Analysis
- max time kernel: 133s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 14:56

Static task: static1
Behavioral task: behavioral1
Sample: FiveM Bypass.exe
Resource: win7-20240215-en
General
- Target: FiveM Bypass.exe
- Size: 241KB
- MD5: a0d36bbd0bdab7b2ea4521203aed3c33
- SHA1: 5d04bc0d4ba783fa29a382fd243435dff8f0a260
- SHA256: f88a226250d6a6179189d9639a45af0ef770ad895e1f6587ce92306b4b3bacbd
- SHA512: 5d105ab0e61b1d2ed2a3891fd5303e3d50ccb7e0915f2d22d67ef12558833a780871865ddfcf7c57a084b7b29a7ddc1264ca5a362bda70b409ff9add7dbb3a09
- SSDEEP: 6144:jc+hPtX8JNetxjNgE59powhV4V4+AykkkQQT3+F:Xhu4tME592whV4V4+zxBF
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: crsiedem7.ddns.net:3344
- Mutex: 41708a94-2adc-42c6-924a-7a0c689adc8e

Configuration keys:
- activate_away_mode: true
- backup_connection_host: crsiedem7.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-02-12T22:12:55.821021136Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3344
- default_group: Rated
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 41708a94-2adc-42c6-924a-7a0c689adc8e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: crsiedem7.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3400  setup..exe
    pid 2240  setup_.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe"  (setup..exe)
- Checks whether UAC is enabled
  Processes:
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (setup..exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    File created  C:\Program Files (x86)\LAN Monitor\lanmon.exe  (setup..exe)
    File opened for modification  C:\Program Files (x86)\LAN Monitor\lanmon.exe  (setup..exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid 2240  setup_.exe  (2 events)
    pid 3400  setup..exe  (6 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 3400  setup..exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 3400  setup..exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    PID 3068 (FiveM Bypass.exe) wrote to memory of 3400 (setup..exe)  (3 events)
    PID 3068 (FiveM Bypass.exe) wrote to memory of 2240 (setup_.exe)  (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\FiveM Bypass.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FiveM Bypass.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\setup..exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup..exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\setup_.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\setup..exe
  Filesize: 202KB
  MD5: d48c8fb24cc3e567feb6a63b05aa24fd
  SHA1: d2ebc64dddb19d0dee0ed03fa10f9d7168da322e
  SHA256: f3fd4b098d5f7a89055e6c21dc27515ef511ebfb8371d7d09558403b22698107
  SHA512: f048679c7733a05987a9b6834c8616f79c9a284c44e263e6a1d508b34afb3b9ed4a80beae4a9bc0c1707ed605787749ffa45d972e87044f9a7dc2e5409658424
- C:\Users\Admin\AppData\Local\Temp\setup_.exe
  Filesize: 17KB
  MD5: 471328f6bb7f8e4196c2714d80c403a5
  SHA1: 82036886792cc9904b9b093e70b110ef35bfaeb1
  SHA256: 60aa0df8bbac2239079ce74605ddda43f8308881ab7000d67aafcdb07c99b31e
  SHA512: cfdb152843c00db02fe66f208fc0d7b7c31c5454b353c47ec8270636e301853775935c07e4b30d56f097376f062517d1078ed3c1e12277b346bd22e695e15049
- memory/3400-7-0x0000000074DF2000-0x0000000074DF3000-memory.dmp  Filesize: 4KB
- memory/3400-9-0x0000000074DF0000-0x00000000753A1000-memory.dmp  Filesize: 5.7MB
- memory/3400-10-0x0000000074DF0000-0x00000000753A1000-memory.dmp  Filesize: 5.7MB
- memory/3400-13-0x0000000074DF0000-0x00000000753A1000-memory.dmp  Filesize: 5.7MB
- memory/3400-14-0x0000000074DF2000-0x0000000074DF3000-memory.dmp  Filesize: 4KB
- memory/3400-15-0x0000000074DF0000-0x00000000753A1000-memory.dmp  Filesize: 5.7MB
- memory/3400-16-0x0000000074DF0000-0x00000000753A1000-memory.dmp  Filesize: 5.7MB