Analysis Overview
SHA256
5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e
Threat Level: Known bad
The file flemme.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
AsyncRat
Asyncrat family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 20:52
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 20:52
Reported
2024-08-02 20:53
Platform
win10v2004-20240802-en
Max time kernel
49s
Max time network
3s
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\flemme.exe
"C:\Users\Admin\AppData\Local\Temp\flemme.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60C8.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
C:\Users\Admin\AppData\Roaming\executorroblox.exe
"C:\Users\Admin\AppData\Roaming\executorroblox.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp60C8.tmp.bat
| MD5 | ad4487171a46a8c713b07815b8a8b2c6 |
| SHA1 | c091b8f35e77717e506226991251bec0776f09e9 |
| SHA256 | c2ddf405b9cb36576951f245d32e88e34e526e8345489e5b1c520b4392078e6d |
| SHA512 | 81dfe8b7bc5a7a921c1ba23d0fa3b03111c8e7b0556585606681e66bfce5eea844d3034cba138a5e613b5c2d8b83ab558ba67b0882371758e52103475bbfe835 |
C:\Users\Admin\AppData\Roaming\executorroblox.exe
| MD5 | 2dd4a3e79a430fcf80e0c16c059c4c2c |
| SHA1 | b32b851bb2746acfa2035d6765f7827e5880debb |
| SHA256 | 5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e |
| SHA512 | cae7ef83d8eb0f77d018dae6327b46cbb61e68623d64551492f883b9903a00ff410a9bda7c84f4348497e55b34490b315f855b95288e71710076cb246863a6a4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 20:52
Reported
2024-08-02 20:53
Platform
win7-20240729-en
Max time kernel
53s
Max time network
16s
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\flemme.exe
"C:\Users\Admin\AppData\Local\Temp\flemme.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\executorroblox.exe
"C:\Users\Admin\AppData\Roaming\executorroblox.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
Files
memory/2888-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp
memory/2888-1-0x0000000000AD0000-0x0000000000AF2000-memory.dmp
memory/2888-2-0x0000000074E80000-0x000000007556E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC330.tmp.bat
| MD5 | 551ad3a685dfcb9dc733adb098f3f9cf |
| SHA1 | 4e158979bdae6a4946e21abb20bece23aee0a811 |
| SHA256 | b3823658234d99c6af1220ac554533c6f2075b79c91996e5459e90941f53b19b |
| SHA512 | 6b973cbf3b5cbe8767e3244ae1c48012803e526681c5063fb9b5be60b43d0202b6d1a21bdf39b8dae62aa0e397b3cd941bdbb4b0afa4abbd7aa01b9e0661f666 |
memory/2888-12-0x0000000074E80000-0x000000007556E000-memory.dmp
\Users\Admin\AppData\Roaming\executorroblox.exe
| MD5 | 2dd4a3e79a430fcf80e0c16c059c4c2c |
| SHA1 | b32b851bb2746acfa2035d6765f7827e5880debb |
| SHA256 | 5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e |
| SHA512 | cae7ef83d8eb0f77d018dae6327b46cbb61e68623d64551492f883b9903a00ff410a9bda7c84f4348497e55b34490b315f855b95288e71710076cb246863a6a4 |
memory/2880-16-0x0000000001090000-0x00000000010B2000-memory.dmp