389bfa7307679a9875aa41351b942724964bc0ed4763c442d1288fe693782066

Analysis

max time kernel
95s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiveM.exe
Size

5.0MB
MD5

224e0e23fcd9128fee27d7adf59ebbfe
SHA1

55f31712dd634b7f7d8eb58c6b9d083e647d6440
SHA256

389bfa7307679a9875aa41351b942724964bc0ed4763c442d1288fe693782066
SHA512

0b25eff9decf27dd1a6c73c6a9d1928618a8c984444cd5cbdd755b3450a0eed34734bafe37ff5ff2aaaac2959e4e0eac6372f007ac407c5373b077f872a67bc7
SSDEEP

49152:AOjPW2NUtWyUPwxPcyxwj/IDZD2C+kFw7Djhjk1jeq/mEBjPyv5gxUlWjlP2lEiz:RV7IwjwlOIMgxSdWmBouwo5S6Pp

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini	FiveM.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2016	GameBarPresenceWriter.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
5016	FiveM.exe
2404	FiveM_b2699_DumpServer

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Colors	FiveM.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	FiveM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{ECD309CB-13ED-4DEF-A315-78608FF00DDC}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	FiveM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{492ADEB1-852B-439D-9BF2-B0ED910E8329}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	FiveM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	FiveM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	FiveM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	FiveM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FiveM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5016	FiveM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5016	FiveM.exe
1924	OpenWith.exe
5016	FiveM.exe
5016	FiveM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 5016	2992	FiveM.exe	86
PID 2992 wrote to memory of 5016	2992	FiveM.exe	86
PID 5016 wrote to memory of 2404	5016	FiveM.exe	93
PID 5016 wrote to memory of 2404	5016	FiveM.exe	93

C:\Users\Admin\AppData\Local\Temp\FiveM.exe
"C:\Users\Admin\AppData\Local\Temp\FiveM.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\FiveM\FiveM.exe
  "C:\Users\Admin\AppData\Local\FiveM\FiveM.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer
    "C:\Users\Admin\AppData\Local\FiveM\FiveM.app\data\cache\subprocess\FiveM_b2699_DumpServer" -dumpserver:2080 -parentpid:5016
    3⤵
    - Executes dropped EXE
    PID:2404

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:2016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-2372\data\control\settings.meta.tmp

Filesize
37KB

MD5
3656c6636cd9dbceaf83230c3c9a2be9

SHA1
989f27c6736a943fd4690091fed26f7c17e3c17f

SHA256
f9ae094812ce9fbd56b58dab7739451792aba8f56c5f21eee15ef96682b413a6

SHA512
52bbb8f2b2d6183f30b908d9171a2ec8c2128bbce145b7af0095d4c199b1ec431d650ec4ed0b1b6cbc7bcc8d29da3285cdcc61368faa8c4e57b45315ced4e4ad

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\platform-3095\data\control\settings.meta.tmp

Filesize
39KB

MD5
619814b8b98007c1698576b7e4efb3ec

SHA1
e60f3ceaf5ca78f74e6867f0b042951bffb91786

SHA256
71ad5591441d62d02d2b62155abcf2cab587af49b86e2db5be6729a5b39df5d1

SHA512
55ab0bd3c1750d63ad3304e63b7c26251f01c8994f385e5643e2bbd37fc6595fd0e9f5fc0d76aa655fe8ad3bc6fdee33248d9f4a76cce11a25d84c3f5de16236

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\release.txt

Filesize
7B

MD5
2105377cf2fd8d6dceeec312e6dd4984

SHA1
e136ff96961e47e03045aa542f74e9ba5280c0f8

SHA256
904adfbbd7158008aa286d56c1f893e642aa288743cb84b7918bddce0ca46302

SHA512
ec1d800cf8b3e10f0aa41d4434ca7c2311904ab5704f46461e7638047545d6cb43d2e1ab0158f3c49b166e77fc76cb882e35a04f1502934cbd999596512c8744

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\lua\natives_universal.lua.tmp

Filesize
1.8MB

MD5
0cfa60d62ebd86f6ba3f8329b529cf29

SHA1
cdb6a4278331054d83b7887dc0d6a0af7399b2f1

SHA256
618d7ef81654a77fdcfc25db0d5aa67ac63fbe43af775da63eaafca73bd4ce78

SHA512
e796804155bd1c134ab8327ab0e48be8b967376514fad484d5eee93b97ae99755bc6ddb5ee39cce894373c1f4715d8bc83cff0ab0cfe826fa7f4b214f69fccaa

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.d.ts.tmp

Filesize
2.1MB

MD5
47a75a219b1c779915899d08f5971483

SHA1
010fae90809036240da97bf51fa26a880e5601ac

SHA256
4341fe6a59651ba92745603cb362d898dea90269e4417968b6b75ec699a1c080

SHA512
5942f59c9d86c8587eac38a527e84a8c9684ad4d0a2bd4e2e2143f8163c3173e83a01c22939a51fd851a62048068fb410d3ad1dd2816c676b82acd3d77b6d1b7

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\citizen\scripting\v8\natives_universal.js.tmp

Filesize
2.0MB

MD5
20829671f1e2f018d647ff1e29996b71

SHA1
b53f653fe8f2993fa7cf6c11ff01e9ed07aec64b

SHA256
9154c90413ee029d1efe9557f7f692414a2edfb240f8a9ed81202e23f32228b6

SHA512
43e25477e94936a3d181fded9222b243d02e875a7362016a56b4ff36bb03122f53ecd188a1a617abdb45b6c2a10247ed3da8fbe8a5d0c91ad22174e597657193

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini

Filesize
83B

MD5
eeb7d52c2a25022ea8e6fdd84b490968

SHA1
ac615808df874379439510643f1b68958951dcfa

SHA256
8dbad4b058e6e6e2d8b119f55e84b8eabfc074c80995e1c1b6b1a5731fd1f3c8

SHA512
1ccd684842f249bb3acae4cf1057cbea27852a34c39123cc7a3b6d64604984cee6a0edea164b6284e843c52e39e1da3129102fc4ba1104658cddf3999af6d197

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.app\desktop.ini

Filesize
157B

MD5
f9d948aa9426cb1a2a82e651b81a1912

SHA1
2d496caeef3b0bff6b91b99e58736cea51366348

SHA256
b1fe21f251cf7875783ea162ef86c2a5b5022a1c5157bbb7972b6b34e14ec08a

SHA512
a962fae3853f43e4a8e2b33aa5f51a917673d76648845dffcc32037c25cb3f300e4c4fc3ea633bf78b714449dbda84416e41cc16256373c170fb82d8485e3369

Download Submit
C:\Users\Admin\AppData\Local\FiveM\FiveM.exe

Filesize
5.0MB

MD5
224e0e23fcd9128fee27d7adf59ebbfe

SHA1
55f31712dd634b7f7d8eb58c6b9d083e647d6440

SHA256
389bfa7307679a9875aa41351b942724964bc0ed4763c442d1288fe693782066

SHA512
0b25eff9decf27dd1a6c73c6a9d1928618a8c984444cd5cbdd755b3450a0eed34734bafe37ff5ff2aaaac2959e4e0eac6372f007ac407c5373b077f872a67bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FiveM.lnk

Filesize
2KB

MD5
ded6ef4188b0968d986b1e272b4905bd

SHA1
ced2f6d06e8ec41dcec89a018a02a3d191ede6c9

SHA256
bb984fe4a698cb67261efa277882a66ad76f1fc2821dd4386b5584a05c8f6286

SHA512
4c7d4e60b291c9d73d8330abb433471057940f5853ed0a7509753b688ba75c08d25f66aa4c116a50298fa7d33c5e1f34247a83908346c1baf1f64d0ae8cd6df7

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit