6ad114ad60f41d215ff527cb5926fabf9c984c2b6295b9ed8ef6965697560ac3

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CheatEngine.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2148-14-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-22-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-21-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-20-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-19-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-18-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-23-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-266-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-269-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-273-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-271-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-261-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-289-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-288-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-294-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-296-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-297-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-298-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-300-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-302-0x0000000004610000-0x000000000481A000-memory.dmp	upx
behavioral1/memory/2148-311-0x0000000004610000-0x000000000481A000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\0F762626.log	CheatEngine.tmp

Executes dropped EXE 1 IoCs

pid	Process
2148	CheatEngine.tmp

Loads dropped DLL 2 IoCs

pid	Process
2060	CheatEngine.exe
2148	CheatEngine.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CheatEngine.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	CheatEngine.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	CheatEngine.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	CheatEngine.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	CheatEngine.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2148	CheatEngine.tmp
2148	CheatEngine.tmp
2148	CheatEngine.tmp
2148	CheatEngine.tmp
2148	CheatEngine.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2148	CheatEngine.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2148	CheatEngine.tmp
2148	CheatEngine.tmp
2148	CheatEngine.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28
PID 2060 wrote to memory of 2148	2060	CheatEngine.exe	28

C:\Users\Admin\AppData\Local\Temp\CheatEngine.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\is-IBB8A.tmp\CheatEngine.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IBB8A.tmp\CheatEngine.tmp" /SL5="$80022,14342329,121344,C:\Users\Admin\AppData\Local\Temp\CheatEngine.exe"
  2⤵
  - Checks BIOS information in registry
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

3

System Information Discovery

4

Lateral Movement

Collection

Data from Local System