24f4b10f40eb128bab7c7692f3dee8892c91bdb5d8d40e5231543726dda521e4

General

Target

FiveM File + Error Fixer.exe
Size

93KB
MD5

45c9b9fa6b615cd1f013e13d8b3054bb
SHA1

fc0c3e255a13aa5ae27f6c290ce329bed5265453
SHA256

24f4b10f40eb128bab7c7692f3dee8892c91bdb5d8d40e5231543726dda521e4
SHA512

743ec0a866258b81a65f432d9179a151f770e141a933ba43d640ce4479533207b5c105fd6a2fc15b6818bd4324a652209c3a3a64de81da372cd5e268d6a0d3d3
SSDEEP

1536:MPPmqVulfoEGUeFXAOPc+jEwzGi1dDjDmgS:MP8lfodUeBAOPcHi1dDL

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

4428 netsh.exe
2808 netsh.exe
4480 netsh.exe

pid	process
4428	netsh.exe
2808	netsh.exe
4480	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FiveM File + Error Fixer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	FiveM File + Error Fixer.exe

Drops startup file 6 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\660d96b74fc3ffcb1da26329a0336912Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\660d96b74fc3ffcb1da26329a0336912Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

5004 server.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Explower.exe server.exe
File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe
5004	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

5004 server.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe
Token: 33	5004	server.exe
Token: SeIncBasePriorityPrivilege	5004	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

server.exe

pid process

5004 server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FiveM File + Error Fixer.exeserver.exe

description	pid	process	target process
PID 4940 wrote to memory of 5004	4940	FiveM File + Error Fixer.exe	server.exe
PID 4940 wrote to memory of 5004	4940	FiveM File + Error Fixer.exe	server.exe
PID 4940 wrote to memory of 5004	4940	FiveM File + Error Fixer.exe	server.exe
PID 5004 wrote to memory of 4480	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 4480	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 4480	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 4428	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 4428	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 4428	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 2808	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 2808	5004	server.exe	netsh.exe
PID 5004 wrote to memory of 2808	5004	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\FiveM File + Error Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\FiveM File + Error Fixer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4480
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:4428
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
45c9b9fa6b615cd1f013e13d8b3054bb

SHA1
fc0c3e255a13aa5ae27f6c290ce329bed5265453

SHA256
24f4b10f40eb128bab7c7692f3dee8892c91bdb5d8d40e5231543726dda521e4

SHA512
743ec0a866258b81a65f432d9179a151f770e141a933ba43d640ce4479533207b5c105fd6a2fc15b6818bd4324a652209c3a3a64de81da372cd5e268d6a0d3d3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
5014379cf5fa31db8a73d68d6353a145

SHA1
2a1a5138e8c9e7547caae1c9fb223afbf714ed00

SHA256
538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8

SHA512
5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

Download Submit
memory/4940-0-0x0000000074642000-0x0000000074643000-memory.dmp

Filesize
4KB

Download
memory/4940-1-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/4940-2-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/4940-13-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5004-14-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5004-54-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/5004-53-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads