7f058cfc5bcd03da3014a0b1283c30b330b33b90cd3d18ea2034d89d75c87973

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff729a55815119aee404b13890dd32b1.exe
Size

4.7MB
MD5

ff729a55815119aee404b13890dd32b1
SHA1

e54929cc3b819e4827b235c83a4391c4486b9741
SHA256

7f058cfc5bcd03da3014a0b1283c30b330b33b90cd3d18ea2034d89d75c87973
SHA512

53e7ce61529a2df327bb083f6c6e33ec8e4136e0d027e0d14c0b07e7d8c658799ffeed0350007d53f57ee0709ac29793a4119a27530dafdf124c650bfb9a78ca
SSDEEP

49152:dW2V9THnvlq+kmRHPxqw1BWyhHSvJe7vr+0mgtJkGZ1wG9WIxKr2iQnro09xdGeQ:jlv8g9OhOvq0mgtJk7VO04Qq3UI8L00

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\drivers\pk.bin	Cheat Engine.exe
File created	C:\WINDOWS\SysWOW64\drivers\pk.bin	rinst.exe
File created	C:\WINDOWS\SysWOW64\drivers\Cheat Engine.exe	rinst.exe
File created	C:\WINDOWS\SysWOW64\drivers\Cheat Enginehk.dll	rinst.exe
File created	C:\WINDOWS\SysWOW64\drivers\inst.dat	rinst.exe
File created	C:\WINDOWS\SysWOW64\drivers\rinst.exe	rinst.exe

Executes dropped EXE 4 IoCs

pid	Process
2932	rinst.exe
1184	CheatEngine561.exe
2780	Cheat Engine.exe
2560	CheatEngine561.tmp

Loads dropped DLL 21 IoCs

pid	Process
2916	ff729a55815119aee404b13890dd32b1.exe
2916	ff729a55815119aee404b13890dd32b1.exe
2932	rinst.exe
2932	rinst.exe
2932	rinst.exe
2932	rinst.exe
1184	CheatEngine561.exe
1184	CheatEngine561.exe
2932	rinst.exe
2932	rinst.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
1184	CheatEngine561.exe
2780	Cheat Engine.exe
2560	CheatEngine561.tmp
1184	CheatEngine561.exe
2560	CheatEngine561.tmp
2560	CheatEngine561.tmp
2916	ff729a55815119aee404b13890dd32b1.exe
2560	CheatEngine561.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cheat Engine = "C:\\WINDOWS\\SysWOW64\\drivers\\Cheat Engine.exe"	Cheat Engine.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	rinst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2560	CheatEngine561.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2780	Cheat Engine.exe
2780	Cheat Engine.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe
2780	Cheat Engine.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2916 wrote to memory of 2932	2916	ff729a55815119aee404b13890dd32b1.exe	28
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 1184	2932	rinst.exe	31
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 2932 wrote to memory of 2780	2932	rinst.exe	30
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29
PID 1184 wrote to memory of 2560	1184	CheatEngine561.exe	29

C:\Users\Admin\AppData\Local\Temp\ff729a55815119aee404b13890dd32b1.exe
"C:\Users\Admin\AppData\Local\Temp\ff729a55815119aee404b13890dd32b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\WINDOWS\SysWOW64\drivers\Cheat Engine.exe
    "C:\WINDOWS\system32\drivers\Cheat Engine.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine561.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine561.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1184

C:\Users\Admin\AppData\Local\Temp\is-C1282.tmp\CheatEngine561.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C1282.tmp\CheatEngine561.tmp" /SL5="$A0122,4409825,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine561.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Cheat Engine.exe

Filesize
382KB

MD5
44718bb6b7c2d8cb5cd16332c224b6ac

SHA1
b59fecb2182422972807d6059ba5f92cec24be2d

SHA256
db2e7f57af8cb1c95813ff6858175a22a28b56bce3b9e1a23bc83ce2a85b4ab5

SHA512
fe39659ea143e6c25b52f92fc5857c52eda4f4d1438f837c517bd6fe324b86d655ab0459f4e6043aa43ebd37c8ca59bf96395ebedf1acc9bf84e3a39ddb9d417

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Cheat Enginehk.dll

Filesize
21KB

MD5
ea009d3e184ac6663c2c8eab73fed5a2

SHA1
d95a671d875e4051609c8a38201c114efb0ea4fe

SHA256
ed5d36f76cc8aefef90aad49d8c1c3398bd6d8086df84dfa600bb3cc4d5761c5

SHA512
ac1e906489aeedffe97d71eb25461c58f98ac709991c4170d1878311231e3ea7aa1e179a2b5be27ffee017ca12406d8bac3393148d16f65d480e9083ca170cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine561.exe

Filesize
146KB

MD5
6f9819b1cb402a0943524a06842aac44

SHA1
3c728d4ec1e6263796410918571ca8eb0d6d9c38

SHA256
d01909a63a7e98ea4c77ad2449d2f36c733addb83bfab6ad43e4411ce2e7c520

SHA512
d11a004d77331f9bf102bd34f5f29de3d366da04d40615bb9944c5e9a662d27a2f69ed43440798978f28b5e767f69f2c24d5082f17b50a87e438a788746aa787

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine561.exe

Filesize
1.4MB

MD5
24cc4aa7ae3408c76bc57f4bcbe8b0f6

SHA1
853a2b35bbe571e074d2095a848dbddb6ade6fc6

SHA256
910f3b3052f988ce62ba662b9ab63c4196010236e1ee6a79eaf914df8b7c87c9

SHA512
6ba738f6eab64d710e3a2435fb9c503371298cd27ee38bf5796b3e090fc49a47213813b9f878baf7c10050f5dd44e9a2162aa7f5fd1a1f1a09086b6158a498a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
30213646b0ebdf0af572f99c20de034a

SHA1
b5834b37df09f40ab0aa7c05a6b2c46894959f98

SHA256
de69f862037a69d1d49fd1a4ce7d98d5988d7f821e0dece7a57da16fcddb6b50

SHA512
d8333ce940385362ecfbd6df2d199ab4a1f65041e9dd89c8bac46c7c64212f2962778b076db3abc2b9751490a0206063e40f8c037436ba0a8d31fdbdac919b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
8993693a5c79656c4011869b60b9b773

SHA1
8f14d708e573aec5c8faa17523cc0d6520ea80cd

SHA256
c204754a48305922909dda9b519edaea534b350923accce8ccdadfeef3de183d

SHA512
1d6888a0a54071dc46bb387a653fdaaa951e2f0913c528e79579607602c3ca7766b1665303af4492d6e9aed37fd2fc8c1e0f528cbcbb849b7a2761ecfe059429

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\CheatEngine561.exe

Filesize
98KB

MD5
237bc14c583ca5f62217044ce521d1d2

SHA1
06e9ddd2c3cf2148281baa51cacbd356ff1b3b4b

SHA256
d99d6b64afcc8a66c7c975444ac7da15b451b47b25633424e2bf0ba86f8d2ff4

SHA512
a449948489adf2d529c2bf5df81c2ed95ad563ddac1d325fbf73f4bc411c888b1378838a04b17dddaa89d16223bc612b801f520a38264315e22cd524c3d588d7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
\Windows\SysWOW64\drivers\Cheat Engine.exe

Filesize
92KB

MD5
24117e63e3916b0558b47c4b77b961db

SHA1
f89dca2d72480c21eb71072e52131703193fe408

SHA256
0b9929145d9362d70221c02d1cd2a49b43c5a2cafe6cb4993d63184b6aac9a57

SHA512
e28b0c8a7a409a760c805087519130f7ab19eb4a467bd431ca2f4b735e33ed39199cd75d0f9197e9e7a066eb5c6fd3eb9af94dd1f46ccb6010fb39199f4aad4d

Download Submit
memory/1184-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1184-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1184-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2560-77-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2560-85-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2560-87-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2916-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2916-82-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download