Analysis
Max time kernel: 150s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 21-06-2024 00:11
Behavioral task: behavioral1
Sample: VXM.exe
Resource: win7-20240508-en
General
Target: VXM.exe
Size: 63KB
MD5: 829239de570b423d6cf714c6f2f9d2cd
SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
SSDEEP: 768:MwmjppBf5978fEC8A+XYcliE4oWudjzJoB1+T4gSEGHmDbDuph0oX3YBXlSuclph:oF533R3NzJqbzUbYh93luclpqKmY7
Malware Config
Extracted
Family: asyncrat
Botnet: Default
C2: 127.0.0.1:3232
Attributes:
  delay: 1
  install: true
  install_file: Fortnite Cheats.exe
  install_folder: %Temp%
Signatures
- Async RAT payload (1 IoCs)
  Processes:
    resource                                               yara_rule
    C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe  family_asyncrat
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2780  Fortnite Cheats.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    1320  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2156  VXM.exe
    2156  VXM.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            2156  VXM.exe
    Token: SeDebugPrivilege            2780  Fortnite Cheats.exe
    Token: 33                          2088  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  2088  AUDIODG.EXE
    Token: 33                          2088  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  2088  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                       pid   process  target process
    PID 2156 wrote to memory of 1276  2156  VXM.exe  cmd.exe
    PID 2156 wrote to memory of 1276  2156  VXM.exe  cmd.exe
    PID 2156 wrote to memory of 1276  2156  VXM.exe  cmd.exe
    PID 2156 wrote to memory of 2756  2156  VXM.exe  cmd.exe
    PID 2156 wrote to memory of 2756  2156  VXM.exe  cmd.exe
    PID 2156 wrote to memory of 2756  2156  VXM.exe  cmd.exe
    PID 1276 wrote to memory of 2736  1276  cmd.exe  schtasks.exe
    PID 1276 wrote to memory of 2736  1276  cmd.exe  schtasks.exe
    PID 1276 wrote to memory of 2736  1276  cmd.exe  schtasks.exe
    PID 2756 wrote to memory of 1320  2756  cmd.exe  timeout.exe
    PID 2756 wrote to memory of 1320  2756  cmd.exe  timeout.exe
    PID 2756 wrote to memory of 1320  2756  cmd.exe  timeout.exe
    PID 2756 wrote to memory of 2780  2756  cmd.exe  Fortnite Cheats.exe
    PID 2756 wrote to memory of 2780  2756  cmd.exe  Fortnite Cheats.exe
    PID 2756 wrote to memory of 2780  2756  cmd.exe  Fortnite Cheats.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows process tree depth)
C:\Users\Admin\AppData\Local\Temp\VXM.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VXM.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat""
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x160
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
  Filesize: 63KB
  MD5: 829239de570b423d6cf714c6f2f9d2cd
  SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
  SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
  SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat
  Filesize: 162B
  MD5: 5de2e7dbdd0afb9774ec6c1e5a5dfbbd
  SHA1: a39e23d4921e389c062ed52edbeab8229608e68b
  SHA256: bdc84f3e7236221614fbd731db31029980634ba807d5b8c2c2a9b216f2bc0235
  SHA512: ef23ab96c686f1a16dd1e028ae9c555831baf5d7d602860bafabc6bf4434d5ceee059856212a6ff92653131388968219dd43bbc165344345904728293a638b8f
memory/2156-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp
  Filesize: 4KB
memory/2156-1-0x0000000000D10000-0x0000000000D26000-memory.dmp
  Filesize: 88KB
memory/2156-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
  Filesize: 9.9MB
memory/2156-11-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
  Filesize: 9.9MB
memory/2156-13-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
  Filesize: 9.9MB
memory/2780-17-0x0000000000C00000-0x0000000000C16000-memory.dmp
  Filesize: 88KB