Analysis

  • max time kernel
    136s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2023, 14:22

General

  • Target

    FiveM.exe

  • Size

    4.9MB

  • MD5

    4a036dffd4eba55a9a5bdebd5cfa01b5

  • SHA1

    f3e232cd319f2dc310fd2816f388a87db354ae04

  • SHA256

    223789990716c446bd1175f4bc74ad01393d90014b1581b23c8b73bb265df78f

  • SHA512

    eab762da142332f0ac7bf75793ceb839c2607e8689090f44d832f7583502cb9964024b70a64d56cf8cddb2a0c7079aaf5dc903ab33657c6dfa2dc731a123879a

  • SSDEEP

    49152:pOjPWgEPD9u3+aM9toyPnDe8VjoitsVyNKUVOjhxwkhHC0u0iVJtfSJQiUzvgaQp:1Dlri8loPVlMRFSn/5rFXjPSm+m

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (4 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (36 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\FiveM.exe
    "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
    1⤵
    • Modifies Control Panel
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new
      CitizenFX.exe.new -bootstrap "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Users\Admin\AppData\Local\Temp\FiveM.exe
        "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
          "C:\Users\Admin\AppData\Local\FiveM\FiveM.exe"
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer
            "C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:2080 -parentpid:2012
            5⤵
            • Executes dropped EXE
            PID:1244
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
    PID:4740
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class
    PID:1396
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
    PID:4636
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2808
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    PID:4644
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1836
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4212
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    PID:4316

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-2372\data\control\settings.meta.tmp

        Filesize

        37KB

        MD5

        3656c6636cd9dbceaf83230c3c9a2be9

        SHA1

        989f27c6736a943fd4690091fed26f7c17e3c17f

        SHA256

        f9ae094812ce9fbd56b58dab7739451792aba8f56c5f21eee15ef96682b413a6

        SHA512

        52bbb8f2b2d6183f30b908d9171a2ec8c2128bbce145b7af0095d4c199b1ec431d650ec4ed0b1b6cbc7bcc8d29da3285cdcc61368faa8c4e57b45315ced4e4ad

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\release.txt

        Filesize

        6B

        MD5

        10b02a6b5bc2d1de6ac109733336731c

        SHA1

        a92822e2e1b6179d2cb8f7be467d86688896acb9

        SHA256

        3aeb0ef47e06dd3c13cede7682fa22b018fc16ad4daed573cf6855b31fdf7103

        SHA512

        33a3aecfb505abbe1d0b8fac9757445e36c1dd7632373db55538d49312d5598122fc6cd0bdb1c00bde197174087b485f5e6032b8657a78053bc0adf864f75549

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\lua\natives_universal.lua.tmp

        Filesize

        1.7MB

        MD5

        ddd04cbd5c98ce7e8e14f9d3ccf9f8d8

        SHA1

        21aff52505176aa7b5d95bd926f285ce97c9fa0c

        SHA256

        8bf2a402b6c88fc78f9272ce7cf3f3ffee959884222c37c350decf35acc596dd

        SHA512

        f27d7999459b55a337f38c4340c962bfcd6399c88db4d973d20d55e7940916a2916a131e9f838689bedad6a836074f6b7737c731e1c57320bc0e309c69b4e2ad

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.d.ts.tmp

        Filesize

        1.9MB

        MD5

        02624d948e2734c4c225d5283a7cec38

        SHA1

        ff60f59a98449ed344e97d3f403a095cb79f4fc7

        SHA256

        ae669fd35b5394820ff987685cf01b2aee554ae4a7aa35290d78e2b97390bfce

        SHA512

        8e40b9a8ca0ff13e42cef6c56b54338e893c6bc9c61efddb6dd0fead80d15d9b3bd204a9fddd63e4b11006e810bcb00db264b9e1ce77be22374665503bec72bb

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.js.tmp

        Filesize

        1.8MB

        MD5

        2a22ca628d424eb11ea19b127cd86d92

        SHA1

        5159f67b3517d6e735d118482f024355d449dfab

        SHA256

        4d6ca19d6b3ef12f4c5800c5f233c7995b7c201e467e15963141e127b84053cf

        SHA512

        eabadf805c546c3d0bc53d6c13c8cf6ea1388b73db8b9a6457cb96c92cd13f8ca948c83cae72d7dbe57f62fb801247ecac1d6bd2f23814dd76cab509a6fef103

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer

        Filesize

        5.0MB

        MD5

        0375f7f677f5f2526104e8e4a3d7b15a

        SHA1

        6b0c063fd798beb2e5da771215fa8b5be824641a

        SHA256

        b37cac5df3d4265cfbb3344d4c71de6db15089586ab16e203eb0adb96ac47b81

        SHA512

        03e2e915c0d983940f123ff05290d8f3e11fa884eed6cba224db88e77ba469b3e0e5e681d65ae1bc386ada79d2768a948c07c614cd518a0e41de81c228c1b5de

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini

        Filesize

        157B

        MD5

        f9d948aa9426cb1a2a82e651b81a1912

        SHA1

        2d496caeef3b0bff6b91b99e58736cea51366348

        SHA256

        b1fe21f251cf7875783ea162ef86c2a5b5022a1c5157bbb7972b6b34e14ec08a

        SHA512

        a962fae3853f43e4a8e2b33aa5f51a917673d76648845dffcc32037c25cb3f300e4c4fc3ea633bf78b714449dbda84416e41cc16256373c170fb82d8485e3369

      • C:\Users\Admin\AppData\Local\FiveM\FiveM.exe

        Filesize

        5.0MB

        MD5

        0375f7f677f5f2526104e8e4a3d7b15a

        SHA1

        6b0c063fd798beb2e5da771215fa8b5be824641a

        SHA256

        b37cac5df3d4265cfbb3344d4c71de6db15089586ab16e203eb0adb96ac47b81

        SHA512

        03e2e915c0d983940f123ff05290d8f3e11fa884eed6cba224db88e77ba469b3e0e5e681d65ae1bc386ada79d2768a948c07c614cd518a0e41de81c228c1b5de

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        28KB

        MD5

        e24e981beffca33b218cdb886226ee17

        SHA1

        5a38222e1f5c7144c5bc7a944b7b9848baa85488

        SHA256

        9f55911f86f70621726149d61c9bc2cecdd6e250ea5b15ee122f9e7c1ae1586a

        SHA512

        2dec87fe795ce6115f5dc82c79bef7323b84f57d32170bef59acc4f1bc5bf2e9c6da1b7e9609ebe4ecec71847372727139a874179cbfbaaafe9b45f417232243

      • C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new

        Filesize

        5.0MB

        MD5

        0375f7f677f5f2526104e8e4a3d7b15a

        SHA1

        6b0c063fd798beb2e5da771215fa8b5be824641a

        SHA256

        b37cac5df3d4265cfbb3344d4c71de6db15089586ab16e203eb0adb96ac47b81

        SHA512

        03e2e915c0d983940f123ff05290d8f3e11fa884eed6cba224db88e77ba469b3e0e5e681d65ae1bc386ada79d2768a948c07c614cd518a0e41de81c228c1b5de

      • C:\Users\Admin\AppData\Local\Temp\FiveM.exe

        Filesize

        5.0MB

        MD5

        0375f7f677f5f2526104e8e4a3d7b15a

        SHA1

        6b0c063fd798beb2e5da771215fa8b5be824641a

        SHA256

        b37cac5df3d4265cfbb3344d4c71de6db15089586ab16e203eb0adb96ac47b81

        SHA512

        03e2e915c0d983940f123ff05290d8f3e11fa884eed6cba224db88e77ba469b3e0e5e681d65ae1bc386ada79d2768a948c07c614cd518a0e41de81c228c1b5de

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM.lnk

        Filesize

        2KB

        MD5

        3e73a9a5e272b30b86f32b6e6ae7dacc

        SHA1

        12f8ff8c0edc80e3505cb1f40b5dffb67b922a10

        SHA256

        95ce79a9d98371549fb75bb24f627b77c0eacd6573697413ef95f7c9b9e0ef3e

        SHA512

        a516a431f0695b444202e2759d86a2101785e2b01eb6718cdab07cf658bef7314fc7234b28c9110e205342cf7973d2f8b7e536ea98807cab949d4a228eefd48d

      • C:\Users\Admin\Videos\Captures\desktop.ini

        Filesize

        190B

        MD5

        b0d27eaec71f1cd73b015f5ceeb15f9d

        SHA1

        62264f8b5c2f5034a1e4143df6e8c787165fbc2f

        SHA256

        86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

        SHA512

        7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
