b4c4135c6d4900a344721f210a6f9ad5ae7f3658fa4e1ad99b177313a05d3cce

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RIP Tweaks Free Pack V4/Problem Fixes/Revert Fortnite Launch Problem.bat
Size

421B
MD5

7b76612b5c17e433be96a95c779dea78
SHA1

ead334620c99e4d523efa2f4a8dfc72d57a5ec9e
SHA256

8800d8bf0060e79e07e0bd45636faa2e2f3480c0b62f57f0cfcc001ee8f683cf
SHA512

022c5c7dd174fa98932e3b06bdfd27b790d7649e6e85b942d28fdf50df7384c54963b74b43739ab470bef50fc6ef2bbc331157dd3fd53555841060907dbd3439

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	reg.exe
2832	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2756	2684	cmd.exe	32
PID 2684 wrote to memory of 2756	2684	cmd.exe	32
PID 2684 wrote to memory of 2756	2684	cmd.exe	32
PID 2684 wrote to memory of 2812	2684	cmd.exe	33
PID 2684 wrote to memory of 2812	2684	cmd.exe	33
PID 2684 wrote to memory of 2812	2684	cmd.exe	33
PID 2684 wrote to memory of 2832	2684	cmd.exe	34
PID 2684 wrote to memory of 2832	2684	cmd.exe	34
PID 2684 wrote to memory of 2832	2684	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RIP Tweaks Free Pack V4\Problem Fixes\Revert Fortnite Launch Problem.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKLM\Software\Policies\Microsoft\Windows\QoS\FortniteClient-Win64" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortniteClient-Win64-Shipping.exe\PerfOptions" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2812
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortniteClient-Win64-Shipping.exe" /v "UseLargePages" /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads