Overview

overview

10

Static

static

3

MCG Server...er.exe

windows10-1703-x64

8

MCG Server...er.exe

windows7-x64

8

MCG Server...er.exe

windows10-1703-x64

8

MCG Server...er.exe

windows10-2004-x64

10

MCG Server...er.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    322s
  • max time network
    423s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/06/2024, 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MCG Server Launcher/MCG Server Launcher.exe

  • Size

    2.1MB

  • MD5

    3584a02b77f639b7d7fabe08797bb6eb

  • SHA1

    906e6a9044eae39ab17e60e28c4de5a9807c65b3

  • SHA256

    1c5c9ce6f9339eb57d39c35b166b5f64e8ea7f427d988aaa3a7d95ce81225e72

  • SHA512

    72942199d4ee6146055919de00a224ae90a08e0c5c58f9155a9beca7f986169bbcb8e09e59cae16e83e29e59521cbad77ccf958550abd92a4fbeb0db6e9a43a0

  • SSDEEP

    49152:j8mi6FoJtr7uht5r+LXKX6wZYKWHPo6lW9ssdrdjeN:j8mi6F4RujsLXmxMvnA91xeN

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MCG Server Launcher\MCG Server Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\MCG Server Launcher\MCG Server Launcher.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\temp.bat' -Verb RunAs -WindowStyle Hidden"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
    • C:\Users\Admin\AppData\Local\Temp\FiveM.exe
      "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new
        CitizenFX.exe.new -bootstrap "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Users\Admin\AppData\Local\Temp\FiveM.exe
          "C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3564
          • C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
            "C:\Users\Admin\AppData\Local\FiveM\FiveM.exe"
            5⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Modifies registry class
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4400
            • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer
              "C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:1224 -parentpid:4400
              6⤵
              • Executes dropped EXE
              PID:4528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-2372\data\control\settings.meta.tmp
    Filesize

    37KB

    MD5

    3656c6636cd9dbceaf83230c3c9a2be9

    SHA1

    989f27c6736a943fd4690091fed26f7c17e3c17f

    SHA256

    f9ae094812ce9fbd56b58dab7739451792aba8f56c5f21eee15ef96682b413a6

    SHA512

    52bbb8f2b2d6183f30b908d9171a2ec8c2128bbce145b7af0095d4c199b1ec431d650ec4ed0b1b6cbc7bcc8d29da3285cdcc61368faa8c4e57b45315ced4e4ad

    Download Submit

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-3095\data\control\settings.meta.tmp
    Filesize

    39KB

    MD5

    619814b8b98007c1698576b7e4efb3ec

    SHA1

    e60f3ceaf5ca78f74e6867f0b042951bffb91786

    SHA256

    71ad5591441d62d02d2b62155abcf2cab587af49b86e2db5be6729a5b39df5d1

    SHA512

    55ab0bd3c1750d63ad3304e63b7c26251f01c8994f385e5643e2bbd37fc6595fd0e9f5fc0d76aa655fe8ad3bc6fdee33248d9f4a76cce11a25d84c3f5de16236

    Download Submit

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\release.txt
    Filesize

    6B

    MD5

    bc0d2ef702db446712420b39a4e92250

    SHA1

    fbf03c92c01bd42022829b761b2bc1f6f6ccc810

    SHA256

    0c7271249d4e34ef9ca98d5c3b622096a7f08568cc88336ac6c0a2d89953e35c

    SHA512

    5c03d84075574f4eeeac5eceff55f590d9ffb289e20ab8a904ec79a221fa105b0f07979c4bf295a7f4e4e1ad81a4c6e6ec4f851f0c80e0c678d710e37b5840d8

    Download Submit

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\lua\natives_universal.lua.tmp
    Filesize

    1.8MB

    MD5

    559cc98140d4eff894bdf2b3f6ce2a73

    SHA1

    1665ac2284d16bcc1fdd319b023b1d12f1cad343

    SHA256

    dba50975b85ca95d0c41d10ff885c48576aa938731dd56c06af03f46d046e267

    SHA512

    d96ee466b2b7bd7e44a72fac7ddc624b8882252ae9fd1a07c0dad084113a93061551d0bad6b0898a1638d2688ee599dd84b050c14473807986b3e697511a6d66

    Download Submit

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.d.ts.tmp
    Filesize

    2.1MB

    MD5

    c3d94830b2a220533e08ffcc9d44974f

    SHA1

    388ff56c07acfc78d22608406fdfc9d0467cd228

    SHA256

    30f48ffe2637e8f4fcebb8dbf30f6207923755336d8f5568ba578300b03a3418

    SHA512

    62464defcd58e956a7c2a98380a7b9397d19f93f9f3cc61d5fda0cf564becf41f6c5f89eaba9d516840f9f8a043a98e09226ee5193bd1e7ab0e5c3d6bf8ddc12

    Download Submit

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.js.tmp
    Filesize

    1.9MB

    MD5

    681d1b756761d9c7409b072884a8edce

    SHA1

    08a14e48347f3bef0bd95aa66099b62b67fa07f4

    SHA256

    51f19f2031f8213ae5a2502b19bb8e60ce42d37da066704c41c1bc9d6f85d387

    SHA512

    9568f50550b8352cfff31ca36fd585b704145beda629421d337b803d0df35b8658ba2a4b9e3908c66d363a3414d989ec321da6f1e21ff1d48e92cabd393fab63

    Download Submit

  • C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini
    Filesize

    157B

    MD5

    f9d948aa9426cb1a2a82e651b81a1912

    SHA1

    2d496caeef3b0bff6b91b99e58736cea51366348

    SHA256

    b1fe21f251cf7875783ea162ef86c2a5b5022a1c5157bbb7972b6b34e14ec08a

    SHA512

    a962fae3853f43e4a8e2b33aa5f51a917673d76648845dffcc32037c25cb3f300e4c4fc3ea633bf78b714449dbda84416e41cc16256373c170fb82d8485e3369

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CitizenFX.exe.new
    Filesize

    5.0MB

    MD5

    b85b0aa54aec3edcb4ebac2c3a32bc26

    SHA1

    46b008cce9250dc2f96a1d1cb9b681ac4528866d

    SHA256

    75d805a8d5ec7281de40c9cbe31445a3ad0f0fe73852c55d06f4dcfefa4a9e4d

    SHA512

    f14fc451b5e954934521878e31b2231e154eccc380a68d6742531cba1edd5405ca307d29b244d8a703c87115c8393a26620f298dca1571e08e4aa11edf8744d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\FiveM.exe
    Filesize

    5.0MB

    MD5

    e8c3fd1b35507fa301fac9367f28757f

    SHA1

    fd03919c9370248a62c9d540f6cd9fbeccac09f6

    SHA256

    05a99a0067ddde35a8b6c92721fc8ee058ffe1cee9a9dceb2bafb1a8e2d92368

    SHA512

    7f4f60aa0978a5f3f49cac744c11b6fe410cf32ec8dcd83fd6ad2120e9830b242b6f6a758c03ca76e8ffa800dbfec1b92f759c176f829f94492ed81e65befcdd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45f3v4tt.wbn.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\main.bat
    Filesize

    556B

    MD5

    f225cc48602e5003d67679155841c917

    SHA1

    5f5d572f385155377f39086dcfcbc0a126dcc375

    SHA256

    73309641458311a723800f190f859e1a7c211b8b5d127ebcb1444f399faa1c34

    SHA512

    1bcfff70302146428aa0b2677c76f146d0b72404e64db4663ea203fdd68d6acac70fecfa9318cce33b1b9380fea77f18680b1435cf220ceb797b51eaa400787e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM.lnk
    Filesize

    2KB

    MD5

    718b27d9ce850a9c504dd992ced60ddd

    SHA1

    8b27866ecc5c70dad60e5e278ca3226e85a10f8b

    SHA256

    1597738706589c4fe3163a3caca804d7d2415fa71f84f3f926bb3441a3943d94

    SHA512

    66f7c7d03bb0d8e315a4ad3e51db55d3c80c0af575d193dad5d0ea3fcb7adcd083f0111c13bc741138338b3e3f7b243cee8e0ed14fd36d082ddcdf5dc1b2555f

    Download Submit

  • memory/4996-15-0x0000000006F30000-0x0000000006F96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4996-53-0x0000000008F10000-0x0000000008FA4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/4996-54-0x0000000008C30000-0x0000000008C4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4996-55-0x0000000008CA0000-0x0000000008CC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4996-22-0x0000000007F00000-0x0000000007F76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4996-18-0x0000000007B60000-0x0000000007BAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4996-69-0x00000000094B0000-0x00000000099AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4996-17-0x0000000007650000-0x000000000766C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4996-16-0x0000000007740000-0x0000000007A90000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4996-14-0x0000000007680000-0x00000000076E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4996-13-0x0000000006D90000-0x0000000006DB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4996-12-0x0000000006FE0000-0x0000000007608000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4996-11-0x0000000004320000-0x0000000004356000-memory.dmp

    Filesize

    216KB

    Download