Analysis
- max time kernel: 24s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 18:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: Yonder_Fivem.exe
- Resource: win10v2004-20240611-en
General
- Target: Yonder_Fivem.exe
- Size: 6.3MB
- MD5: b1c825266b3ba65293047125b6187839
- SHA1: 2717197678e400a693ca7c3a4eedf1fe7001382b
- SHA256: f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1
- SHA512: 24830021254f1206775201f98fb0323dec02f947374a367c8d2f0c9c328b55fe492a36b0d2217ca41f1cdeb24152290501cef7b01dfb20e717db10f92952760e
- SSDEEP: 98304:gjWxDXRGFyZftzByQ6/Sw87AB3bq6p9OJmtgiBnuNfXWNasKo+oX2hsfBoj:gjWxFG2JByQ6/g01q6PiNiB6y97X2/j
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Executes dropped EXE (6 IoCs)
Processes: yonder_fivem.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 624 yonder_fivem.exe
- PID 1108 icsys.icn.exe
- PID 4764 explorer.exe
- PID 3988 spoolsv.exe
- PID 4416 svchost.exe
- PID 1164 spoolsv.exe

YARA rule match
- resource C:\Users\Admin\AppData\Local\Temp\yonder_fivem.exe: yara_rule vmprotect
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)
Drops file in Windows directory (4 IoCs)
Processes: Yonder_Fivem.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
- File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (process: Yonder_Fivem.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Yonder_Fivem.exe, icsys.icn.exe
- PID 3516 Yonder_Fivem.exe (repeated entries)
- PID 1108 icsys.icn.exe (repeated entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
- PID 4764 explorer.exe
- PID 4416 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: Yonder_Fivem.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 3516 Yonder_Fivem.exe (2 entries)
- PID 1108 icsys.icn.exe (2 entries)
- PID 4764 explorer.exe (2 entries)
- PID 3988 spoolsv.exe (2 entries)
- PID 4416 svchost.exe (2 entries)
- PID 1164 spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: Yonder_Fivem.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
- PID 3516 Yonder_Fivem.exe wrote to memory of PID 624 yonder_fivem.exe (2 entries)
- PID 3516 Yonder_Fivem.exe wrote to memory of PID 1108 icsys.icn.exe (3 entries)
- PID 1108 icsys.icn.exe wrote to memory of PID 4764 explorer.exe (3 entries)
- PID 4764 explorer.exe wrote to memory of PID 3988 spoolsv.exe (3 entries)
- PID 3988 spoolsv.exe wrote to memory of PID 4416 svchost.exe (3 entries)
- PID 4416 svchost.exe wrote to memory of PID 1164 spoolsv.exe (3 entries)
Processes (indented by depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\users\admin\appdata\local\temp\yonder_fivem.exe
      command line: c:\users\admin\appdata\local\temp\yonder_fivem.exe
      - Executes dropped EXE

   2. C:\Windows\Resources\Themes\icsys.icn.exe
      command line: C:\Windows\Resources\Themes\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\themes\explorer.exe
         command line: c:\windows\resources\themes\explorer.exe
         - Modifies visibility of hidden/system files in Explorer
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\svchost.exe
               command line: c:\windows\resources\svchost.exe
               - Modifies visibility of hidden/system files in Explorer
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in System32 directory
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

               6. \??\c:\windows\resources\spoolsv.exe
                  command line: c:\windows\resources\spoolsv.exe PR
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Temp\yonder_fivem.exe
  Filesize: 6.2MB
  MD5: bc7128e9bc6cd871e9d2c287cd717d39
  SHA1: b19ac0afaa4d93f9469a4367056b62e9ba49f094
  SHA256: ed5b5ac658a134ad7f62d115510abca2850459b313d53e7d1742190a9ea60d14
  SHA512: 12dc613eda0f0372bc40c3ce74c3b5dd5cb1bf01d43e6786f7a11c7b9d89171aad85c9b2a813072cfdc73e511d192cb60be8effebd3c1c35d60a2a5ed20dd349

- C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: 42866e5ea7acc36cb48ba886a06e9e46
  SHA1: 3aaa45a2924d365b11f9debd0b0262e4c0503749
  SHA256: 9e42f5b0e2ff8db9a64de6e687a18d524e806b449bffd5acfcdac791cb0deace
  SHA512: 5005f8ea6f8fe29250a2364b7397e26cdffaf1b8015c6bf671283260bf9fb6dc4375c76eca6daa23da9064db195892dfa4c9a60001314d14c93cd7bc16bfc418

- C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 135KB
  MD5: 978ae55280e654a976ad5c783299bcab
  SHA1: 7c770eea670e19ee20ca85739f2ae7aa64df36b8
  SHA256: 26060149b4d3fd2303a771485c20603006eca325afd8cae3ea50b70b680c3445
  SHA512: db674c677472b9d1f09747ee07ee111d9b346fd3d5a9f940fb07b7781d14a8a0a27a2bdca82a50929eb55dda9b83a437b5252313c071952eba2bbd2bcbe02b13

- C:\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: fb09783eaee8c2b9b0a9b9c41aed5aef
  SHA1: 7fe12774c3e142c120b65dcd1939bf65b1217e4a
  SHA256: 674966d4a6aeb839c7e5bc307a1d220551359be3f4b820f07cfa95e63645752b
  SHA512: ee9889c96496881509ab6fea21e887e2cc25b5509e05aaa4c2e00b029bf808ab3110ea28a3e7c808b6675d6de12142c92297b8bbefaef3d8301f528a96259e8b

- C:\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 89c364021fcd32409b1378c3abc825b4
  SHA1: 23c27df75ddfa3424fe4bf0cca542676472211bf
  SHA256: 8cb2f946e41e145b3db1fe2c7cf157da1a9f983f80647c5e867572fca9ed65ea
  SHA512: 0e546db0ff858c3bff8e0b4e9efe802cd083b304415fb9ccc82b7ebcb27a6b4ee3eedea4b5d6352cb42719f1a6550f41b1f69a64569cd89217c1aeefee7db1df

Memory dumps
- memory/1108-46-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/1164-44-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/3516-0-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/3516-47-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/3988-45-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/4764-19-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)