Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
07/07/2023, 04:24
Static task
static1
General
-
Target
CheatoSpoofer (1).exe
-
Size
32.3MB
-
MD5
7a8f3ff6b456e153499088a103d51145
-
SHA1
30f1fc37c25cd368594c0b8c9e416b3c5ed31d6f
-
SHA256
93d8134fa11201cecedac89d6c6af96afa83783aebf347ea3f6aefc925df8ceb
-
SHA512
e295568d314d88355ca1d681602ea00ac3419d3f583e6773eae74d6fd1eaa16789b01af8e35d4af9941ff57055d688d153bf9b2c14ffb8961c5359f2a11e31f0
-
SSDEEP
786432:BYMfV94+jxjRtMCKIvIGviTq1LZw2OhEyKYEVwSppnu:BYAVRxNWuQGviU1JzyKFV/
Malware Config
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SYSTEM\ControlSet001\Services\VBoxVideo | CheatoSpoofer (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | CheatoSpoofer (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | CheatoSpoofer (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | CheatoSpoofer (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SYSTEM\ControlSet001\Services\VBoxSF | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SYSTEM\ControlSet001\Services\VBoxGuest | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SYSTEM\ControlSet001\Services\VBoxMouse | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SYSTEM\ControlSet001\Services\VBoxService | CheatoSpoofer (1).exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\HARDWARE\ACPI\DSDT\VBOX__ | CheatoSpoofer (1).exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\HARDWARE\ACPI\FADT\VBOX__ | CheatoSpoofer (1).exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\HARDWARE\ACPI\RSDT\VBOX__ | CheatoSpoofer (1).exe
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Oracle\VirtualBox Guest Additions | CheatoSpoofer (1).exe
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\VMware, Inc.\VMware Tools | CheatoSpoofer (1).exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CheatoSpoofer (1).exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CheatoSpoofer (1).exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wine | CheatoSpoofer (1).exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Wine | CheatoSpoofer (1).exe
-
Loads dropped DLL 1 IoCs
pid | Process
4512 | CheatoSpoofer (1).exe
-
Obfuscated with Agile.Net obfuscator 15 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/4512-134-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-135-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-137-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-139-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-138-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-140-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-141-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-142-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-144-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-145-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-160-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-168-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-179-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-186-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
behavioral1/memory/4512-194-0x0000000000D40000-0x00000000057D8000-memory.dmp | agile_net
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | CheatoSpoofer (1).exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | CheatoSpoofer (1).exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7CCADC42-76D6-46DA-BF2A-1A7632A74CA0}.catalogItem | svchost.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
4512 | CheatoSpoofer (1).exe
4512 | CheatoSpoofer (1).exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4512 | CheatoSpoofer (1).exe (64 identical entries)
-
Suspicious behavior: LoadsDriver 6 IoCs
pid | Process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
680 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeSystemEnvironmentPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeSecurityPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeTakeOwnershipPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeBackupPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeRestorePrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeShutdownPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeDebugPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeAuditPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeSystemEnvironmentPrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeManageVolumePrivilege | 4512 | CheatoSpoofer (1).exe
Token: SeImpersonatePrivilege | 4512 | CheatoSpoofer (1).exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer (1).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\CheatoSpoofer (1).exe"
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:3884
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4192
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
285KB
MD5 c204468635ab30602dea443c445e1821
SHA1 c1fa917a4604f956ef15bb53655d368c6b19d042
SHA256 7bdc755921404ec6bca532790460523873c3169091020f117ad3ee79d395b6f7
SHA512 d1558e916f31f19ab5a86f3b07aab951cb0fa2df14d5ec4f8f704b146a6e2b117c108bc68afce17859a2c81048cabb1b0510b0c43b45839dc4d82d3aea61dc5b
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82