Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 20:20

General

  • Target

    FortniteCheeto1.1.exe

  • Size

    1.9MB

  • MD5

    c45c467e8f19f30607d53008089f3cf3

  • SHA1

    1adb8f8fe7fd4ea27a15b078b6689f02af232ccf

  • SHA256

    b665d95a5937bfe91d3519e449155f167318ef349ddc2a51b216353cbc5b1c20

  • SHA512

    a7b8ba1abc5f4c06a21f73f236721f384aaaa843005d30e4eefdd5707bb16774f9ca8fac4e8d93219d83627a192256f34c5bc287419480813cb86ad3465b9ff5

  • SSDEEP

    49152:jbA3wn9R0GVO1ZNksxh3TsRs+6dZdOk7KEE:jbD9RDmhYRsZgk7O

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FortniteCheeto1.1.exe
    "C:\Users\Admin\AppData\Local\Temp\FortniteCheeto1.1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\1wa1BUh.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\BBAqvAKWKrWt.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\runtimeCommon.exe
          "C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\runtimeCommon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\file.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\1wa1BUh.vbe

    Filesize

    212B

    MD5

    8aaf65e9a4b184cc61fc117355e48a61

    SHA1

    0ba44f4ce530344eacd0b01722e1aa0ade006746

    SHA256

    da33a2cec81c558c778bed1b1bd7d4caf6e9ea48eacf583fa937ee313211ea73

    SHA512

    c4dbd6b9cd62ac26d1448686fa31ff1d0974fcd18c771d8e46eff8e9aef4d1f381192273bcd45a6d5839d8e7a2e02f531f8d34785d576854f691a1d514cfd85b

  • C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\BBAqvAKWKrWt.bat

    Filesize

    46B

    MD5

    5e0bc3d4dd27ad8c6f85acc90bcfa735

    SHA1

    d7980e7faeb79ac69da52c808d652050982d77ab

    SHA256

    cb211cb3ef76b929b4fc9f53eae8308706c93e692fdc74642eff5420b9a45d54

    SHA512

    f0d89447947a86167d63b5b6a8908893700490f85c4a7700ed96bcbf55ef851720e38512b85338dd10a55b9326ae0d5ff48177466a87167b029c87a4ef196b7f

  • C:\Users\Admin\AppData\Roaming\DriverRefNetdhcp\file.vbs

    Filesize

    34B

    MD5

    677cc4360477c72cb0ce00406a949c61

    SHA1

    b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

    SHA256

    f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

    SHA512

    7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

  • \Users\Admin\AppData\Roaming\DriverRefNetdhcp\runtimeCommon.exe

    Filesize

    1.6MB

    MD5

    84bf077031e73a69872de07165984eb2

    SHA1

    271b1eef1fb981127b0bb2f76a57a0d39660dfe1

    SHA256

    d53b2b40551489366ffaeb04010273d93d0426354e61305bb9b6eb0e4c0be7ad

    SHA512

    10c2fa39ff50c6d82a03c348be97d8862e39215c35b13575cec91efe5a3f3bcd07d7051d43b21ec8769dbb0157662cc7506e7b18ec9b8aef1866aea1def4b73b

  • memory/2944-18-0x00000000001F0000-0x000000000038A000-memory.dmp

    Filesize

    1.6MB

  • memory/2944-19-0x00000000001C0000-0x00000000001CE000-memory.dmp

    Filesize

    56KB