f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1

General

Target

Yonder_Fivem.exe
Size

6.3MB
MD5

b1c825266b3ba65293047125b6187839
SHA1

2717197678e400a693ca7c3a4eedf1fe7001382b
SHA256

f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1
SHA512

24830021254f1206775201f98fb0323dec02f947374a367c8d2f0c9c328b55fe492a36b0d2217ca41f1cdeb24152290501cef7b01dfb20e717db10f92952760e
SSDEEP

98304:gjWxDXRGFyZftzByQ6/Sw87AB3bq6p9OJmtgiBnuNfXWNasKo+oX2hsfBoj:gjWxFG2JByQ6/g01q6PiNiB6y97X2/j

Score

10^/10

evasion persistence vmprotect

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

yonder_fivem.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2124 yonder_fivem.exe
2912 icsys.icn.exe
2804 explorer.exe
2640 spoolsv.exe
2832 svchost.exe
2984 spoolsv.exe
Loads dropped DLL 7 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

2240 Yonder_Fivem.exe
2240 Yonder_Fivem.exe
2884
2912 icsys.icn.exe
2804 explorer.exe
2640 spoolsv.exe
2832 svchost.exe

pid	process
2124	yonder_fivem.exe
2912	icsys.icn.exe
2804	explorer.exe
2640	spoolsv.exe
2832	svchost.exe
2984	spoolsv.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\yonder_fivem.exe	vmprotect

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Yonder_Fivem.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2292 schtasks.exe
2764 schtasks.exe
1360 schtasks.exe

pid	process
2292	schtasks.exe
2764	schtasks.exe
1360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2804 explorer.exe
2832 svchost.exe

pid	process
2804	explorer.exe
2832	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2240	Yonder_Fivem.exe
2240	Yonder_Fivem.exe
2912	icsys.icn.exe
2912	icsys.icn.exe
2804	explorer.exe
2804	explorer.exe
2640	spoolsv.exe
2640	spoolsv.exe
2832	svchost.exe
2832	svchost.exe
2984	spoolsv.exe
2984	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2240 wrote to memory of 2124	2240	Yonder_Fivem.exe	yonder_fivem.exe
PID 2240 wrote to memory of 2124	2240	Yonder_Fivem.exe	yonder_fivem.exe
PID 2240 wrote to memory of 2124	2240	Yonder_Fivem.exe	yonder_fivem.exe
PID 2240 wrote to memory of 2124	2240	Yonder_Fivem.exe	yonder_fivem.exe
PID 2240 wrote to memory of 2912	2240	Yonder_Fivem.exe	icsys.icn.exe
PID 2240 wrote to memory of 2912	2240	Yonder_Fivem.exe	icsys.icn.exe
PID 2240 wrote to memory of 2912	2240	Yonder_Fivem.exe	icsys.icn.exe
PID 2240 wrote to memory of 2912	2240	Yonder_Fivem.exe	icsys.icn.exe
PID 2912 wrote to memory of 2804	2912	icsys.icn.exe	explorer.exe
PID 2912 wrote to memory of 2804	2912	icsys.icn.exe	explorer.exe
PID 2912 wrote to memory of 2804	2912	icsys.icn.exe	explorer.exe
PID 2912 wrote to memory of 2804	2912	icsys.icn.exe	explorer.exe
PID 2804 wrote to memory of 2640	2804	explorer.exe	spoolsv.exe
PID 2804 wrote to memory of 2640	2804	explorer.exe	spoolsv.exe
PID 2804 wrote to memory of 2640	2804	explorer.exe	spoolsv.exe
PID 2804 wrote to memory of 2640	2804	explorer.exe	spoolsv.exe
PID 2640 wrote to memory of 2832	2640	spoolsv.exe	svchost.exe
PID 2640 wrote to memory of 2832	2640	spoolsv.exe	svchost.exe
PID 2640 wrote to memory of 2832	2640	spoolsv.exe	svchost.exe
PID 2640 wrote to memory of 2832	2640	spoolsv.exe	svchost.exe
PID 2832 wrote to memory of 2984	2832	svchost.exe	spoolsv.exe
PID 2832 wrote to memory of 2984	2832	svchost.exe	spoolsv.exe
PID 2832 wrote to memory of 2984	2832	svchost.exe	spoolsv.exe
PID 2832 wrote to memory of 2984	2832	svchost.exe	spoolsv.exe
PID 2804 wrote to memory of 2756	2804	explorer.exe	Explorer.exe
PID 2804 wrote to memory of 2756	2804	explorer.exe	Explorer.exe
PID 2804 wrote to memory of 2756	2804	explorer.exe	Explorer.exe
PID 2804 wrote to memory of 2756	2804	explorer.exe	Explorer.exe
PID 2832 wrote to memory of 2764	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2764	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2764	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2764	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 1360	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 1360	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 1360	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 1360	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2292	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2292	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2292	2832	svchost.exe	schtasks.exe
PID 2832 wrote to memory of 2292	2832	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe
"C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

\??\c:\users\admin\appdata\local\temp\yonder_fivem.exe
c:\users\admin\appdata\local\temp\yonder_fivem.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:08 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:09 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:10 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2756

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
978ae55280e654a976ad5c783299bcab

SHA1
7c770eea670e19ee20ca85739f2ae7aa64df36b8

SHA256
26060149b4d3fd2303a771485c20603006eca325afd8cae3ea50b70b680c3445

SHA512
db674c677472b9d1f09747ee07ee111d9b346fd3d5a9f940fb07b7781d14a8a0a27a2bdca82a50929eb55dda9b83a437b5252313c071952eba2bbd2bcbe02b13

Download Submit
\Users\Admin\AppData\Local\Temp\yonder_fivem.exe
Filesize
6.2MB

MD5
bc7128e9bc6cd871e9d2c287cd717d39

SHA1
b19ac0afaa4d93f9469a4367056b62e9ba49f094

SHA256
ed5b5ac658a134ad7f62d115510abca2850459b313d53e7d1742190a9ea60d14

SHA512
12dc613eda0f0372bc40c3ce74c3b5dd5cb1bf01d43e6786f7a11c7b9d89171aad85c9b2a813072cfdc73e511d192cb60be8effebd3c1c35d60a2a5ed20dd349

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
96e8c6f18c0627dc1bd40cb06444730c

SHA1
bb0ceff7cd4de1cc27f29ed33ef34cf4428169a5

SHA256
1b57004835ef5d976169750b120f0bd60de7a85ea2ea150e7e8356e1d23dcf7d

SHA512
b0cf7815ff27786f6b659a3e60f0a1e7058cc17d39f9d9a686449b115b507ab2be77485b4bc6882b62d153062f690cf141643d75f121a58a440ec9326cde98a8

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
72de4414dd12cedf85ed49a170c7352f

SHA1
6de5fb92277b332e3f1d3fa31c9af3d808feebe0

SHA256
d7659c773acfc75804a8b25aaf22513b3b27e895127bb4f5b7a687f74e79d200

SHA512
6cb8bbd478d7d076634c0b8d8db132fcec810eb0a3cd837d7ebc181711df63246354f1ffcba0277d81c03149af2a4722ece7977b3027873ecf27730aee669770

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
58831f17468bd441f247e4902e244203

SHA1
9cefa8dacccf9971fa6199c90945a25166768393

SHA256
bfde6cc23b6945867db240c59319af4f2da4b62a5693ab0bb3b0d833939c34b8

SHA512
761e2d587b4dc0026964a76a4339e7c3da39f2449b1d834dff434c9d9d8da2c61415fa7c99ed4b5e8401a717837e896b2bc3a5b3b80a31677641e16f63a465c3

Download Submit
memory/2240-13-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2240-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2240-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-46-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2832-53-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/2912-23-0x0000000000350000-0x000000000036F000-memory.dmp

Filesize
124KB

Download
memory/2912-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads