Analysis Overview
SHA256
5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e
Threat Level: Known bad
The file flemme.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 02:15
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 02:15
Reported
2024-08-03 02:18
Platform
win7-20240704-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\flemme.exe | "C:\Users\Admin\AppData\Local\Temp\flemme.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' & exit |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.bat"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\executorroblox.exe | "C:\Users\Admin\AppData\Roaming\executorroblox.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
Files
memory/2604-0-0x000000007497E000-0x000000007497F000-memory.dmp
memory/2604-1-0x0000000000320000-0x0000000000342000-memory.dmp
memory/2604-2-0x0000000074970000-0x000000007505E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.bat
| MD5 | d001c657ff868f11c827df83ef18eec6 |
| SHA1 | 6f267d7e728abcf0f0d16349254e89c2ecfb2dd1 |
| SHA256 | ab89fcf4e004ef1707a3261a8ba9582fa7cb9dc4623f6f4cc0955d0e5f10bcc9 |
| SHA512 | a73c0900a7da5df3fcce0a5bfa3779dcb564d2237f9a75291de704827ed7c45585064a2ec9d2afdac1717e5593a9f5e2de7f144d1d61d291056623d027d6347f |
memory/2604-12-0x0000000074970000-0x000000007505E000-memory.dmp
\Users\Admin\AppData\Roaming\executorroblox.exe
| MD5 | 2dd4a3e79a430fcf80e0c16c059c4c2c |
| SHA1 | b32b851bb2746acfa2035d6765f7827e5880debb |
| SHA256 | 5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e |
| SHA512 | cae7ef83d8eb0f77d018dae6327b46cbb61e68623d64551492f883b9903a00ff410a9bda7c84f4348497e55b34490b315f855b95288e71710076cb246863a6a4 |
memory/2756-16-0x0000000001020000-0x0000000001042000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 02:15
Reported
2024-08-03 02:18
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
122s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\flemme.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\executorroblox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\flemme.exe | "C:\Users\Admin\AppData\Local\Temp\flemme.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' & exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.bat"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\executorroblox.exe | "C:\Users\Admin\AppData\Roaming\executorroblox.exe" |
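The process tree in both detonations is the stock AsyncRAT install routine: the sample copies itself to %APPDATA%\executorroblox.exe, registers an onlogon scheduled task at the highest run level via cmd.exe and schtasks.exe, drops a tmpXXXX.tmp.bat launcher that waits with `timeout 3`, then starts the copy. Two details worth reading from the table: cmd.exe's image path is SysWOW64 while its command line says System32 (WoW64 file-system redirection, so the parent is a 32-bit process), and the task target sits in a user-writable directory. The following is an added example, not one of Triage's signatures, that turns those observations into detection logic over (image, command line) pairs. The pairs are copied from the behavioral2 Processes table; the tag names, the user-writable-path heuristic and the chain verdict are this editor's assumptions.

```python
"""Detection logic for the AsyncRAT-style install chain shown above.

Added example, not Triage signature code. Input rows are copied from the
report; tag names and heuristics are the editor's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# (image path, command line) pairs copied from the behavioral2 Processes table.
# cmd.exe runs from SysWOW64 although its command line names System32: WoW64
# redirection, i.e. the launching parent (flemme.exe) is a 32-bit process.
REPORT_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\flemme.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\flemme.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '''
     r'''/tn "executorroblox" /tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' & exit'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.bat""'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /f /sc onlogon /rl highest /tn "executorroblox" '''
     r'''/tr '"C:\Users\Admin\AppData\Roaming\executorroblox.exe"' '''),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    (r"C:\Users\Admin\AppData\Roaming\executorroblox.exe",
     r'"C:\Users\Admin\AppData\Roaming\executorroblox.exe"'),
]

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
SWITCH = {
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "runlevel": re.compile(r"/rl\s+(\w+)", re.I),
    "name": re.compile(r'/tn\s+"?([^"\s]+)', re.I),
    # /tr value; unwraps the '"..."' double quoting the dropper uses
    "target": re.compile(r"""/tr\s+(?:'"|["']|)([^'"]+?)(?:["']|\s+/|\s*&|$)""", re.I),
}
# Heuristic (editor's assumption): locations a standard user can write to.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|"
    r"programdata|users\\public|windows\\temp)\\", re.I)
TEMP_BAT = re.compile(r"\\temp\\tmp[0-9a-f]{4}\.tmp\.bat\b", re.I)
TIMEOUT = re.compile(r"^\s*timeout(?:\.exe)?\s+(?:/t\s+)?\d+", re.I)

# Tags that together make up the install chain seen in the report.
CHAIN = {"logon_persistence", "runlevel_highest", "task_target_in_user_writable_path",
         "temp_batch_launcher", "timeout_delay"}


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the /sc, /rl, /tn and /tr values of a 'schtasks /create', else None."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    task: Dict[str, str] = {}
    for key, rx in SWITCH.items():
        m = rx.search(cmdline)
        task[key] = m.group(1).strip() if m else ""
    return task


def classify(image: str, cmdline: str) -> List[str]:
    """Tag one process-creation event."""
    tags: List[str] = []
    if USER_WRITABLE.match(image):
        tags.append("image_in_user_writable_path")
    if image.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in cmdline.lower():
        tags.append("wow64_redirected_parent_is_32bit")
    task = parse_schtasks(cmdline)
    if task is not None:
        tags.append("schtasks_create")
        if task["schedule"].lower() == "onlogon":
            tags.append("logon_persistence")
        if task["runlevel"].lower() == "highest":
            tags.append("runlevel_highest")
        if USER_WRITABLE.match(task["target"]):
            tags.append("task_target_in_user_writable_path")
    if TEMP_BAT.search(cmdline):
        tags.append("temp_batch_launcher")
    if TIMEOUT.match(cmdline):
        tags.append("timeout_delay")
    return tags


def triage(processes: List[Tuple[str, str]]) -> Dict[str, object]:
    """Tag every process and decide whether the tree forms the whole chain."""
    per_process = [(image, classify(image, cmdline)) for image, cmdline in processes]
    seen = {t for _, tags in per_process for t in tags}
    tasks = [t for t in (parse_schtasks(c) for _, c in processes) if t]
    return {
        "per_process": per_process,
        "tasks": tasks,
        "verdict": "asyncrat_style_install_chain" if CHAIN <= seen else "no_known_chain",
    }


if __name__ == "__main__":
    result = triage(REPORT_PROCESSES)
    for image, tags in result["per_process"]:
        print(f"{image}\n    {', '.join(tags) or '-'}")
    print("verdict:", result["verdict"])
    for task in result["tasks"]:
        print("hunt: schtasks /query /tn", task["name"], "->", task["target"])
```

The `tasks` list gives the hunting pivot: the task name and the target path are exactly what `schtasks /query /tn executorroblox /v` on a suspect host, or a search over Sysmon event ID 1 command lines, would be keyed on. Matching only on `schtasks /create` would fire on routine administration; requiring the onlogon schedule, highest run level and a user-writable target together is what separates this chain from noise.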
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
Files
memory/988-0-0x000000007486E000-0x000000007486F000-memory.dmp
memory/988-1-0x0000000000A60000-0x0000000000A82000-memory.dmp
memory/988-2-0x0000000074860000-0x0000000075010000-memory.dmp
memory/988-3-0x0000000005430000-0x00000000054CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.bat
| MD5 | b625d5df6fd74d495433d7ca93364ddb |
| SHA1 | c909de770b3494ad027c7bd766a296bc060fb4b7 |
| SHA256 | b64c76e182e1c41ca5d9a43b5498344cfe283d3b98694999e75476c5384011c4 |
| SHA512 | 22d78cbaf5300393c86e6f112f98bcdf95b29e755f13b31faa10fcdc568a362af0e1442a228cc4a9002141474dacfb945918ea353eaf17e62c39f808a2cc3375 |
memory/988-9-0x0000000074860000-0x0000000075010000-memory.dmp
C:\Users\Admin\AppData\Roaming\executorroblox.exe
| MD5 | 2dd4a3e79a430fcf80e0c16c059c4c2c |
| SHA1 | b32b851bb2746acfa2035d6765f7827e5880debb |
| SHA256 | 5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e |
| SHA512 | cae7ef83d8eb0f77d018dae6327b46cbb61e68623d64551492f883b9903a00ff410a9bda7c84f4348497e55b34490b315f855b95288e71710076cb246863a6a4 |
memory/5000-13-0x00000000747E0000-0x0000000074F90000-memory.dmp
memory/5000-14-0x00000000747E0000-0x0000000074F90000-memory.dmp
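Two facts in the Network and Files tables decide how useful this report is for hunting. Every connection the payload makes goes to 127.0.0.1 on ports 6606 and 7707; those, together with 8808, are the default ports and 127.0.0.1 is the default host in the open-source AsyncRAT builder (that is this editor's knowledge, not something the report states), so the sample was built without changing the C2 settings and no reachable C2 was observed. The remaining rows (a bing.net lookup and PTR queries through 8.8.8.8) are Windows 10 sandbox background traffic. In Files, the dropped executorroblox.exe carries the same SHA256 as the submitted sample, so it is a byte-identical self-copy and adds no new file hash to block. The following added example, not Triage output, parses the two tables into that conclusion. Rows are copied from the behavioral2 tables (a subset of the loopback rows); the parser also tolerates the column shift such exports often show, where a domainless row puts the protocol in the Domain cell and leaves Proto empty. The background-domain list and the class names are assumptions.

```python
"""Reduce the report's Network and Files tables to hunt-relevant facts.

Added example, not Triage output. Table rows are copied from the report;
the AsyncRAT default ports/host are the editor's knowledge, and the
background-domain heuristic is an assumption.
"""
from collections import Counter
from typing import Dict, List

# Copied from the behavioral2 Network table (loopback rows abbreviated).
# The last row deliberately uses the shifted layout seen in such exports.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | tcp |
"""

# Hashes copied from the report: the submitted sample and the dropped files.
SUBMITTED_SHA256 = "5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e"
DROPPED_FILES: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Roaming\executorroblox.exe":
        "5969e616a32e7cb09dd32ddca0c37e989a6131edb5c4a7b4367400c3f0e8527e",
    r"C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.bat":
        "b64c76e182e1c41ca5d9a43b5498344cfe283d3b98694999e75476c5384011c4",
}

ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}          # builder defaults (editor's knowledge)
BACKGROUND_DOMAINS = (".bing.net", ".in-addr.arpa")  # heuristic, assumption


def parse_network(table: str) -> List[Dict[str, object]]:
    """Parse '| Country | Destination | Domain | Proto |' rows, fixing shifted columns."""
    rows: List[Dict[str, object]] = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells or cells[0].lower() == "country":
            continue
        while len(cells) < 4:
            cells.append("")
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:  # protocol sat in Domain
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: Dict[str, object]) -> str:
    """Loopback on a builder-default port means the C2 config was never changed."""
    if row["ip"] == "127.0.0.1":
        return "loopback_default_c2" if row["port"] in ASYNCRAT_DEFAULT_PORTS else "loopback_other"
    if str(row["domain"]).endswith(BACKGROUND_DOMAINS):
        return "sandbox_background"
    return "candidate_c2"


def summarize(table: str) -> Dict[str, object]:
    rows = parse_network(table)
    classes = Counter(classify(r) for r in rows)
    loopback_ports = sorted({r["port"] for r in rows if r["ip"] == "127.0.0.1"})
    c2 = sorted({f'{r["ip"]}:{r["port"]}' for r in rows if classify(r) == "candidate_c2"})
    verdict = "default_config_no_reachable_c2" if loopback_ports and not c2 else "review_c2"
    return {"classes": dict(classes), "loopback_ports": loopback_ports,
            "candidate_c2": c2, "verdict": verdict}


def self_copies(submitted_sha256: str, dropped: Dict[str, str]) -> List[str]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [p for p, h in dropped.items() if h.lower() == submitted_sha256.lower()]


if __name__ == "__main__":
    summary = summarize(NETWORK_TABLE)
    print("connection classes:", summary["classes"])
    print("loopback ports:", summary["loopback_ports"], "->", summary["verdict"])
    print("dropped self-copies:", self_copies(SUBMITTED_SHA256, DROPPED_FILES))
```

In practice the verdict drives what to extract: with no reachable C2, the network indicators from this detonation are not worth feeding to a blocklist, and the file-level pivots (the SHA256 above, the executorroblox.exe path and the task name from the Processes table) are what remain for hunting.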