11a1f0c071e43c99c5542df36b33d6204f23874070a2af65050125cf3e2d684b

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat Engine.exe
Size

459KB
MD5

bc28582086109675385f78332a5ff277
SHA1

45d9c5bfe5ae44c39402353a201dfd8c034d99b8
SHA256

11a1f0c071e43c99c5542df36b33d6204f23874070a2af65050125cf3e2d684b
SHA512

f35f5943f3ea776ad660799bfabc6f8c75736ba38ce5d69acbb9235e0ac5fba51e3469af19880f804b3351231ac743146356053943e33d2561602872aeb7e04c
SSDEEP

12288:zFUNDaPIBLMT7EgHRYGtUrdgugEnoSE55:zFOaPIBL4IgHR7tUrdgugEnoSE55

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
432	cheat engine.exe
4716	icsys.icn.exe
1068	explorer.exe
368	spoolsv.exe
4364	svchost.exe
228	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Cheat Engine.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
4716	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1068	explorer.exe
4364	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4156	Cheat Engine.exe
4156	Cheat Engine.exe
4716	icsys.icn.exe
4716	icsys.icn.exe
1068	explorer.exe
1068	explorer.exe
368	spoolsv.exe
368	spoolsv.exe
4364	svchost.exe
4364	svchost.exe
228	spoolsv.exe
228	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 432	4156	Cheat Engine.exe	85
PID 4156 wrote to memory of 432	4156	Cheat Engine.exe	85
PID 4156 wrote to memory of 432	4156	Cheat Engine.exe	85
PID 4156 wrote to memory of 4716	4156	Cheat Engine.exe	86
PID 4156 wrote to memory of 4716	4156	Cheat Engine.exe	86
PID 4156 wrote to memory of 4716	4156	Cheat Engine.exe	86
PID 4716 wrote to memory of 1068	4716	icsys.icn.exe	87
PID 4716 wrote to memory of 1068	4716	icsys.icn.exe	87
PID 4716 wrote to memory of 1068	4716	icsys.icn.exe	87
PID 1068 wrote to memory of 368	1068	explorer.exe	88
PID 1068 wrote to memory of 368	1068	explorer.exe	88
PID 1068 wrote to memory of 368	1068	explorer.exe	88
PID 368 wrote to memory of 4364	368	spoolsv.exe	89
PID 368 wrote to memory of 4364	368	spoolsv.exe	89
PID 368 wrote to memory of 4364	368	spoolsv.exe	89
PID 4364 wrote to memory of 228	4364	svchost.exe	90
PID 4364 wrote to memory of 228	4364	svchost.exe	90
PID 4364 wrote to memory of 228	4364	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\Cheat Engine.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Engine.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4156
- \??\c:\users\admin\appdata\local\temp\cheat engine.exe
  "c:\users\admin\appdata\local\temp\cheat engine.exe "
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4716
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:368
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cheat engine.exe

Filesize
324KB

MD5
c4ef55773278a688ae60e7eaa3570b3b

SHA1
5158aea6873c3fad3211b5e0d95b22102f546de0

SHA256
1b519a00b18d0639bad0274ac577032bba45ec7475e5701ca9d756d152ff1456

SHA512
3e12b9d818910697233238592bf24d4a6915731532a8bc34840bc299f899ab891f5990805e53c8bea6025c29e0f6984edbd2d03380dab4056a444e642ee8a288

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
fbbf68d416f85ecfb7d4105adeb5594d

SHA1
f9ef7c1037171a78b1ea52711a3c79a7e566addf

SHA256
c384690314a56634f340db77d83249fa3eee5546fe4930caafa8800f58b4cfd8

SHA512
144b01ffc59ea76f8eee250247f5f17a314d42214dad1316c39b2eb80ef3c04bfe8e4dd4a5762e2ac7c04ba82c08772c2b88d8501f23e9c69de7f7e7a77fc5c7

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
fbbf68d416f85ecfb7d4105adeb5594d

SHA1
f9ef7c1037171a78b1ea52711a3c79a7e566addf

SHA256
c384690314a56634f340db77d83249fa3eee5546fe4930caafa8800f58b4cfd8

SHA512
144b01ffc59ea76f8eee250247f5f17a314d42214dad1316c39b2eb80ef3c04bfe8e4dd4a5762e2ac7c04ba82c08772c2b88d8501f23e9c69de7f7e7a77fc5c7

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d15db04f299abe84215a758381406413

SHA1
f49cffa03a77d414a0f077178f376776d281a961

SHA256
987eb1303a52a2f4e27d8f51e328b84e96555a2fade87decd5f837ab06cade2b

SHA512
1e3fb80b6df92bf633938d6380c4799e7061bb8fefb7301c97bf1025abed83f6bbf78a6d420b1ce42ecf09fb3c549243ac681f191ade5ccd057d5ce207ccc683

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d15db04f299abe84215a758381406413

SHA1
f49cffa03a77d414a0f077178f376776d281a961

SHA256
987eb1303a52a2f4e27d8f51e328b84e96555a2fade87decd5f837ab06cade2b

SHA512
1e3fb80b6df92bf633938d6380c4799e7061bb8fefb7301c97bf1025abed83f6bbf78a6d420b1ce42ecf09fb3c549243ac681f191ade5ccd057d5ce207ccc683

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
98c5bd04e0f509b7f656ea8a828594fe

SHA1
f34e0ed22da6928d7fdbd36473a797409cfe7abc

SHA256
082af757d2e27aac69ac691f8d7c0733ba9a945998547b96e0cd136ea2f1d0fc

SHA512
0718342dfa3220f543ae87cd50af21d2725fec647b469a69e0f9a2d97cf669a8cfb01f7227da379464401f9752225b5cb464901eca3b532d5975137df8b26283

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
98c5bd04e0f509b7f656ea8a828594fe

SHA1
f34e0ed22da6928d7fdbd36473a797409cfe7abc

SHA256
082af757d2e27aac69ac691f8d7c0733ba9a945998547b96e0cd136ea2f1d0fc

SHA512
0718342dfa3220f543ae87cd50af21d2725fec647b469a69e0f9a2d97cf669a8cfb01f7227da379464401f9752225b5cb464901eca3b532d5975137df8b26283

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
505c9e9be2f4e9abeb4fc127facf990b

SHA1
1a626e324d5f874d9e597e337a2f5688744e8ce9

SHA256
f81d5861ca5af18586a84e1a68c3d08f580a2497b9a191683bd29b40fc175317

SHA512
d0fecce4d38363ae241532fac483bfeff843be423d748bfd3af9aaf0379ac997e51772b64e947f5754261076a68a1204796406163ed8f047fac14909cb2f4b4a

Download Submit
\??\c:\users\admin\appdata\local\temp\cheat engine.exe

Filesize
324KB

MD5
c4ef55773278a688ae60e7eaa3570b3b

SHA1
5158aea6873c3fad3211b5e0d95b22102f546de0

SHA256
1b519a00b18d0639bad0274ac577032bba45ec7475e5701ca9d756d152ff1456

SHA512
3e12b9d818910697233238592bf24d4a6915731532a8bc34840bc299f899ab891f5990805e53c8bea6025c29e0f6984edbd2d03380dab4056a444e642ee8a288

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
98c5bd04e0f509b7f656ea8a828594fe

SHA1
f34e0ed22da6928d7fdbd36473a797409cfe7abc

SHA256
082af757d2e27aac69ac691f8d7c0733ba9a945998547b96e0cd136ea2f1d0fc

SHA512
0718342dfa3220f543ae87cd50af21d2725fec647b469a69e0f9a2d97cf669a8cfb01f7227da379464401f9752225b5cb464901eca3b532d5975137df8b26283

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
505c9e9be2f4e9abeb4fc127facf990b

SHA1
1a626e324d5f874d9e597e337a2f5688744e8ce9

SHA256
f81d5861ca5af18586a84e1a68c3d08f580a2497b9a191683bd29b40fc175317

SHA512
d0fecce4d38363ae241532fac483bfeff843be423d748bfd3af9aaf0379ac997e51772b64e947f5754261076a68a1204796406163ed8f047fac14909cb2f4b4a

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
fbbf68d416f85ecfb7d4105adeb5594d

SHA1
f9ef7c1037171a78b1ea52711a3c79a7e566addf

SHA256
c384690314a56634f340db77d83249fa3eee5546fe4930caafa8800f58b4cfd8

SHA512
144b01ffc59ea76f8eee250247f5f17a314d42214dad1316c39b2eb80ef3c04bfe8e4dd4a5762e2ac7c04ba82c08772c2b88d8501f23e9c69de7f7e7a77fc5c7

Download Submit
memory/228-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4364-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download