Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 00:15
Behavioral task: behavioral1
- Sample: VXM.exe
- Resource: win7-20240508-en
General
- Target: VXM.exe
- Size: 63KB
- MD5: 829239de570b423d6cf714c6f2f9d2cd
- SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
- SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
- SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
- SSDEEP: 768:MwmjppBf5978fEC8A+XYcliE4oWudjzJoB1+T4gSEGHmDbDuph0oX3YBXlSuclph:oF533R3NzJqbzUbYh93luclpqKmY7
Malware Config
Extracted family: asyncrat
Config: Default
- 127.0.0.1:3232
- delay: 1
- install: true
- install_file: Fortnite Cheats.exe
- install_folder: %Temp%
Signatures
- Async RAT payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe; yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (VXM.exe):
    description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation; process: VXM.exe
- Executes dropped EXE (1 IoC)
  Processes (Fortnite Cheats.exe):
    pid: 4928; process: Fortnite Cheats.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes (timeout.exe):
    pid: 4768; process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes (VXM.exe):
    pid: 4888; process: VXM.exe (23 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (VXM.exe, Fortnite Cheats.exe):
    description: Token: SeDebugPrivilege; pid: 4888; process: VXM.exe
    description: Token: SeDebugPrivilege; pid: 4928; process: Fortnite Cheats.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (VXM.exe, cmd.exe, cmd.exe):
    PID 4888 wrote to memory of 2820: VXM.exe -> cmd.exe
    PID 4888 wrote to memory of 2820: VXM.exe -> cmd.exe
    PID 4888 wrote to memory of 1420: VXM.exe -> cmd.exe
    PID 4888 wrote to memory of 1420: VXM.exe -> cmd.exe
    PID 2820 wrote to memory of 1780: cmd.exe -> schtasks.exe
    PID 2820 wrote to memory of 1780: cmd.exe -> schtasks.exe
    PID 1420 wrote to memory of 4768: cmd.exe -> timeout.exe
    PID 1420 wrote to memory of 4768: cmd.exe -> timeout.exe
    PID 1420 wrote to memory of 4928: cmd.exe -> Fortnite Cheats.exe
    PID 1420 wrote to memory of 4928: cmd.exe -> Fortnite Cheats.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\VXM.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\VXM.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (depth 3)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD83F.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (depth 3)
      command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
  Filesize: 63KB
  MD5: 829239de570b423d6cf714c6f2f9d2cd
  SHA1: 1dce551d2edf5e5f8d992a9073ed5d7f3868995e
  SHA256: 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
  SHA512: a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d
- C:\Users\Admin\AppData\Local\Temp\tmpD83F.tmp.bat
  Filesize: 162B
  MD5: 3963a4748b30d91d9c6038c53714ee0f
  SHA1: 4454387ab82e60c5230ebc0a8b2533451bd7da73
  SHA256: 5893aa9457ef7fa2c9767a837e2f95a4b540e8ea55bc7b9b9bf60028ffd2b447
  SHA512: cb8301a963a1abaae9c7b74eeb35f6494e4e016a2547d16d384537f25f86baf7cd783c48472ae76f9e1288212152ea787b3677ae73262f1496322215ad07b5c2
- memory/4888-0-0x00007FF984463000-0x00007FF984465000-memory.dmp
  Filesize: 8KB
- memory/4888-1-0x0000000000380000-0x0000000000396000-memory.dmp
  Filesize: 88KB
- memory/4888-2-0x00007FF984460000-0x00007FF984F21000-memory.dmp
  Filesize: 10.8MB
- memory/4888-7-0x00007FF984460000-0x00007FF984F21000-memory.dmp
  Filesize: 10.8MB
- memory/4888-8-0x00007FF984460000-0x00007FF984F21000-memory.dmp
  Filesize: 10.8MB