Analysis
- max time kernel: 147s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 00:11

Behavioral task: behavioral1
- Sample: VXM.exe
- Resource: win7-20240508-en
General
- Target: VXM.exe
- Size: 63KB
- MD5: 829239de570b423d6cf714c6f2f9d2cd
- SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
- SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
- SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
- SSDEEP: 768:MwmjppBf5978fEC8A+XYcliE4oWudjzJoB1+T4gSEGHmDbDuph0oX3YBXlSuclph:oF533R3NzJqbzUbYh93luclpqKmY7
Malware Config
Extracted
- Family: asyncrat
- Botnet: Default
- C2: 127.0.0.1:3232
- delay: 1
- install: true
- install_file: Fortnite Cheats.exe
- install_folder: %Temp%
Signatures
- Async RAT payload (1 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe | family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | VXM.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    4988 | Fortnite Cheats.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid | process):
    2396 | timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
    3096 | vlc.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes (pid | process):
    1596 | VXM.exe (21 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    3096 | vlc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1596 | VXM.exe
    Token: SeDebugPrivilege | 4988 | Fortnite Cheats.exe
- Suspicious use of FindShellTrayWindow (21 IoCs)
  Processes (pid | process):
    3096 | vlc.exe (21 entries)
- Suspicious use of SendNotifyMessage (20 IoCs)
  Processes (pid | process):
    3096 | vlc.exe (20 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    3096 | vlc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid process | target process):
    PID 1596 wrote to memory of 3120 | 1596 VXM.exe | cmd.exe
    PID 1596 wrote to memory of 3120 | 1596 VXM.exe | cmd.exe
    PID 1596 wrote to memory of 4144 | 1596 VXM.exe | cmd.exe
    PID 1596 wrote to memory of 4144 | 1596 VXM.exe | cmd.exe
    PID 4144 wrote to memory of 2396 | 4144 cmd.exe | timeout.exe
    PID 4144 wrote to memory of 2396 | 4144 cmd.exe | timeout.exe
    PID 3120 wrote to memory of 4636 | 3120 cmd.exe | schtasks.exe
    PID 3120 wrote to memory of 4636 | 3120 cmd.exe | schtasks.exe
    PID 4144 wrote to memory of 4988 | 4144 cmd.exe | Fortnite Cheats.exe
    PID 4144 wrote to memory of 4988 | 4144 cmd.exe | Fortnite Cheats.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number in brackets is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\VXM.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\VXM.exe"
    signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
        signatures: Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
            signatures: Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp46EC.tmp.bat""
        signatures: Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\timeout.exe
            command line: timeout 3
            signatures: Delays execution with timeout.exe
        [3] C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
    signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
[1] C:\Program Files\VideoLAN\VLC\vlc.exe
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\SkipOut.mov"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Files
- C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
  Filesize: 63KB
  MD5: 829239de570b423d6cf714c6f2f9d2cd
  SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
  SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
  SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
- C:\Users\Admin\AppData\Local\Temp\tmp46EC.tmp.bat
  Filesize: 162B
  MD5: 11bdf42619800d23321eb5e3154713a6
  SHA1: a8613bc7f60529af21aa89f8d3ec7c77d6b9ad4d
  SHA256: 3b3be63f4c48922499a55a4ca0f15bd6cf083e93b35690f4296016143d334e7f
  SHA512: 50fdf0955c4c380e6fefe640c11cbc379a2007bdadd4c0337bfc200e69b6147a9a961d3a5f7e8117c549b1e4a0346cea85c6776312d2df534f697d5f6a9c0760
- C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em3096
  Filesize: 74B
  MD5: cefea1cd57f735b6e86fad1d171fb4bd
  SHA1: 9c93c5d89946bfd342b0cf988e68b70c511e1701
  SHA256: 6296ff8438e450093c68d1a348ecdc4a96e3cdc5c51ec128026ef190cafa1e2a
  SHA512: 6d3f369faefd6f7e0dcdac62471965d0ba9184c98100bd50861a9d07eb1e845a1ab06ba20579363ac28988f79b491748dd71b8253a43d31ddd0ba8dbd299260d

Memory dumps (dump | Filesize)
- memory/1168-21-0x00007FFE98B60000-0x00007FFE98B78000-memory.dmp | 96KB
- memory/1168-18-0x00007FF755F70000-0x00007FF756068000-memory.dmp | 992KB
- memory/1168-22-0x00007FFE97290000-0x00007FFE972A7000-memory.dmp | 92KB
- memory/1168-20-0x00007FFE83C50000-0x00007FFE83F06000-memory.dmp | 2.7MB
- memory/1168-19-0x00007FFE989E0000-0x00007FFE98A14000-memory.dmp | 208KB
- memory/1168-23-0x00007FFE971D0000-0x00007FFE971E1000-memory.dmp | 68KB
- memory/1280-25-0x00007FFE989E0000-0x00007FFE98A14000-memory.dmp | 208KB
- memory/1280-27-0x00007FFE98B60000-0x00007FFE98B78000-memory.dmp | 96KB
- memory/1280-28-0x00007FFE97290000-0x00007FFE972A7000-memory.dmp | 92KB
- memory/1280-26-0x00007FFE83C50000-0x00007FFE83F06000-memory.dmp | 2.7MB
- memory/1280-24-0x00007FF755F70000-0x00007FF756068000-memory.dmp | 992KB
- memory/1280-29-0x00007FFE971D0000-0x00007FFE971E1000-memory.dmp | 68KB
- memory/1596-0-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp | 8KB
- memory/1596-7-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp | 10.8MB
- memory/1596-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp | 88KB
- memory/1596-2-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp | 10.8MB
- memory/3088-16-0x00007FFE97290000-0x00007FFE972A7000-memory.dmp | 92KB
- memory/3088-15-0x00007FFE98B60000-0x00007FFE98B78000-memory.dmp | 96KB
- memory/3088-14-0x00007FFE83C50000-0x00007FFE83F06000-memory.dmp | 2.7MB
- memory/3088-17-0x00007FFE971D0000-0x00007FFE971E1000-memory.dmp | 68KB
- memory/3088-12-0x00007FF755F70000-0x00007FF756068000-memory.dmp | 992KB
- memory/3088-13-0x00007FFE989E0000-0x00007FFE98A14000-memory.dmp | 208KB
- memory/3096-57-0x00007FFE83190000-0x00007FFE831A1000-memory.dmp | 68KB
- memory/3096-52-0x00007FFE82D60000-0x00007FFE82F6B000-memory.dmp | 2.0MB
- memory/3096-55-0x00007FFE831B0000-0x00007FFE831D1000-memory.dmp | 132KB
- memory/3096-59-0x00007FFE83150000-0x00007FFE83161000-memory.dmp | 68KB
- memory/3096-58-0x00007FFE83170000-0x00007FFE83181000-memory.dmp | 68KB
- memory/3096-43-0x00007FFE989E0000-0x00007FFE98A14000-memory.dmp | 208KB
- memory/3096-56-0x00007FFE86800000-0x00007FFE86818000-memory.dmp | 96KB
- memory/3096-54-0x00007FFE831E0000-0x00007FFE83221000-memory.dmp | 260KB
- memory/3096-53-0x00007FFE83230000-0x00007FFE83297000-memory.dmp | 412KB
- memory/3096-51-0x00007FFE87D60000-0x00007FFE87D71000-memory.dmp | 68KB
- memory/3096-50-0x00007FFE8A7A0000-0x00007FFE8A7BD000-memory.dmp | 116KB
- memory/3096-49-0x00007FFE8F930000-0x00007FFE8F941000-memory.dmp | 68KB
- memory/3096-48-0x00007FFE90040000-0x00007FFE90057000-memory.dmp | 92KB
- memory/3096-47-0x00007FFE971D0000-0x00007FFE971E1000-memory.dmp | 68KB
- memory/3096-46-0x00007FFE97290000-0x00007FFE972A7000-memory.dmp | 92KB
- memory/3096-45-0x00007FFE98B60000-0x00007FFE98B78000-memory.dmp | 96KB
- memory/3096-44-0x00007FFE83C50000-0x00007FFE83F06000-memory.dmp | 2.7MB
- memory/3096-42-0x00007FF755F70000-0x00007FF756068000-memory.dmp | 992KB