.exe  30
PID 2648 wrote to memory of 2636  2648  FortniteCheeto1.1.exe  30
PID 2648 wrote to memory of 2636  2648  FortniteCheeto1.1.exe  30
PID 2648 wrote to memory of 1264  2648  FortniteCheeto1.1.exe  31
PID 2648 wrote to memory of 1264  2648  FortniteCheeto1.1.exe  31
PID 2648 wrote to memory of 1264  2648  FortniteCheeto1.1.exe  31
PID 2648 wrote to memory of 1264  2648  FortniteCheeto1.1.exe  31
PID 2636 wrote to memory of 2956  2636  WScript.exe            32
PID 2636 wrote to memory of 2956  2636  WScript.exe            32
PID 2636 wrote to memory of 2956  2636  WScript.exe            32
PID 2636 wrote to memory of 2956  2636  WScript.exe            32
PID 2956 wrote to memory of 2944  2956  cmd.exe                34
PID 2956 wrote to memory of 2944  2956  cmd.exe                34
PID 2956 wrote to memory of 2944  2956  cmd.exe                34
PID 2956 wrote to memory of 2944  2956  cmd.exe                34
Processes
-
C:\Users\Admin\AppData\Local\Temp\FortniteCheeto1.1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\FortniteCheeto1.1.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
-
  C:\Windows\SysWOW64\WScript.exe (depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\1wa1BUh.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
  -
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\BBAqvAKWKrWt.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
    -
      C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\runtimeCommon.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\runtimeCommon.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2944
  -
  C:\Windows\SysWOW64\WScript.exe (depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\file.vbs"
  - System Location Discovery: System Language Discovery
  PID:1264
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 212B
MD5: 8aaf65e9a4b184cc61fc117355e48a61
SHA1: 0ba44f4ce530344eacd0b01722e1aa0ade006746
SHA256: da33a2cec81c558c778bed1b1bd7d4caf6e9ea48eacf583fa937ee313211ea73
SHA512: c4dbd6b9cd62ac26d1448686fa31ff1d0974fcd18c771d8e46eff8e9aef4d1f381192273bcd45a6d5839d8e7a2e02f531f8d34785d576854f691a1d514cfd85b
-
Filesize: 46B
MD5: 5e0bc3d4dd27ad8c6f85acc90bcfa735
SHA1: d7980e7faeb79ac69da52c808d652050982d77ab
SHA256: cb211cb3ef76b929b4fc9f53eae8308706c93e692fdc74642eff5420b9a45d54
SHA512: f0d89447947a86167d63b5b6a8908893700490f85c4a7700ed96bcbf55ef851720e38512b85338dd10a55b9326ae0d5ff48177466a87167b029c87a4ef196b7f
-
Filesize: 34B
MD5: 677cc4360477c72cb0ce00406a949c61
SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize: 1.6MB
MD5: 84bf077031e73a69872de07165984eb2
SHA1: 271b1eef1fb981127b0bb2f76a57a0d39660dfe1
SHA256: d53b2b40551489366ffaeb04010273d93d0426354e61305bb9b6eb0e4c0be7ad
SHA512: 10c2fa39ff50c6d82a03c348be97d8862e39215c35b13575cec91efe5a3f3bcd07d7051d43b21ec8769dbb0157662cc7506e7b18ec9b8aef1866aea1def4b73b