Analysis
max time kernel: 62s
max time network: 68s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 13:37
Static task: static1
Behavioral task: behavioral1
Sample: BYPASSFIVEM.exe
Resource: win10v2004-20240226-en
General
Target: BYPASSFIVEM.exe
Size: 10.1MB
MD5: 00f035f6802cc6f8585bd8df90f21ee7
SHA1: 00d12acd567db0dc9d17828a2033addd2ec66b35
SHA256: e973c49e3f5647060a56041e0a9f7378063a02e3c8728d1d102461278a98c00f
SHA512: dc1f98a2553423739f2e272df80383c973fc902dabaa6f423b5bfd4453dd1c1c9b3333392092941ace78cc09a67f8adf165c8ada1809e331f514aaf5c0fcd085
SSDEEP: 196608:AqwLHNz/d34jLu1HTOnfOCgPtUCGQ8hfNC1GA+MHJx2QfxfLyflipARuHCQ:K1/1hJ/CgPaxQ8hfg1B+W9fLyOBiQ
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: ducservice
C2: hakim32.ddns.net:2000
C2: 45.141.26.194:1337
Mutex: 3f7251b9b8c5afa092adc8657b97c1c2
Attributes
reg_key: 3f7251b9b8c5afa092adc8657b97c1c2
splitter: |'|'|
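The splitter and the two C2 endpoints above are enough to decode traffic to this botnet. The following Python is an added example written for this page, not code from the sandbox report or from njRAT itself: it frames messages the way njRAT 0.7d does (the payload's byte length in ASCII decimal, a NUL byte, then the UTF-8 payload) and splits each payload on the configured splitter, keeping any incomplete trailing frame so a TCP stream can be fed in segments. The sample stream in the block is constructed; the field order after the `ll` beacon command is an assumption made for illustration, while the framing, the splitter and the C2 list come from known njRAT behaviour and the config above.

```python
"""Decode njRAT-style C2 streams using the extracted splitter and C2 list.

Added example for this page; not code from the sandbox report or from njRAT.
Framing: ASCII decimal byte length, a NUL byte, then the UTF-8 payload.
Fields inside a payload are separated by the configured splitter.
"""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = "|'|'|"  # from the extracted config above
C2_ENDPOINTS = {  # from the extracted config above
    ("hakim32.ddns.net", 2000),
    ("45.141.26.194", 1337),
}


@dataclass
class Message:
    command: str      # first field, e.g. "ll" (initial beacon) or "inf"
    args: List[str]   # remaining fields


def encode(command: str, *args: str, splitter: str = SPLITTER) -> bytes:
    """Build one framed message: <len> NUL <payload>."""
    payload = splitter.join((command, *args)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_stream(buf: bytes, splitter: str = SPLITTER) -> Tuple[List[Message], bytes]:
    """Split a TCP byte stream into complete messages.

    Returns (messages, leftover). `leftover` holds an incomplete trailing
    frame (partial length prefix or partial payload) so the caller can
    prepend it to the next segment; a malformed length prefix raises.
    """
    messages: List[Message] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not complete yet
        length_field = buf[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"malformed length prefix at offset {pos}: {length_field!r}")
        start, end = nul + 1, nul + 1 + int(length_field)
        if end > len(buf):
            break  # payload not complete yet
        fields = buf[start:end].decode("utf-8", errors="replace").split(splitter)
        messages.append(Message(command=fields[0], args=fields[1:]))
        pos = end
    return messages, buf[pos:]


def is_known_c2(host: str, port: int) -> bool:
    """Match a (host, port) pair against the C2 list from the config."""
    return (host.lower(), port) in C2_ENDPOINTS


# Constructed sample stream: a beacon, a second command, then a truncated frame.
# Field order after "ll" is an assumption for illustration, not taken from the sample.
SAMPLE_STREAM = (
    encode("ll", "VICTIM-ID_0123456789ABCDEF", "ducservice", "DESKTOP-TEST",
           "Admin", "24-06-29", "Win 10 Pro", "No", "0.7d")
    + encode("inf")
    + b"12\x00abc"  # claims 12 payload bytes, only 3 have arrived
)

if __name__ == "__main__":
    msgs, rest = decode_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.args)
    print("leftover:", rest)
    print("hakim32.ddns.net:2000 is known C2:", is_known_c2("hakim32.ddns.net", 2000))
```

Feed `decode_stream` the reassembled payload of each direction of a flow to the hosts above; the `ll` beacon carries the botnet name (`ducservice` here) as one of its fields, which is the quickest way to tie a capture back to this configuration without relying on the dynamic DNS name resolving.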
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (2 IoCs)
resource: behavioral1/memory/868-90-0x0000000000400000-0x0000000000414000-memory.dmp, yara_rule: modiloader_stage2
resource: behavioral1/memory/2120-93-0x0000000000400000-0x0000000000414000-memory.dmp, yara_rule: modiloader_stage2
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes: BYPASSFIVEM.exe, NewX.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (BYPASSFIVEM.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (NewX.exe)
Executes dropped EXE (4 IoCs)
pid 4984 NewX.vmp.exe
pid 868 NewX.exe
pid 2120 ducservice.exe
pid 3344 Server.exe
Loads dropped DLL (1 IoCs)
pid 4984 NewX.vmp.exe
YARA rule hits: upx (4 IoCs)
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe
behavioral1/memory/868-81-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral1/memory/868-90-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral1/memory/2120-93-0x0000000000400000-0x0000000000414000-memory.dmp
YARA rule hits: vmprotect (2 IoCs)
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe
behavioral1/memory/4984-28-0x0000000000400000-0x00000000020DA000-memory.dmp
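The sandbox tagged NewX.exe as UPX-packed and NewX.vmp.exe as VMProtect-packed. The cheapest way to corroborate those tags on the dropped files is the PE section table, since both packers leave recognisable section names and UPX in particular leaves a section with no bytes on disk that the stub fills at run time. The Python below is an added example written for this page, not code from the sandbox or its YARA rules: a minimal section-table parser plus two heuristics. Because the dropped binaries are not on this page, the block builds constructed PE skeletons (only the header fields the parser reads are populated, so they are fixtures, not loadable executables) to exercise the logic.

```python
"""Spot UPX/VMProtect packing from PE section headers.

Added example for this page; not code from the sandbox or its YARA rules.
The PE fixtures built here are constructed and minimal: only the headers a
section-table parser needs are populated.
"""
import struct
from typing import List, Tuple

# Section names left by the two packers the report flags.
PACKER_SECTIONS = {
    "UPX0": "upx", "UPX1": "upx", "UPX2": "upx",
    ".vmp0": "vmprotect", ".vmp1": "vmprotect", ".vmp2": "vmprotect",
}

Section = Tuple[str, int, int]  # (name, VirtualSize, SizeOfRawData)


def sections(pe: bytes) -> List[Section]:
    """Walk the COFF section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out: List[Section] = []
    for i in range(num_sections):
        off = table + i * 40                                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("section table truncated")
        raw_name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", pe, off)
        name = raw_name.rstrip(b"\x00").decode("ascii", errors="replace")
        out.append((name, vsize, rawsize))
    return out


def detect_packer(pe: bytes) -> List[str]:
    """Packer families named by the section table, sorted; empty if none."""
    return sorted({PACKER_SECTIONS[n] for n, _, _ in sections(pe) if n in PACKER_SECTIONS})


def empty_raw_sections(pe: bytes) -> List[str]:
    """Sections with no bytes on disk but a non-zero virtual size.

    A packer's stub fills such a section at run time (UPX0 is the usual case),
    so this is a name-independent hint worth pairing with the name list: a
    packer build that renames its sections still needs somewhere to unpack to.
    """
    return [n for n, vsize, rawsize in sections(pe) if rawsize == 0 and vsize > 0]


def build_pe(section_list: List[Section]) -> bytes:
    """Constructed fixture: a PE32+ skeleton with only the fields the parser reads."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after the DOS header
    opt_size = 0xF0                                 # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_list), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(opt_size - 2)   # Magic = PE32+, rest left zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000 * (i + 1),
                    rawsize, 0, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(section_list)
    )
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table


# Constructed fixtures shaped like the two dropped files and a plain binary.
UPX_LIKE = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7800), (".rsrc", 0x1000, 0x800)])
VMP_LIKE = build_pe([(".text", 0x1000, 0x1000), (".vmp0", 0x5000, 0), (".vmp1", 0x200000, 0x200000)])
PLAIN = build_pe([(".text", 0x1000, 0x1000), (".data", 0x200, 0x200)])

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("vmp-like", VMP_LIKE), ("plain", PLAIN)):
        print(label, detect_packer(img), empty_raw_sections(img))
```

On a real sample, read the file into `bytes` and call `detect_packer` and `empty_raw_sections` together: section names are trivially renamed, so treat a name hit as corroboration of the sandbox tag rather than proof, and treat an empty-on-disk section with no packer name as a reason to look closer.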
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: ducservice.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ducservice = "C:\\Users\\Admin\\AppData\\Roaming\\ducservice.exe" (ducservice.exe)
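The Run value above landed under SOFTWARE\WOW6432Node because a 32-bit process wrote HKLM\Software\...\Run and WOW64 redirected it; a hunt that opens only the native 64-bit view of HKLM misses exactly this entry. The Python below is an added example written for this page, not code from the sandbox report: it classifies Run values by where their image lives, and on Windows enumerates HKLM in both registry views plus HKCU. The classification runs anywhere so it can be exercised offline; the sample values are constructed, the first reproducing the IoC from the report, and `KNOWN_IMAGE_NAMES` is seeded from that IoC only.

```python
r"""Hunt Run-key persistence like the entry seen above.

Added example for this page; not code from the sandbox report. The live
scan is Windows-only; classify() works anywhere.
"""
import ntpath
import re
import sys
from typing import Dict, List

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Path fragments a standard user can write to; a Run entry pointing there is
# worth a look whatever it is called.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")

# Image names taken from this report's IoCs (extend from your own case data).
KNOWN_IMAGE_NAMES = {"ducservice.exe"}


def image_path(value: str) -> str:
    """Pull the executable path out of a Run value, quoted or not, with or without arguments."""
    v = ntpath.expandvars(value.strip())          # handles %APPDATA%-style references
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end != -1 else v[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", v, re.IGNORECASE)   # unquoted path, possibly with spaces
    return m.group(1) if m else v.split(" ", 1)[0]


def classify(name: str, value: str) -> Dict[str, object]:
    """Flag a Run value whose image sits in user-writable space or matches a known IoC."""
    path = image_path(value)
    low = path.lower().replace("/", "\\")
    reasons: List[str] = []
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("image lives in a user-writable location")
    if ntpath.basename(low) in KNOWN_IMAGE_NAMES:
        reasons.append("image name matches an IoC from the report")
    return {"name": name, "path": path, "suspicious": bool(reasons), "reasons": reasons}


def scan_live() -> List[Dict[str, object]]:
    """Enumerate Run values in HKLM (64-bit and WOW6432Node views) and HKCU. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live registry scan needs Windows")
    import winreg  # Windows-only module, imported here so the rest runs elsewhere
    locations = (
        ("HKLM", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_64KEY),
        ("HKLM\\WOW6432Node", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_32KEY),
        ("HKCU", winreg.HKEY_CURRENT_USER, 0),   # HKCU\Software is not redirected
    )
    findings: List[Dict[str, object]] = []
    for label, hive, view in locations:
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:      # no more values
                    break
                index += 1
                finding = classify(name, str(data))
                finding["location"] = label
                findings.append(finding)
    return findings


# Constructed sample values; the first reproduces the IoC from the report.
SAMPLE_VALUES = {
    "ducservice": r'"C:\Users\Admin\AppData\Roaming\ducservice.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe --tray",
    "cleaner": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe /silent",
}

if __name__ == "__main__":
    for n, v in SAMPLE_VALUES.items():
        print(classify(n, v))
    if sys.platform == "win32":
        for f in scan_live():
            if f["suspicious"]:
                print(f)
```

Run it as an administrator if you want HKLM values from all users' perspective; note that a Run entry for a user-writable path is common for legitimate per-user installers too, so the output is a triage list, not a verdict.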
Drops file in System32 directory (64 IoCs)
Processes: NewX.vmp.exe
Files opened for modification by NewX.vmp.exe:
C:\Windows\System32\psapi.dll
C:\Windows\SYSTEM32\hhctrl.ocx
C:\Windows\SYSTEM32\msimg32.dll
C:\Windows\system32\rsaenh.dll
C:\Windows\System32\Windows.StateRepositoryPS.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\comdlg32.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\appresolver.dll
C:\Windows\SYSTEM32\windows.storage.dll
C:\Windows\system32\riched20.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\SYSTEM32\msls31.dll
C:\Windows\System32\Bcp47Langs.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\System32\ws2_32.dll
C:\Windows\system32\shfolder.dll
C:\Windows\System32\SLC.dll
C:\Windows\system32\version.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\SYSTEM32\edputil.dll
C:\Windows\System32\imm32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\WindowsCodecs.dll
C:\Windows\System32\WS2_32.dll
C:\Windows\System32\SETUPAPI.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\advapi32.dll
C:\Windows\System32\ole32.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
C:\Windows\System32\user32.dll
C:\Windows\system32\UXTheme.dll
C:\Windows\SYSTEM32\USP10.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\imagehlp.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\ucrtbase.dll
C:\Windows\SYSTEM32\GLU32.dll
C:\Windows\System32\USERENV.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\SYSTEM32\srvcli.dll
C:\Windows\System32\sppc.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\wininet.dll
C:\Windows\SYSTEM32\WTSAPI32.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\SYSTEM32\textinputframework.dll
C:\Windows\SYSTEM32\pcacli.dll
C:\Windows\SYSTEM32\MPR.dll
C:\Windows\SYSTEM32\wsock32.dll
C:\Windows\system32\sfc_os.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\SYSTEM32\netutils.dll
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\USER32.dll
Drops file in Program Files directory (1 IoCs)
Processes: NewX.vmp.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll (NewX.vmp.exe)
Drops file in Windows directory (3 IoCs)
Processes: NewX.vmp.exe
File opened for modification: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll (NewX.vmp.exe)
File opened for modification: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1288_none_91a663c8cc864906\gdiplus.dll (NewX.vmp.exe)
File opened for modification: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\COMCTL32.dll (NewX.vmp.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid 4984 NewX.vmp.exe (10 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid 4984 NewX.vmp.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: NewX.vmp.exe (pid 4984)
Token: SeDebugPrivilege
Token: SeTcbPrivilege
Token: SeTcbPrivilege
Token: SeLoadDriverPrivilege
Token: SeCreateGlobalPrivilege
Token: SeLockMemoryPrivilege
Token: 33
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeManageVolumePrivilege
Token: SeBackupPrivilege
Token: SeCreatePagefilePrivilege
Token: SeShutdownPrivilege
Token: SeRestorePrivilege
Token: 33
Token: SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (1 IoCs)
pid 4984 NewX.vmp.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 4984 NewX.vmp.exe
pid 1956 LogonUI.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: BYPASSFIVEM.exe, NewX.exe
PID 4448 BYPASSFIVEM.exe wrote to memory of PID 4984 NewX.vmp.exe (2 events)
PID 4448 BYPASSFIVEM.exe wrote to memory of PID 868 NewX.exe (3 events)
PID 868 NewX.exe wrote to memory of PID 2120 ducservice.exe (3 events)
PID 4448 BYPASSFIVEM.exe wrote to memory of PID 3344 Server.exe (3 events)
Processes
(indentation shows the parent/child tree; each entry gives the image path, its command line, then the signatures that fired on it)

C:\Users\Admin\AppData\Local\Temp\BYPASSFIVEM.exe
  "C:\Users\Admin\AppData\Local\Temp\BYPASSFIVEM.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\ducservice.exe
          "C:\Users\Admin\AppData\Roaming\ducservice.exe"
          - Executes dropped EXE
          - Adds Run key to start application

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
      - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa399b055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.exe
Filesize: 18KB
MD5: 04e8a7b1a3a658cb5d8041542195075a
SHA1: 22bf6e551c2c0279d2d0bc41a68f378c71b2d8f0
SHA256: 0288572315915db261182f65784eb05ffdc4edb9774c88f68b085362dfad19b3
SHA512: 4082e953b0dc9be718283c0cb295bb218d1df5f15712f7a488f426f8b8e24ee1a2b67b30d80e52eba3bc5116b04589113c655ee92f4da73039dec325cbe13d0f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NewX.vmp.exe
Filesize: 10.1MB
MD5: 410912bf0fb6f35648644fe15f0db3fd
SHA1: 6e2d57b868372e22b318e79a2bd6da4c2902e75e
SHA256: e8220c82de5497eecd9b6a92210d6dbac2e1f0b17dc18ef81cbdafbd61a376da
SHA512: 9b3966a2300682f84d3fe41958943c3dbf2b73a8209ee749338a76bf60f240367fa185cb5c80570dca2d539c2e2c7546a462e2b72c3be2887e16253895841c1c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize: 93KB
MD5: fda77b550950991faf74d80e6ef7ed20
SHA1: 983abb7b99755fd927640927394ffeba9b7a958c
SHA256: bda9b19762eaa3c07bf6e1e4730644f94ef4b837a6d5e60b730ef88913e4dd29
SHA512: a12d17c808a9e5d39e2a5731b04c30208026df0eab902ebb2912c78ddf8a90b082edce773c5f13ba79dc51da36f5fb0ee33cccc645938d967caa815d508d487e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lua53-64.dll
Filesize: 528KB
MD5: b7c9f1e7e640f1a034be84af86970d45
SHA1: f795dc3d781b9578a96c92658b9f95806fc9bdde
SHA256: 6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff
SHA512: da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3

C:\Users\Admin\AppData\Local\Temp\{39D8FB89-7D81-4BA6-A552-C314F56ABC71}\ADDRESSES.TMP
Filesize: 37KB
MD5: d2d742f0546b927faabeda1e684ca0c3
SHA1: 95c6d1f339a46c1feebe2efbb69bc0891ad41f3a
SHA256: 372ef3aa04a2880b5e1afe99c22b2d7e23974f6e565f94192319b032b4422826
SHA512: dd533242be1a487ee8496b72ba1f27bd596eda0a788adad6270c3631be082557d6de24f07e95f9840886957107df1c5e359cf8f5d2e4f920f696a58e4b3a07db

C:\Users\Admin\AppData\Local\Temp\{39D8FB89-7D81-4BA6-A552-C314F56ABC71}\MEMORY.FIRST
Filesize: 18KB
MD5: a9c85774e694145d8ae0b76a7172cab9
SHA1: b04c5e62e7ae824da0b3ec8d56c753d7d5d64f79
SHA256: 504fdb8f653bb0dbe3710228a912080876da9bbd2236d788fa4a20a3b061397d
SHA512: 41977aeea8d591022f7983669b15685a82cb3db039b5ca0d8ce97e30cdd79b8e0617032e212068ebfb4084510af49657f25ecfc0dce444068be284ff32fa21db

Memory dumps
memory/868-90-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
memory/868-81-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
memory/2120-93-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
memory/4984-23-0x00007FFEB2B30000-0x00007FFEB2B32000-memory.dmp (Filesize: 8KB)
memory/4984-28-0x0000000000400000-0x00000000020DA000-memory.dmp (Filesize: 28.9MB)
memory/4984-27-0x00007FFEB2D90000-0x00007FFEB2D92000-memory.dmp (Filesize: 8KB)
memory/4984-26-0x00007FFEB0930000-0x00007FFEB0932000-memory.dmp (Filesize: 8KB)
memory/4984-43-0x0000000007B60000-0x0000000007BE3000-memory.dmp (Filesize: 524KB)
memory/4984-25-0x00007FFEB0920000-0x00007FFEB0922000-memory.dmp (Filesize: 8KB)
memory/4984-24-0x00007FFEB2B40000-0x00007FFEB2B42000-memory.dmp (Filesize: 8KB)
memory/4984-64-0x00000000013A6000-0x00000000016C5000-memory.dmp (Filesize: 3.1MB)
memory/4984-78-0x0000000007B60000-0x0000000007BE3000-memory.dmp (Filesize: 524KB)
memory/4984-79-0x00000000013A6000-0x00000000016C5000-memory.dmp (Filesize: 3.1MB)
memory/4984-22-0x00007FFEB2D80000-0x00007FFEB2D82000-memory.dmp (Filesize: 8KB)
memory/4984-21-0x00007FFEB2D70000-0x00007FFEB2D72000-memory.dmp (Filesize: 8KB)
memory/4984-20-0x00000000013A6000-0x00000000016C5000-memory.dmp (Filesize: 3.1MB)