Analysis
-
max time kernel
91s -
max time network
125s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
04/09/2024, 19:23
General
-
Target
BEST_TWEAK_File_For_FiveM_GTAV_Max_Performance[1].exe
-
Size
1.6MB
-
MD5
a9abf00ce30f27651471a0157dc85cb1
-
SHA1
a38acd8e95799662cafd32b30c97246ef872e528
-
SHA256
5f83b044723917d7a5beffeea89be7044282cfdcf4950acf89c338ed1e023b4c
-
SHA512
8ce0adab29d902b9075d22a717942ed3a7e5bb31ce8770eec7d925168c4d65edceabbcaad11fd8fbd35a47627009598d999676a7f4a6883610f658a0647d9dc9
-
SSDEEP
24576:gawwKusHwEwS2UGqKKUzO6I6h6gEGe/NIsWvMyCShxDo:wwREDcEShv2NuMsDo
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BEST_TWEAK_File_For_FiveM_GTAV_Max_Performance[1].exe"C:\Users\Admin\AppData\Local\Temp\BEST_TWEAK_File_For_FiveM_GTAV_Max_Performance[1].exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-IK6G5.tmp\BEST_TWEAK_File_For_FiveM_GTAV_Max_Performance[1].tmp"C:\Users\Admin\AppData\Local\Temp\is-IK6G5.tmp\BEST_TWEAK_File_For_FiveM_GTAV_Max_Performance[1].tmp" /SL5="$60168,865850,776192,C:\Users\Admin\AppData\Local\Temp\BEST_TWEAK_File_For_FiveM_GTAV_Max_Performance[1].exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://scalevest.icu/tracker/thank_you.php?trk=27703⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe29d63cb8,0x7ffe29d63cc8,0x7ffe29d63cd84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8831462030210147469,9603252837000754905,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8831462030210147469,9603252837000754905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,8831462030210147469,9603252837000754905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8831462030210147469,9603252837000754905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8831462030210147469,9603252837000754905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,8831462030210147469,9603252837000754905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD5288aaf5ece9b9bc585d58ef32bf7e262
SHA1b10a372a699cbd1fdd1a3dbf5879674d5d223503
SHA25696a9b4943374da80d27a44ae42de66709d814c5128ba640315bcc86026d98436
SHA512a6469361653a2e0f64991b2a6db62989d3c41cb0fc9415d2b3f548fbd53a7a25b098e5c2fb0cf8bd2e014be1327f4061a69444c6ea2860b3a40f276651eb9fcf
-
Filesize
170B
MD531c9feb2b5c3aeedd3917fc88fef4982
SHA1a3a28be13418a5d719e66d6cccaafc942702a67e
SHA2563338f926adac4e775307d3e3c028723fa31b7f9c036a6d2fd0426e8f50d63ba5
SHA512e0666d368cbc3fab687dd97c7aa51ee23b1fccdd77cb68c256375764759d2b67ea5a50ea8e035666760a2589d7cc87efe2f3dc81f37b1176477aadcd81e7ab32
-
Filesize
152B
MD5c4a10f6df4922438ca68ada540730100
SHA14c7bfbe3e2358a28bf5b024c4be485fa6773629e
SHA256f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
SHA512b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
-
Filesize
152B
MD54c3889d3f0d2246f800c495aec7c3f7c
SHA1dd38e6bf74617bfcf9d6cceff2f746a094114220
SHA2560a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
SHA5122d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
-
Filesize
555B
MD50169ffe4bd2c980e4994c23a33bc4fd5
SHA14481b3a742e4e7558f24cacdba79d88e0b2a0d0e
SHA2561a1757a8f43857975931198a84f4f06dd394d0fd9e8b8d18ed8a519d3604e8ab
SHA5124f2ef7e86f836df47b255225ffae6c9ea08b61821ef9df669ca8e86733dec81a579e07232146efe0865a80e5463fc172a3bff592d25f78d8d667bba729495f20
-
Filesize
5KB
MD55a71403a42021c9fe051d8b811337d80
SHA156b0cf4db26c9c55f76ce1c6563a7a6c235174ec
SHA2562c252c8b451f904c7b3a0d1c7ca3d65127f2d6d802c2f85e624e79981015d401
SHA51233c2fd56bbab20b1f1c7dab3b0f33daaae85c8534db21f3a0acbc4d67c4211f80284a0ecaa7a9fe791607c1f850f9245af085e3121d752df562f27206a430ba5
-
Filesize
6KB
MD549b06f493309cf8cc5734887570f4d36
SHA173bdbc35ee459641959d2c0789d75b7019c2c9d6
SHA256b99fac02b6f8ff50267031d1d48c8d06aa350062f8ec1f87d5fe7d9f1deb3006
SHA512084ffd7d9894f6bc414435304e8d6e7eb201aa13958c51f5ff3d716b78ebdd96a8e64663441731dfd3e0f677d97887a3cf3a4391eaaa256a06f6341800f03be2
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD55f5872da52c63a585025f93a68664455
SHA1a11a04a8736a4b62cb7334924957ec11fece161a
SHA256b524c17a06f04df511c4a846cf7859eaa691397cfd523cb2ad855ae8a1865abb
SHA51275a0c3b0fbc3b6a5199246a11d6f369527037fc8ebc92e921ecf9975dc519fc373e053ed3e2c8a6c26587bf58a332cde52d95d6f2d4692ee4a168a53b28943c2
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
3.0MB
MD542f184e26201d6fe387217da497c1d07
SHA1244c5b214657e5b7d80291357a81011e7f97ed83
SHA256b538e61667ccd26ae715ac704ee97725d472a37adb1709bb474e60a3d039f24a
SHA5128c160fe5b3051806fdbb33c5efab43f4f963f5cb54f560554a9f6026ed9c51a9d138484e21b355bd9c5c7f28be65bed3ec991fa49813920e349b66d77de90638
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
812KB
-
Filesize
812KB
-
Filesize
672KB