Analysis
- max time kernel: 80s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-09-2022 12:25
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample: https://github.com/cjmonty152/fivem-mod-menu/raw/main/FIVEM_MOD.exe
  Resource: win7-20220901-en
- Behavioral task: behavioral2
  Sample: https://github.com/cjmonty152/fivem-mod-menu/raw/main/FIVEM_MOD.exe
  Resource: win10v2004-20220812-en
General
- Target: https://github.com/cjmonty152/fivem-mod-menu/raw/main/FIVEM_MOD.exe
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1268  FIVEM_MOD.exe
- 1812  FIVEM_MOD.exe
Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 2032  iexplore.exe
- 1812  FIVEM_MOD.exe
- 1368
- 1368
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Detects Pyinstaller (6 IoCs)
Resources matched (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe.gkycd19.partial  pyinstaller
- \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe  pyinstaller
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe  pyinstaller
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe  pyinstaller
- \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe  pyinstaller
- \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe  pyinstaller
Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter  iexplore.exe
- Set value (data)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2085136935d3d801  iexplore.exe
Modifies Internet Explorer settings
Processes (description, ioc, process). All keys below are under \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer; the process is iexplore.exe unless noted otherwise:
- Set value (int)  Recovery\AdminActive\{A13F37F1-3F28-11ED-AD72-5E7A81A7298C} = "0"
- Set value (str)  Main\WindowsSearch\Version = "WS not running"
- Set value (str)  Main\FullScreen = "no"
- Set value (int)  Recovery\PendingRecovery\AdminActive = "0"
- Set value (str)  DomainSuggestion\FileNames\en-US = "en-US.1"
- Key created  BrowserEmulation\LowMic
- Key created  PageSetup
- Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- Key created  DomainSuggestion
- Set value (int)  DomainSuggestion\NextUpdateDate = "371132901"
- Key created  LowRegistry\DOMStorage
- Set value (int)  Main\CompatibilityFlags = "0"
- Key created  Main\WindowsSearch
- Set value (int)  MINIE\TabBandWidth = "500"
- Key created  Main
- Key created  GPU
- Key created  MINIE
- Key created  LowRegistry\DontShowMeThisDialogAgain
- Key created  Toolbar\WebBrowser
- Key created  Recovery\AdminActive
- Key created  IETld\LowMic
- Key created  IntelliForms
- Key created  Toolbar
- Key created  Recovery\PendingRecovery
- Key created  DomainSuggestion\FileNames\
- Key created  DomainSuggestion\FileNames
- Key created  InternetRegistry
- Key created  LowRegistry
- Key created  Zoom
- Key created  Main  (process: IEXPLORE.EXE)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 2032  iexplore.exe
- 2032  iexplore.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
- 2032  iexplore.exe
- 2032  iexplore.exe
- 1700  IEXPLORE.EXE
- 1700  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description, pid, process, target process):
- PID 2032 wrote to memory of 1700  2032  iexplore.exe  IEXPLORE.EXE
- PID 2032 wrote to memory of 1700  2032  iexplore.exe  IEXPLORE.EXE
- PID 2032 wrote to memory of 1700  2032  iexplore.exe  IEXPLORE.EXE
- PID 2032 wrote to memory of 1700  2032  iexplore.exe  IEXPLORE.EXE
- PID 2032 wrote to memory of 1268  2032  iexplore.exe  FIVEM_MOD.exe
- PID 2032 wrote to memory of 1268  2032  iexplore.exe  FIVEM_MOD.exe
- PID 2032 wrote to memory of 1268  2032  iexplore.exe  FIVEM_MOD.exe
- PID 1268 wrote to memory of 1812  1268  FIVEM_MOD.exe  FIVEM_MOD.exe
- PID 1268 wrote to memory of 1812  1268  FIVEM_MOD.exe  FIVEM_MOD.exe
- PID 1268 wrote to memory of 1812  1268  FIVEM_MOD.exe  FIVEM_MOD.exe
Processes (tree; depth shown by indentation, PIDs taken from the signature tables above)
- C:\Program Files\Internet Explorer\iexplore.exe (pid 2032)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/cjmonty152/fivem-mod-menu/raw/main/FIVEM_MOD.exe
  Signatures:
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (pid 1700)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  Child process:
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe (pid 1268)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe (pid 1812)
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\FIVEM_MOD.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads