Analysis

  • max time kernel: 80s
  • max time network: 135s
  • platform: windows7_x64
  • resource: win7-20220901-en
  • resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted: 28-09-2022 12:25

General

  • Target

    https://github.com/cjmonty152/fivem-mod-menu/raw/main/FIVEM_MOD.exe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Detects Pyinstaller 6 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe (PID 2032)
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/cjmonty152/fivem-mod-menu/raw/main/FIVEM_MOD.exe
    • Loads dropped DLL
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1700)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe (PID 1268)
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe"
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe (PID 1812)
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe"
        • Executes dropped EXE
        • Loads dropped DLL

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 2 signatures
  • Command and Control: Web Service (T1102), 1 signature

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe
    Filesize 11.1MB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe.gkycd19.partial
    Filesize 11.1MB

  • C:\Users\Admin\AppData\Local\Temp\_MEI12682\python310.dll
    Filesize 4.2MB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\URLX78W3.txt
    Filesize 603B

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe
    Filesize 11.1MB

  • \Users\Admin\AppData\Local\Temp\_MEI12682\python310.dll
    Filesize 4.2MB

  • memory/1268-58-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
    Filesize 8KB
  • memory/1268-56-0x0000000000000000-mapping.dmp
  • memory/1812-59-0x0000000000000000-mapping.dmp