Analysis

  • max time kernel
    147s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-06-2024 00:11

General

  • Target

    VXM.exe

  • Size

    63KB

  • MD5

    829239de570b423d6cf714c6f2f9d2cd

  • SHA1

    1dce551d2edf5e5f8d992a9073ed5d7f3868995e

  • SHA256

    1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb

  • SHA512

    a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d

  • SSDEEP

    768:MwmjppBf5978fEC8A+XYcliE4oWudjzJoB1+T4gSEGHmDbDuph0oX3YBXlSuclph:oF533R3NzJqbzUbYh93luclpqKmY7

Score
10/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3232

Attributes
  • delay

    1

  • install

    true

  • install_file

    Fortnite Cheats.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VXM.exe
    "C:\Users\Admin\AppData\Local\Temp\VXM.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4636
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp46EC.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2396
      • C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
        "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2000
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3096
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
    1⤵
    PID:3088
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
    1⤵
    PID:1280
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
    1⤵
    PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    T1053 Scheduled Task/Job (1)
    T1053.005 Scheduled Task (1)
  • Persistence
    T1053 Scheduled Task/Job (1)
    T1053.005 Scheduled Task (1)
  • Privilege Escalation
    T1053 Scheduled Task/Job (1)
    T1053.005 Scheduled Task (1)
  • Discovery
    T1012 Query Registry (2)
    T1082 System Information Discovery (2)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
    Filesize
    63KB
    MD5
    829239de570b423d6cf714c6f2f9d2cd
    SHA1
    1dce551d2edf5e5f8d992a9073ed5d7f3868995e
    SHA256
    1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
    SHA512
    a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d

  • C:\Users\Admin\AppData\Local\Temp\tmp46EC.tmp.bat
    Filesize
    162B
    MD5
    11bdf42619800d23321eb5e3154713a6
    SHA1
    a8613bc7f60529af21aa89f8d3ec7c77d6b9ad4d
    SHA256
    3b3be63f4c48922499a55a4ca0f15bd6cf083e93b35690f4296016143d334e7f
    SHA512
    50fdf0955c4c380e6fefe640c11cbc379a2007bdadd4c0337bfc200e69b6147a9a961d3a5f7e8117c549b1e4a0346cea85c6776312d2df534f697d5f6a9c0760

  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em3096
    Filesize
    74B
    MD5
    cefea1cd57f735b6e86fad1d171fb4bd
    SHA1
    9c93c5d89946bfd342b0cf988e68b70c511e1701
    SHA256
    6296ff8438e450093c68d1a348ecdc4a96e3cdc5c51ec128026ef190cafa1e2a
    SHA512
    6d3f369faefd6f7e0dcdac62471965d0ba9184c98100bd50861a9d07eb1e845a1ab06ba20579363ac28988f79b491748dd71b8253a43d31ddd0ba8dbd299260d
