Overview

overview

9

Static

static

1

CheatEngine75.exe

windows7-x64

8

CheatEngine75.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CheatEngine75.exe

  • Size

    28.6MB

  • Sample

    230621-xxpd2scc5y

  • MD5

    a4b99286d19825f642183f3e78782513

  • SHA1

    3a13275632f09a763200b7d453c164d2887f5795

  • SHA256

    3bc3a26ab7f5f0b02c5175ba04514a5344804f6c886fdd3ea1f1f9d317ee7a40

  • SHA512

    e51ba67f7c462ae1b755a879b7d3ec70e302159fc3d08fd6b843075e5c5d3ab1a49a9bcf59773cac6c041152e77dd11c75374f0b8a15cab92e85d0771d85c6b9

  • SSDEEP

    786432:uCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHiO:nEXFhV0KAcNjxAItjiO

Score
9/10
bootkitcoreentitydiscoveryevasionpersistencespywarestealer

Malware Config

Targets

    • Target

      CheatEngine75.exe

    • Size

      28.6MB

    • MD5

      a4b99286d19825f642183f3e78782513

    • SHA1

      3a13275632f09a763200b7d453c164d2887f5795

    • SHA256

      3bc3a26ab7f5f0b02c5175ba04514a5344804f6c886fdd3ea1f1f9d317ee7a40

    • SHA512

      e51ba67f7c462ae1b755a879b7d3ec70e302159fc3d08fd6b843075e5c5d3ab1a49a9bcf59773cac6c041152e77dd11c75374f0b8a15cab92e85d0771d85c6b9

    • SSDEEP

      786432:uCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHiO:nEXFhV0KAcNjxAItjiO

    Score
    9/10
    bootkitdiscoveryevasionpersistencespywarestealercoreentity

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Registry Run Keys / Startup Folder

3
T1060

Modify Existing Service

1
T1031

Bootkit

1
T1067

Privilege Escalation

New Service

1
T1050

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

6
T1012

System Information Discovery

5
T1082

Security Software Discovery

1
T1063

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks