9f498954b628b7cd9989a4ee2339601cfcbb58c8a32bfa2d0c8bc2adbd1d90ae

General

Target

cheat-engine.exe
Size

11.5MB
MD5

a1bf011028db014edabdd7783c1ae34a
SHA1

0818be9df711ceb94ccc721f89e8b6fba72d8109
SHA256

9f498954b628b7cd9989a4ee2339601cfcbb58c8a32bfa2d0c8bc2adbd1d90ae
SHA512

60421be866298e335b9f590bc04a9d52a71c49b7c6cf3e5a1a1e22a3ec406c009a78fcb3b35718c76a85a5177fb04785f96026ded43bc4a045c69808a0ba8dbd
SSDEEP

196608:yZ9bHrsNbpUGJJ177vcsCQypVRUBSCwBpvvDMs4VMY0I+RSIxBauMTTArar:yZ9bLsgGV3TCdpV6BPCpDMfXEEuNar

Score

7^/10

evasion spyware stealer trojan upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cheat-engine.tmp

Executes dropped EXE 1 IoCs

pid	Process
4112	cheat-engine.tmp

Loads dropped DLL 2 IoCs

pid	Process
4112	cheat-engine.tmp
4112	cheat-engine.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4112-135-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-138-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-139-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-140-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-142-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-380-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-385-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-388-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-403-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-405-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-407-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-409-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-412-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-417-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-420-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx
behavioral1/memory/4112-422-0x0000000004CA0000-0x0000000004E33000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cheat-engine.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\0E566806.log	cheat-engine.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cheat-engine.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	cheat-engine.tmp
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	cheat-engine.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cheat-engine.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	cheat-engine.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	cheat-engine.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	cheat-engine.tmp

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	cheat-engine.tmp
Token: SeCreatePagefilePrivilege	4112	cheat-engine.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4112	cheat-engine.tmp
4112	cheat-engine.tmp
4112	cheat-engine.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4112	4108	cheat-engine.exe	66
PID 4108 wrote to memory of 4112	4108	cheat-engine.exe	66
PID 4108 wrote to memory of 4112	4108	cheat-engine.exe	66

C:\Users\Admin\AppData\Local\Temp\cheat-engine.exe
"C:\Users\Admin\AppData\Local\Temp\cheat-engine.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\is-MQJ85.tmp\cheat-engine.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MQJ85.tmp\cheat-engine.tmp" /SL5="$70050,11742384,56832,C:\Users\Admin\AppData\Local\Temp\cheat-engine.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-MQJ85.tmp\CHEAT-~1.TMP

Filesize
706KB

MD5
e8a6c959f39a4c5cc3f4b966c9f25500

SHA1
bba531475ae82c8025fb12146ead5e51bbae9fe6

SHA256
6bbee346e660e1f719e26b84805876f5218543e7827681f8988619bc5d360acc

SHA512
e9d0602e9c7de85ce818cbeb3272a552481a1abc61f92afc9f2d94e76c4de1e1e893157bb23b3849f53a37ac39854a9fe399f7758e08454f4a166ec418bd40a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MQJ85.tmp\cheat-engine.tmp

Filesize
706KB

MD5
e8a6c959f39a4c5cc3f4b966c9f25500

SHA1
bba531475ae82c8025fb12146ead5e51bbae9fe6

SHA256
6bbee346e660e1f719e26b84805876f5218543e7827681f8988619bc5d360acc

SHA512
e9d0602e9c7de85ce818cbeb3272a552481a1abc61f92afc9f2d94e76c4de1e1e893157bb23b3849f53a37ac39854a9fe399f7758e08454f4a166ec418bd40a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2405415783323\bootstrap_47375.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2405415783323\css\main.css

Filesize
6KB

MD5
9b27e2a266fe15a3aabfe635c29e8923

SHA1
403afe68c7ee99698c0e8873ce1cd424b503c4c8

SHA256
166aa42bc5216c5791388847ae114ec0671a0d97b9952d14f29419b8be3fb23f

SHA512
4b07c11db91ce5750d81959c7b2c278ed41bb64c1d1aa29da87344c5177b8eb82d7d710b426f401b069fd05062395655d985ca031489544cdf9b72fe533afa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2405415783323\css\sdk-ui\progress-bar.css

Filesize
506B

MD5
5335f1c12201b5f7cf5f8b4f5692e3d1

SHA1
13807a10369f7ff9ab3f9aba18135bccb98bec2d

SHA256
974cd89e64bdaa85bf36ed2a50af266d245d781a8139f5b45d7c55a0b0841dda

SHA512
0d4e54d2ffe96ccf548097f7812e3608537b4dae9687816983fddfb73223c196159cc6a39fcdc000784c79b2ced878efbc7a5b5f6e057973bf25b128124510df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2405415783323\images\Loader.gif

Filesize
10KB

MD5
57ca1a2085d82f0574e3ef740b9a5ead

SHA1
2974f4bf37231205a256f2648189a461e74869c0

SHA256
476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e

SHA512
2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

Download Submit
\Users\Admin\AppData\Local\Temp\is-UEFQ4.tmp\uIYPbOBGHpFpY.dll

Filesize
885KB

MD5
406e12232c990226d6973582884b1f33

SHA1
bb325dfe5a350c15bc2f600e757dc033d676c78f

SHA256
3054a57b25f5162168fcfdc7cc939b1c8ac42ebd1aede2a69994b0f357a977f6

SHA512
d1c3d7a7f2a4d796678171da1fc79a66d7abe5f18e87c96503c6ed62a1ac75e2473a503c75c7067c2160af55b41f37848a0509128b3fcdca14e075cdc99d8b3b

Download Submit
\Users\Admin\AppData\Local\Temp\is-UEFQ4.tmp\uIYPbOBGHpFpY.dll

Filesize
885KB

MD5
406e12232c990226d6973582884b1f33

SHA1
bb325dfe5a350c15bc2f600e757dc033d676c78f

SHA256
3054a57b25f5162168fcfdc7cc939b1c8ac42ebd1aede2a69994b0f357a977f6

SHA512
d1c3d7a7f2a4d796678171da1fc79a66d7abe5f18e87c96503c6ed62a1ac75e2473a503c75c7067c2160af55b41f37848a0509128b3fcdca14e075cdc99d8b3b

Download Submit
memory/4108-414-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4108-119-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4112-139-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-409-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-380-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-141-0x00000000049A0000-0x0000000004A61000-memory.dmp

Filesize
772KB

Download
memory/4112-385-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-386-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4112-388-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-140-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-138-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-135-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-403-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-405-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-407-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-142-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-134-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4112-412-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-132-0x00000000047B0000-0x0000000004891000-memory.dmp

Filesize
900KB

Download
memory/4112-415-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4112-416-0x00000000047B0000-0x0000000004891000-memory.dmp

Filesize
900KB

Download
memory/4112-417-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-418-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4112-420-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-422-0x0000000004CA0000-0x0000000004E33000-memory.dmp

Filesize
1.6MB

Download
memory/4112-423-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4112-428-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads