Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-06-2024 00:11

General

  • Target

    VXM.exe

  • Size

    63KB

  • MD5

    829239de570b423d6cf714c6f2f9d2cd

  • SHA1

    1dce551d2edf5e5f8d992a9073ed5d7f3868995e

  • SHA256

    1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb

  • SHA512

    a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d

  • SSDEEP

    768:MwmjppBf5978fEC8A+XYcliE4oWudjzJoB1+T4gSEGHmDbDuph0oX3YBXlSuclph:oF533R3NzJqbzUbYh93luclpqKmY7

Score
10/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3232

Attributes
  • delay

    1

  • install

    true

  • install_file

    Fortnite Cheats.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VXM.exe
    "C:\Users\Admin\AppData\Local\Temp\VXM.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2736
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1320
      • C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
        "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1368
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x160
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2088
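The process tree above is the whole infection chain: VXM.exe registers an ONLOGON task with the highest run level pointing at an EXE in %Temp%, then runs a temporary .bat that waits three seconds (timeout.exe) and launches that EXE. Note that "Fortnite Cheats.exe" carries the same MD5/SHA1/SHA256 as VXM.exe, so the "install" step is a self-copy, not a second-stage download. The following is an added detection example, not part of the sandbox report: it encodes those two behaviours as rules over process-creation events. The events are constructed from the report's process tree (the parent PID of VXM.exe and the benign control task are assumed, since the report does not show them).

```python
"""Added example: detection rules for the AsyncRAT process-tree patterns above.
Event records are constructed to mirror the report; they are not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Any path under a user's %Temp% (C:\Users\<user>\AppData\Local\Temp\...).
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and command lines as shown).
# Parent PID 1000 for VXM.exe and the final benign control event are assumptions.
EVENTS = [
    ProcEvent(2156, 1000, r"C:\Users\Admin\AppData\Local\Temp\VXM.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\VXM.exe"'),
    ProcEvent(1276, 2156, r"C:\Windows\System32\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit'''),
    ProcEvent(2736, 1276, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' '''),
    ProcEvent(2756, 2156, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat""'),
    ProcEvent(1320, 2756, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(2780, 2756, r"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'),
    # Benign control (assumed): a logon task outside %Temp% must not fire rule 1.
    ProcEvent(3001, 3000, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /sc onlogon /tn "Updater" /tr "C:\Program Files\Vendor\updater.exe"'),
]


def logon_task_into_temp(ev):
    """Rule 1: schtasks.exe creating an ONLOGON task whose action lives under %Temp%.
    Returns (task_name, action_path, runs_elevated) or None."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    low = ev.cmdline.lower()
    if "/create" not in low or "/sc onlogon" not in low:
        return None
    # /tr value runs up to the next " /switch" or the end of the command line.
    action = re.search(r"/tr\s+(.+?)(?=\s+/|\s*$)", ev.cmdline, re.IGNORECASE)
    if not action or not TEMP_RE.search(action.group(1)):
        return None
    name = re.search(r'/tn\s+"([^"]+)"', ev.cmdline, re.IGNORECASE)
    return (name.group(1) if name else "",
            action.group(1).strip("'\" "),
            "/rl highest" in low)


def delayed_temp_launch_chains(events):
    """Rule 2: cmd.exe running a .bat from %Temp% whose children include timeout.exe
    and an EXE launched from %Temp% (the dropper's delay-then-launch stub).
    Returns [(cmd_pid, [launched_exe_paths])]."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r"\\appdata\\local\\temp\\[^\"]+\.bat\b", ev.cmdline, re.IGNORECASE):
            continue
        kids = children[ev.pid]
        delayed = any(k.image.lower().endswith("\\timeout.exe") for k in kids)
        launched = [k.image for k in kids
                    if TEMP_RE.search(k.image) and k.image.lower().endswith(".exe")]
        if delayed and launched:
            hits.append((ev.pid, launched))
    return hits


def analyze(events):
    """Run both rules over a batch of events and return the findings."""
    tasks = [(ev.pid, *hit) for ev in events if (hit := logon_task_into_temp(ev))]
    return {"logon_tasks_into_temp": tasks,
            "delayed_temp_launches": delayed_temp_launch_chains(events)}


if __name__ == "__main__":
    for rule, findings in analyze(EVENTS).items():
        print(rule)
        for f in findings:
            print("   ", f)
```

Rule 1 keys on the combination (schtasks /create, ONLOGON trigger, action under %Temp%) rather than on the task name, which the operator chooses freely; the elevated flag is reported separately because /rl highest is what earns the Privilege Escalation row in the ATT&CK matrix below. Rule 2 needs the parent-child relation, so it is a batch rule over a window of events rather than a per-event match.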

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
      Scheduled Task/Job (T1053) 1
      Scheduled Task (T1053.005) 1
  • Persistence
      Scheduled Task/Job (T1053) 1
      Scheduled Task (T1053.005) 1
  • Privilege Escalation
      Scheduled Task/Job (T1053) 1
      Scheduled Task (T1053.005) 1
  • Discovery
      System Information Discovery (T1082) 1
      Query Registry (T1012) 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
    Filesize
      63KB
    MD5
      829239de570b423d6cf714c6f2f9d2cd
    SHA1
      1dce551d2edf5e5f8d992a9073ed5d7f3868995e
    SHA256
      1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
    SHA512
      a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d

  • C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp.bat
    Filesize
      162B
    MD5
      5de2e7dbdd0afb9774ec6c1e5a5dfbbd
    SHA1
      a39e23d4921e389c062ed52edbeab8229608e68b
    SHA256
      bdc84f3e7236221614fbd731db31029980634ba807d5b8c2c2a9b216f2bc0235
    SHA512
      ef23ab96c686f1a16dd1e028ae9c555831baf5d7d602860bafabc6bf4434d5ceee059856212a6ff92653131388968219dd43bbc165344345904728293a638b8f

  • memory/2156-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp
    Filesize
      4KB

  • memory/2156-1-0x0000000000D10000-0x0000000000D26000-memory.dmp
    Filesize
      88KB

  • memory/2156-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
    Filesize
      9.9MB

  • memory/2156-11-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
    Filesize
      9.9MB

  • memory/2156-13-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
    Filesize
      9.9MB

  • memory/2780-17-0x0000000000C00000-0x0000000000C16000-memory.dmp
    Filesize
      88KB