Analysis
  max time kernel: 31s
  max time network: 121s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/07/2023, 01:32

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe
  Resource: win10v2004-20230703-en

General
  Target: https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe
Malware Config

Signatures

Downloads MZ/PE file
Obfuscated with Agile.Net obfuscator (9 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/1936-234-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-235-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-237-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-238-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-239-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-240-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-241-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-258-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
  behavioral1/memory/1936-295-0x0000000000020000-0x0000000004AB8000-memory.dmp | agile_net
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | firefox.exe
NTFS ADS (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\Downloads\CheatoSpoofer (1).exe:Zone.Identifier | firefox.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2148 | firefox.exe
  Token: SeDebugPrivilege | 2148 | firefox.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  2148 | firefox.exe  (4 identical rows)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2148 | firefox.exe  (3 identical rows)
Suspicious use of SetWindowsHookEx (16 IoCs)
  pid | Process
  2148 | firefox.exe  (16 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 532 wrote to memory of 2148 | 532 | firefox.exe | 78  (11 identical rows)
  PID 2148 wrote to memory of 3444 | 2148 | firefox.exe | 84  (2 identical rows)
  PID 2148 wrote to memory of 1228 | 2148 | firefox.exe | 85  (48 identical rows)
  PID 2148 wrote to memory of 1652 | 2148 | firefox.exe | 87  (3 identical rows)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child relationship in the process tree)

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe
  PID: 532
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://cdn-149.anonfiles.com/1cGdF404z5/29fac58e-1688694036/CheatoSpoofer+%281%29.exe
    PID: 2148
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.0.1153886493\262154526" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {217cdb80-25f9-4c37-96fc-355ba446a8e4} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1900 2aa7e1f4558 gpu
      PID: 3444

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.1.2023154776\617311605" -parentBuildID 20221007134813 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a41f6a0a-e23e-467b-9bbf-63e2cc97e0a1} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 2324 2aa7dfef858 socket
      PID: 1228

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.2.651907342\1235248079" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8890e3a8-39fd-4d41-9136-9e99d70d4ffe} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3208 2aa0515b258 tab
      PID: 1652

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.3.1305506267\1852570394" -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a85d04ab-d598-41ab-8927-0b1ef7319a9c} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3744 2aa74062b58 tab
      PID: 3732

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.5.645304820\1776970994" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 5084 -prefsLen 26792 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fbe81d9-5dfc-4a6e-9977-854082062f38} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 5112 2aa07cfa458 tab
      PID: 1852

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.6.1714641526\1000667650" -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5380 -prefsLen 26792 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e350b9-87af-4a1e-950b-8c948a8015f1} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 5392 2aa07cfc858 tab
      PID: 2956

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.4.139759688\1050545560" -childID 3 -isForBrowser -prefsHandle 4988 -prefMapHandle 4944 -prefsLen 26792 -prefMapSize 232675 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {220cfade-72b4-4320-804f-53ccc1781a30} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 4984 2aa06fce658 tab
      PID: 1712

    C:\Users\Admin\Downloads\CheatoSpoofer (1).exe
      Command line: "C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"
      PID: 1936

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 640

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe
  Command line: "C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"
  PID: 4784

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe
  Command line: "C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"
  PID: 4076

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe
  Command line: "C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"
  PID: 3192

C:\Users\Admin\Downloads\CheatoSpoofer (1).exe
  Command line: "C:\Users\Admin\Downloads\CheatoSpoofer (1).exe"
  PID: 4040
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 144KB
  MD5: 31b7c3fb6361d88e435e376adda1817a
  SHA1: 556ce5c0743c217b419b07991fb548b4e954fda6
  SHA256: 08643c35769145def3d9103fb2353006a219eaa38b5645e486afd75ba276add2
  SHA512: 41b707819a4c70bdab8ccd44923307db6c009dc050f45334171af119ed69d757cb0df0290dec78bb116e9e7827ae111b25d3a43429a19f7975ce163377b51fe5

  Filesize: 36B
  MD5: 29845d59cd3662e6c326388537faa1b6
  SHA1: 8de70e64a6d92e675ac02fc2b1821bd8b0bee293
  SHA256: f9fdd4b9d2cd039da33f86197714c8367fb7c3ed8c4703bd54d9249d45cf0cfb
  SHA512: a9ba7076a906f8d4a9d90b6ba0c45e58f63f4834dbccc023a0b31a46a99c5551a857e8c1fd95dcf0c3c2c6147cd596083f782eb71b5abc49c645546e8bb98d33

  (3 entries in the report with identical hashes)
  Filesize: 285KB
  MD5: c204468635ab30602dea443c445e1821
  SHA1: c1fa917a4604f956ef15bb53655d368c6b19d042
  SHA256: 7bdc755921404ec6bca532790460523873c3169091020f117ad3ee79d395b6f7
  SHA512: d1558e916f31f19ab5a86f3b07aab951cb0fa2df14d5ec4f8f704b146a6e2b117c108bc68afce17859a2c81048cabb1b0510b0c43b45839dc4d82d3aea61dc5b

  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize: 7KB
  MD5: 55569f0b3622a2080c20c49aca1c4b50
  SHA1: f7e5d8361a4903bde0cb98299a8e83eee1d6c2a1
  SHA256: e62fbab5e0ff02b0e881bfd57edfa76ec58fab8593dcec81b78a66e633adeeab
  SHA512: ba49428ffbc582092296bbff9ac426e1460bd5a1d1f3472c99c470faecf6c1acd6299383759c0df5b5d9bc49ab9afe057884370049f0b1efb5beb29cd277a7a6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 995B
  MD5: 5873cb1a1ce86b2417b6bc3fa82f9ee7
  SHA1: 7a65a2c8e866deba6434685b330e9c569d7eea62
  SHA256: 560cad195cffbb88fb19fdc7f40568eb6e7399400247c7822b6b939eec0332b5
  SHA512: a287bbae6167daab2698a0d0791eca92e8b289ec6ef95f7c2d6dae7565a179db8b8ad4fd0f1ad29eebc79910e8658aeea1e1bc1ba0b8339a2c24c567a6c83ca9

  (5 entries in the report with identical hashes)
  Filesize: 32.3MB
  MD5: 7a8f3ff6b456e153499088a103d51145
  SHA1: 30f1fc37c25cd368594c0b8c9e416b3c5ed31d6f
  SHA256: 93d8134fa11201cecedac89d6c6af96afa83783aebf347ea3f6aefc925df8ceb
  SHA512: e295568d314d88355ca1d681602ea00ac3419d3f583e6773eae74d6fd1eaa16789b01af8e35d4af9941ff57055d688d153bf9b2c14ffb8961c5359f2a11e31f0

  Filesize: 13.1MB
  MD5: 0692448466594d10f84490009e73a706
  SHA1: 6bfe4505000415101d0b18493e838a5d49c71c12
  SHA256: a798a83c8ae0be8ab97bf0d8b2506e601e097e0000da7d0c5ef2a37fbeeb3f59
  SHA512: 71b30e432db9a3ce23c9dc271612f3a4c7ea979da2ea33590eb14e5ce4c3aa33d12950b53ea0f3a4bbe4e88b7001ca2c89fb4834f7b77899e37c2dddec2a92e6

  Filesize: 11.0MB
  MD5: 5bc93051f48078c9907df4b93acaf02b
  SHA1: e27737a3f96c400d7f36eeb6fa4a6a4db5d7d1ca
  SHA256: 300d54dd518702822828f3b026c24cf02d5c40ba7901288737f38a4b1f434701
  SHA512: 7950900af78ba782ad7319e8c9e1129c9d7009b051386bdbdd52e7d506cf15a8d886102383321376ea2d9100ccad7f52040e163e292a1577a4bb7915ca48feea