Overview

overview

10

Static

static

3

Yonder_Fivem.exe

windows7-x64

10

Yonder_Fivem.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Yonder_Fivem.exe

  • Size

    6.3MB

  • MD5

    b1c825266b3ba65293047125b6187839

  • SHA1

    2717197678e400a693ca7c3a4eedf1fe7001382b

  • SHA256

    f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1

  • SHA512

    24830021254f1206775201f98fb0323dec02f947374a367c8d2f0c9c328b55fe492a36b0d2217ca41f1cdeb24152290501cef7b01dfb20e717db10f92952760e

  • SSDEEP

    98304:gjWxDXRGFyZftzByQ6/Sw87AB3bq6p9OJmtgiBnuNfXWNasKo+oX2hsfBoj:gjWxFG2JByQ6/g01q6PiNiB6y97X2/j

Score
10/10
evasionpersistencevmprotect

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe
    "C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1936
    • \??\c:\users\admin\appdata\local\temp\yonder_fivem.exe 
      c:\users\admin\appdata\local\temp\yonder_fivem.exe 
      2⤵
      • Executes dropped EXE
      PID:2288
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2120
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2612
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2756
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1648
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2496
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:39 /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2488
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:40 /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2564
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:41 /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:852
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      20d124fa6f69c163b5a7ee848482ce33

      SHA1

      b0a32ad907c9f7c5ff676933932d917182779bc7

      SHA256

      4c43aeea0ec6b6662018a44797cf5fc9c7523a1cb857eece6c29f3ad7163e3b7

      SHA512

      7f94965f094ebbbfbd87e7bf4a806588b4a44f0a5572b809b3bcfd05071755cef8a3d81f8100cfdd7c5ad02b8a7a48a564dbd6c23c750c9f38ef70ff2ac4aff2

      Download Submit

    • \Users\Admin\AppData\Local\Temp\yonder_fivem.exe 
      Filesize

      6.2MB

      MD5

      bc7128e9bc6cd871e9d2c287cd717d39

      SHA1

      b19ac0afaa4d93f9469a4367056b62e9ba49f094

      SHA256

      ed5b5ac658a134ad7f62d115510abca2850459b313d53e7d1742190a9ea60d14

      SHA512

      12dc613eda0f0372bc40c3ce74c3b5dd5cb1bf01d43e6786f7a11c7b9d89171aad85c9b2a813072cfdc73e511d192cb60be8effebd3c1c35d60a2a5ed20dd349

      Download Submit

    • \Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      978ae55280e654a976ad5c783299bcab

      SHA1

      7c770eea670e19ee20ca85739f2ae7aa64df36b8

      SHA256

      26060149b4d3fd2303a771485c20603006eca325afd8cae3ea50b70b680c3445

      SHA512

      db674c677472b9d1f09747ee07ee111d9b346fd3d5a9f940fb07b7781d14a8a0a27a2bdca82a50929eb55dda9b83a437b5252313c071952eba2bbd2bcbe02b13

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      cc51ae791e5c7fffafd4b1d7e63239fa

      SHA1

      56655a77e4f82a529edbe5973bc61eae1cfca0fd

      SHA256

      287536759a2ec50c08a40495db09ce32f6a47872ee7b92046a3b977436787550

      SHA512

      eeb5a97e0f6e66ef659c31518f948e779b5298c468313283227b68811ee9d768832c40bf4dc4a3403ec87facbd7f6474d344ecfe64fa502fff352b272b89f8a9

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      6ca1ddff12a5b369b5bb7777bf5f3a15

      SHA1

      042935c9f54346af5f052f1ed53f44ff496d26d9

      SHA256

      f410244217721e11e58e4520eab71cd3fe216ad896a57310643e605b75744ae8

      SHA512

      616042d9b2132c38141424f8ccac49d0d033218846abee4a68f0fa04240cd9b2a5776e12d1227dd1a47f02e7222847d7a0d8b0a1a2a7b67d396f0b1d5d86ed5a

      Download Submit

    • memory/1648-52-0x0000000000310000-0x000000000032F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1936-14-0x0000000000280000-0x000000000029F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1936-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1936-60-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2120-59-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2496-57-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2612-37-0x00000000003A0000-0x00000000003BF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2756-38-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2756-58-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download