75f32ab1a2e666ca53d9d8e3d9d6d7e64ee068aa92af66bdd1e4f6527e83e1ec

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

3.1MB
MD5

96d1196bd8e52d9889656b2960a27e5b
SHA1

75b17106b9aa54ccea7583c8339b81993f27e69e
SHA256

75f32ab1a2e666ca53d9d8e3d9d6d7e64ee068aa92af66bdd1e4f6527e83e1ec
SHA512

a2dac9e62934a6bc23fc7dd420e6856f222afe069f2030521860e7d991f9f3395f5c10b2f32f65d326ec91bbd451c4e0772711c96d5b5f742748560d88f2c094
SSDEEP

49152:ZBuZrEU+43YpVog43YpVog43YpVoWgV+ZSA9ty/uzyG4EU+T9j6pjIMGFTKakR:vkL+4opH4opH4opIU9tNz939aEbJcR

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp

Executes dropped EXE 1 IoCs

pid	Process
3920	CheatEngine75.tmp

Loads dropped DLL 1 IoCs

pid	Process
3920	CheatEngine75.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp
3920	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3920	4132	CheatEngine75.exe	85
PID 4132 wrote to memory of 3920	4132	CheatEngine75.exe	85
PID 4132 wrote to memory of 3920	4132	CheatEngine75.exe	85

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\is-T8MCO.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T8MCO.tmp\CheatEngine75.tmp" /SL5="$11005E,2349502,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-IVG20.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVG20.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T8MCO.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
2dbb23c62848635c596fa85ba7dee128

SHA1
dcdbf91651828fe5834fed03e3416920efa690e3

SHA256
296df81ad382686280652e45750ab5d9c0c35d4b308265fe5ff039017b7345a3

SHA512
0710c2205ec00b361b9aa66ce332e892532560e8f92c69aac0c97d5e6750bc6c92315bc2804e9e546f6bf42f1bf3fcdc8e4496be375c6f4cf04a1e7d80d8c6e8

Download Submit
memory/3920-5-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3920-24-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3920-25-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3920-27-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3920-30-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3920-33-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/4132-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4132-26-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download