8028313f8ccc23c6cb1b07927d5e3a5e5aff66f36f2ce67be49cb96372722d76

General

Target

FiveMHackV2.exe
Size

26.2MB
MD5

0a80c7be4e77b4b2f9e580c26a0b5d13
SHA1

7525eaf2118d893c6a73fa5471f6adea4e75e164
SHA256

8028313f8ccc23c6cb1b07927d5e3a5e5aff66f36f2ce67be49cb96372722d76
SHA512

362cb3f5306cb978bc7d8e7240023c9f859a9907a07b03df4756ea48b02c0b68ddf751719b13027bd2447d9b2d1d598e210c744c4b4e1bcc11d9d17b783a1169
SSDEEP

786432:SKP9F8JjEdm7SJtWqwkd7q+XlR43OnDgUd4Z+c:P7qEdm7SHWqwGxXX43cDgUd4ZV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FiveMHackV2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FiveM Hack V1.exe

Executes dropped EXE 3 IoCs

pid	Process
4512	FiveM Hack V1.exe
3548	CheatEngine75.exe
5080	CheatEngine75.tmp

Loads dropped DLL 3 IoCs

pid	Process
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp
5080	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4512	116	FiveMHackV2.exe	83
PID 116 wrote to memory of 4512	116	FiveMHackV2.exe	83
PID 4512 wrote to memory of 3548	4512	FiveM Hack V1.exe	85
PID 4512 wrote to memory of 3548	4512	FiveM Hack V1.exe	85
PID 4512 wrote to memory of 3548	4512	FiveM Hack V1.exe	85
PID 3548 wrote to memory of 5080	3548	CheatEngine75.exe	86
PID 3548 wrote to memory of 5080	3548	CheatEngine75.exe	86
PID 3548 wrote to memory of 5080	3548	CheatEngine75.exe	86

C:\Users\Admin\AppData\Local\Temp\FiveMHackV2.exe
"C:\Users\Admin\AppData\Local\Temp\FiveMHackV2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack V1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack V1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\is-DUFIO.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DUFIO.tmp\CheatEngine75.tmp" /SL5="$5002E,2335682,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack V1.exe

Filesize
25.9MB

MD5
ff96f2cc9bb0e983f2cc7507e4ef2ac9

SHA1
4bd152be16651f69db0df76e7af0024f9ebf28d5

SHA256
a09a8265d885b78ba09912dd4a5531ff1754989ed9424b8e33e0b1a404215e37

SHA512
bc5c0abfd7dc7bb0db83c2c1cd87f6514f9bf5da5ed7036e64d80baae97828d4417432128cf96a274bf359c0c8d267e77e48793f10deffd2aa6b62569136e863

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUFIO.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
1cdbf6da4defe32c9cb5908968a02fab

SHA1
d1a5eb2928d718d7a1517187f523c701c141b659

SHA256
87c1bb2236a874c97369b2cca0d55559fa917707cebddf7a5eabc691f8302487

SHA512
215697cae7ec2ba27fbc0b9208cb8676e27d21e55e0184fc68cbd1c1bd57863daf29348ea677e97af84628800ba15e6db884df872c3adc673a3cd7faed2888b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJNVB.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJNVB.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJNVB.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJNVB.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
memory/3548-30-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3548-62-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5080-56-0x00000000063A0000-0x00000000063AF000-memory.dmp

Filesize
60KB

Download
memory/5080-63-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/5080-64-0x00000000063A0000-0x00000000063AF000-memory.dmp

Filesize
60KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads