Analysis Overview
SHA256
1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb
Threat Level: Known bad
The file VXM.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
AsyncRat
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-21 00:15
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 00:15
Reported
2024-06-21 00:18
Platform
win7-20240508-en
Max time kernel
145s
Max time network
118s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VXM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VXM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VXM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VXM.exe
"C:\Users\Admin\AppData\Local\Temp\VXM.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp28C5.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
Files
memory/2916-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp
memory/2916-1-0x00000000011A0000-0x00000000011B6000-memory.dmp
memory/2916-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
memory/2916-3-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp28C5.tmp.bat
| MD5 | 5f4b1a5aad51ff7882e14e2b5b48cf0c |
| SHA1 | 7ccb5e04dc5c15888c6f765010c391e6a07dff5d |
| SHA256 | fd814f024998977989e7494ebb7dc56186134521a14489efd92e8a5cbf994d00 |
| SHA512 | d966ca5f388dd12763ba78a06e36a10683e3e7b39d90c82079e20ef1c6790e348feb47ce2c314ce736386d4630d1e15ecaa58365cfaa443790d3fffc2a8d3b89 |
memory/2916-12-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
| MD5 | 829239de570b423d6cf714c6f2f9d2cd |
| SHA1 | 1dce551d2edf5e5f8d992a9073ed5d7f3868995e |
| SHA256 | 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb |
| SHA512 | a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d |
memory/2668-17-0x0000000001350000-0x0000000001366000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 00:15
Reported
2024-06-21 00:18
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VXM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VXM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VXM.exe
"C:\Users\Admin\AppData\Local\Temp\VXM.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD83F.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Fortnite Cheats" /tr '"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:3232 | N/A | tcp |
Files
memory/4888-0-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/4888-1-0x0000000000380000-0x0000000000396000-memory.dmp
memory/4888-2-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/4888-7-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/4888-8-0x00007FF984460000-0x00007FF984F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD83F.tmp.bat
| MD5 | 3963a4748b30d91d9c6038c53714ee0f |
| SHA1 | 4454387ab82e60c5230ebc0a8b2533451bd7da73 |
| SHA256 | 5893aa9457ef7fa2c9767a837e2f95a4b540e8ea55bc7b9b9bf60028ffd2b447 |
| SHA512 | cb8301a963a1abaae9c7b74eeb35f6494e4e016a2547d16d384537f25f86baf7cd783c48472ae76f9e1288212152ea787b3677ae73262f1496322215ad07b5c2 |
C:\Users\Admin\AppData\Local\Temp\Fortnite Cheats.exe
| MD5 | 829239de570b423d6cf714c6f2f9d2cd |
| SHA1 | 1dce551d2edf5e5f8d992a9073ed5d7f3868995e |
| SHA256 | 1f10695674a259c0898cbfe22804af23807aebcc604f63a117afaf142c6ddbcb |
| SHA512 | a4fcfeeb61e1aaabd3f299f944c4de6190bc1c933b298c97a1e606824514549030370acb6c90120f9d195130afe1b2ce8138c5c18ad6d055113d0cb219986d2d |