f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1

General

Target

Yonder_Fivem.exe
Size

6.3MB
MD5

b1c825266b3ba65293047125b6187839
SHA1

2717197678e400a693ca7c3a4eedf1fe7001382b
SHA256

f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1
SHA512

24830021254f1206775201f98fb0323dec02f947374a367c8d2f0c9c328b55fe492a36b0d2217ca41f1cdeb24152290501cef7b01dfb20e717db10f92952760e
SSDEEP

98304:gjWxDXRGFyZftzByQ6/Sw87AB3bq6p9OJmtgiBnuNfXWNasKo+oX2hsfBoj:gjWxFG2JByQ6/g01q6PiNiB6y97X2/j

Score

10^/10

evasion persistence vmprotect

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

yonder_fivem.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

624 yonder_fivem.exe
1108 icsys.icn.exe
4764 explorer.exe
3988 spoolsv.exe
4416 svchost.exe
1164 spoolsv.exe

pid	process
624	yonder_fivem.exe
1108	icsys.icn.exe
4764	explorer.exe
3988	spoolsv.exe
4416	svchost.exe
1164	spoolsv.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yonder_fivem.exe	vmprotect

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Yonder_Fivem.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exe

pid	process
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
1108	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4764 explorer.exe
4416 svchost.exe

pid	process
4764	explorer.exe
4416	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3516	Yonder_Fivem.exe
3516	Yonder_Fivem.exe
1108	icsys.icn.exe
1108	icsys.icn.exe
4764	explorer.exe
4764	explorer.exe
3988	spoolsv.exe
3988	spoolsv.exe
4416	svchost.exe
4416	svchost.exe
1164	spoolsv.exe
1164	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3516 wrote to memory of 624	3516	Yonder_Fivem.exe	yonder_fivem.exe
PID 3516 wrote to memory of 624	3516	Yonder_Fivem.exe	yonder_fivem.exe
PID 3516 wrote to memory of 1108	3516	Yonder_Fivem.exe	icsys.icn.exe
PID 3516 wrote to memory of 1108	3516	Yonder_Fivem.exe	icsys.icn.exe
PID 3516 wrote to memory of 1108	3516	Yonder_Fivem.exe	icsys.icn.exe
PID 1108 wrote to memory of 4764	1108	icsys.icn.exe	explorer.exe
PID 1108 wrote to memory of 4764	1108	icsys.icn.exe	explorer.exe
PID 1108 wrote to memory of 4764	1108	icsys.icn.exe	explorer.exe
PID 4764 wrote to memory of 3988	4764	explorer.exe	spoolsv.exe
PID 4764 wrote to memory of 3988	4764	explorer.exe	spoolsv.exe
PID 4764 wrote to memory of 3988	4764	explorer.exe	spoolsv.exe
PID 3988 wrote to memory of 4416	3988	spoolsv.exe	svchost.exe
PID 3988 wrote to memory of 4416	3988	spoolsv.exe	svchost.exe
PID 3988 wrote to memory of 4416	3988	spoolsv.exe	svchost.exe
PID 4416 wrote to memory of 1164	4416	svchost.exe	spoolsv.exe
PID 4416 wrote to memory of 1164	4416	svchost.exe	spoolsv.exe
PID 4416 wrote to memory of 1164	4416	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe
"C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516

\??\c:\users\admin\appdata\local\temp\yonder_fivem.exe
c:\users\admin\appdata\local\temp\yonder_fivem.exe
2⤵
- Executes dropped EXE
PID:624

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3988

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yonder_fivem.exe
Filesize
6.2MB

MD5
bc7128e9bc6cd871e9d2c287cd717d39

SHA1
b19ac0afaa4d93f9469a4367056b62e9ba49f094

SHA256
ed5b5ac658a134ad7f62d115510abca2850459b313d53e7d1742190a9ea60d14

SHA512
12dc613eda0f0372bc40c3ce74c3b5dd5cb1bf01d43e6786f7a11c7b9d89171aad85c9b2a813072cfdc73e511d192cb60be8effebd3c1c35d60a2a5ed20dd349

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
42866e5ea7acc36cb48ba886a06e9e46

SHA1
3aaa45a2924d365b11f9debd0b0262e4c0503749

SHA256
9e42f5b0e2ff8db9a64de6e687a18d524e806b449bffd5acfcdac791cb0deace

SHA512
5005f8ea6f8fe29250a2364b7397e26cdffaf1b8015c6bf671283260bf9fb6dc4375c76eca6daa23da9064db195892dfa4c9a60001314d14c93cd7bc16bfc418

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
978ae55280e654a976ad5c783299bcab

SHA1
7c770eea670e19ee20ca85739f2ae7aa64df36b8

SHA256
26060149b4d3fd2303a771485c20603006eca325afd8cae3ea50b70b680c3445

SHA512
db674c677472b9d1f09747ee07ee111d9b346fd3d5a9f940fb07b7781d14a8a0a27a2bdca82a50929eb55dda9b83a437b5252313c071952eba2bbd2bcbe02b13

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
fb09783eaee8c2b9b0a9b9c41aed5aef

SHA1
7fe12774c3e142c120b65dcd1939bf65b1217e4a

SHA256
674966d4a6aeb839c7e5bc307a1d220551359be3f4b820f07cfa95e63645752b

SHA512
ee9889c96496881509ab6fea21e887e2cc25b5509e05aaa4c2e00b029bf808ab3110ea28a3e7c808b6675d6de12142c92297b8bbefaef3d8301f528a96259e8b

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
89c364021fcd32409b1378c3abc825b4

SHA1
23c27df75ddfa3424fe4bf0cca542676472211bf

SHA256
8cb2f946e41e145b3db1fe2c7cf157da1a9f983f80647c5e867572fca9ed65ea

SHA512
0e546db0ff858c3bff8e0b4e9efe802cd083b304415fb9ccc82b7ebcb27a6b4ee3eedea4b5d6352cb42719f1a6550f41b1f69a64569cd89217c1aeefee7db1df

Download Submit
memory/1108-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3988-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4764-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads