1cc3f1cc3b268f29acadd420ca19b80491851c9c69f833960d3674b324dea122

Analysis

max time kernel
357s
max time network
358s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MCG Server Launcher/MCG Server Launcher.exe
Size

2.1MB
MD5

3584a02b77f639b7d7fabe08797bb6eb
SHA1

906e6a9044eae39ab17e60e28c4de5a9807c65b3
SHA256

1c5c9ce6f9339eb57d39c35b166b5f64e8ea7f427d988aaa3a7d95ce81225e72
SHA512

72942199d4ee6146055919de00a224ae90a08e0c5c58f9155a9beca7f986169bbcb8e09e59cae16e83e29e59521cbad77ccf958550abd92a4fbeb0db6e9a43a0
SSDEEP

49152:j8mi6FoJtr7uht5r+LXKX6wZYKWHPo6lW9ssdrdjeN:j8mi6F4RujsLXmxMvnA91xeN

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	FiveM.exe
2412	CitizenFX.exe.new

Loads dropped DLL 2 IoCs

pid	Process
1644	MCG Server Launcher.exe
2084	FiveM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	FiveM.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2032	1644	MCG Server Launcher.exe	28
PID 1644 wrote to memory of 2084	1644	MCG Server Launcher.exe	30
PID 1644 wrote to memory of 2084	1644	MCG Server Launcher.exe	30
PID 1644 wrote to memory of 2084	1644	MCG Server Launcher.exe	30
PID 1644 wrote to memory of 2084	1644	MCG Server Launcher.exe	30
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2032 wrote to memory of 2600	2032	cmd.exe	31
PID 2084 wrote to memory of 2412	2084	FiveM.exe	32
PID 2084 wrote to memory of 2412	2084	FiveM.exe	32
PID 2084 wrote to memory of 2412	2084	FiveM.exe	32

C:\Users\Admin\AppData\Local\Temp\MCG Server Launcher\MCG Server Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\MCG Server Launcher\MCG Server Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\temp.bat' -Verb RunAs -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\FiveM.exe
  "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new
    CitizenFX.exe.new -bootstrap "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
    3⤵
    - Executes dropped EXE
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main.bat

Filesize
556B

MD5
f225cc48602e5003d67679155841c917

SHA1
5f5d572f385155377f39086dcfcbc0a126dcc375

SHA256
73309641458311a723800f190f859e1a7c211b8b5d127ebcb1444f399faa1c34

SHA512
1bcfff70302146428aa0b2677c76f146d0b72404e64db4663ea203fdd68d6acac70fecfa9318cce33b1b9380fea77f18680b1435cf220ceb797b51eaa400787e

Download Submit
\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new

Filesize
5.0MB

MD5
b85b0aa54aec3edcb4ebac2c3a32bc26

SHA1
46b008cce9250dc2f96a1d1cb9b681ac4528866d

SHA256
75d805a8d5ec7281de40c9cbe31445a3ad0f0fe73852c55d06f4dcfefa4a9e4d

SHA512
f14fc451b5e954934521878e31b2231e154eccc380a68d6742531cba1edd5405ca307d29b244d8a703c87115c8393a26620f298dca1571e08e4aa11edf8744d9

Download Submit
\Users\Admin\AppData\Local\Temp\FiveM.exe

Filesize
5.0MB

MD5
e8c3fd1b35507fa301fac9367f28757f

SHA1
fd03919c9370248a62c9d540f6cd9fbeccac09f6

SHA256
05a99a0067ddde35a8b6c92721fc8ee058ffe1cee9a9dceb2bafb1a8e2d92368

SHA512
7f4f60aa0978a5f3f49cac744c11b6fe410cf32ec8dcd83fd6ad2120e9830b242b6f6a758c03ca76e8ffa800dbfec1b92f759c176f829f94492ed81e65befcdd

Download Submit