Analysis

max time kernel: 145s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 00:15
Behavioral task: behavioral1
Sample: VXM.exe
Resource: win7-20240508-en
General

Target: VXM.exe
Size: 63KB
MD5: 829239de570b423d6cf714c6f2f9d2cd
SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
SSDEEP: 768:MwmjppBf5978fEC8A+XYcliE4oWudjzJoB1+T4gSEGHmDbDuph0oX3YBXlSuclph:oF533R3NzJqbzUbYh93luclpqKmY7
Malware Config

Extracted: asyncrat
Default: 127.0.0.1:3232
delay: 1
install: true
install_file: Fortnite Cheats.exe
install_folder: %Temp%
Signatures

Async RAT payload (1 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe | family_asyncrat

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2668 | Fortnite Cheats.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid | process
  2716 | timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  2916 | VXM.exe
  2916 | VXM.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2916 | VXM.exe
  Token: SeDebugPrivilege | 2668 | Fortnite Cheats.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 2916 wrote to memory of 2032 | 2916 | VXM.exe | cmd.exe
  PID 2916 wrote to memory of 2032 | 2916 | VXM.exe | cmd.exe
  PID 2916 wrote to memory of 2032 | 2916 | VXM.exe | cmd.exe
  PID 2916 wrote to memory of 1916 | 2916 | VXM.exe | cmd.exe
  PID 2916 wrote to memory of 1916 | 2916 | VXM.exe | cmd.exe
  PID 2916 wrote to memory of 1916 | 2916 | VXM.exe | cmd.exe
  PID 2032 wrote to memory of 2656 | 2032 | cmd.exe | schtasks.exe
  PID 2032 wrote to memory of 2656 | 2032 | cmd.exe | schtasks.exe
  PID 2032 wrote to memory of 2656 | 2032 | cmd.exe | schtasks.exe
  PID 1916 wrote to memory of 2716 | 1916 | cmd.exe | timeout.exe
  PID 1916 wrote to memory of 2716 | 1916 | cmd.exe | timeout.exe
  PID 1916 wrote to memory of 2716 | 1916 | cmd.exe | timeout.exe
  PID 1916 wrote to memory of 2668 | 1916 | cmd.exe | Fortnite Cheats.exe
  PID 1916 wrote to memory of 2668 | 1916 | cmd.exe | Fortnite Cheats.exe
  PID 1916 wrote to memory of 2668 | 1916 | cmd.exe | Fortnite Cheats.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\VXM.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VXM.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp28C5.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
Filesize: 63KB
MD5: 829239de570b423d6cf714c6f2f9d2cd
SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d

C:\Users\Admin\AppData\Local\Temp\tmp28C5.tmp.bat
Filesize: 162B
MD5: 5f4b1a5aad51ff7882e14e2b5b48cf0c
SHA1: 7ccb5e04dc5c15888c6f765010c391e6a07dff5d
SHA256: fd814f024998977989e7494ebb7dc56186134521a14489efd92e8a5cbf994d00
SHA512: d966ca5f388dd12763ba78a06e36a10683e3e7b39d90c82079e20ef1c6790e348feb47ce2c314ce736386d4630d1e15ecaa58365cfaa443790d3fffc2a8d3b89

memory/2668-17-0x0000000001350000-0x0000000001366000-memory.dmp
Filesize: 88KB

memory/2916-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp
Filesize: 4KB

memory/2916-1-0x00000000011A0000-0x00000000011B6000-memory.dmp
Filesize: 88KB

memory/2916-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
Filesize: 9.9MB

memory/2916-3-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
Filesize: 9.9MB

memory/2916-12-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
Filesize: 9.9MB