b7774c14e3eadad6478acc4c212ae287bb9ff94074336b9af4abc352aed47df3

General

Target

b7774c14e3eadad6478acc4c212ae287bb9ff94074336b9af4abc352aed47df3.dll
Size

1.7MB
MD5

2c737e1f8afbee11780571cfe7de8718
SHA1

09306da5fafb58f552f69d2e85b8d1d5660aa440
SHA256

b7774c14e3eadad6478acc4c212ae287bb9ff94074336b9af4abc352aed47df3
SHA512

b8faeba6ee8a29f5e34c7531e23aaff2ce06e3455f9208d1c262b94ae4179b4cb042ac1b02970229131c6f3900ccc1a3c12f27d48d7229d4411d234eaf9010be
SSDEEP

49152:429SN/b+P8u0RA3TI7vBvOENgavOjwcmX2:bO/ba8uU+k26lGwca

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003200000001530f-14.dat	acprotect
behavioral1/files/0x003200000001530f-13.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2164	CheatEngine5.6.1.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	rundll32.exe
2164	CheatEngine5.6.1.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-0-0x0000000010000000-0x000000001027F000-memory.dmp	upx
behavioral1/memory/2116-1-0x0000000010000000-0x000000001027F000-memory.dmp	upx
behavioral1/memory/2116-2-0x0000000010000000-0x000000001027F000-memory.dmp	upx
behavioral1/memory/2116-7-0x0000000010000000-0x000000001027F000-memory.dmp	upx
behavioral1/files/0x000b00000001494f-9.dat	upx
behavioral1/files/0x000b00000001494f-5.dat	upx
behavioral1/memory/2164-11-0x0000000000400000-0x0000000000768000-memory.dmp	upx
behavioral1/files/0x003200000001530f-14.dat	upx
behavioral1/files/0x003200000001530f-13.dat	upx
behavioral1/memory/2164-15-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/2164-18-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/2164-17-0x0000000000400000-0x0000000000768000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CheatEngine\CheatEngine5.6.1.exe	rundll32.exe
File created	C:\Windows\SysWOW64\CheatEngine\ucc12.dll	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2164	CheatEngine5.6.1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	CheatEngine5.6.1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	CheatEngine5.6.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2116	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2176 wrote to memory of 2116	2176	rundll32.exe	28
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7774c14e3eadad6478acc4c212ae287bb9ff94074336b9af4abc352aed47df3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7774c14e3eadad6478acc4c212ae287bb9ff94074336b9af4abc352aed47df3.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\CheatEngine\CheatEngine5.6.1.exe
    C:\Windows\SysWOW64\CheatEngine\CheatEngine5.6.1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CheatEngine\CheatEngine5.6.1.exe

Filesize
302KB

MD5
3decc4868ff764e3df8fbffbfe3d7335

SHA1
93bfa95d527e71314a3a7803a11175653ced8af0

SHA256
b00b8e0f52111c7781239d766b3f16912c66371f5d75c2804be1df315b4c7b11

SHA512
7aa3ed710ae390f5964af5459d992c3ad4a913cfae405c954f43ef0fa137d32af1070c40cd1214496a91bc671c699826bfdf933e21cb683337f3fe3fd6e35d8b

Download Submit
C:\Windows\SysWOW64\CheatEngine\ucc12.dll

Filesize
161KB

MD5
8204dad0ed5b9e0d32cb5f43b241cf21

SHA1
6834dab2a5865234a856f760a39cd98852968baa

SHA256
83c5793a7bd356adf5a15bba4618249c5b14bf3bb58e56f8dd2949dc35d26429

SHA512
801555ba8a10628cb0436b652f293c4f22985c302644bd55347ea054f1416257a204459b634af878374eac4da6ca6c07d402abb289bcfdfa26875146c30c5463

Download Submit
\Windows\SysWOW64\CheatEngine\CheatEngine5.6.1.exe

Filesize
386KB

MD5
76d815775f0adddf071afdacae1bf536

SHA1
613055307fcc5b22e7a20a30d417c9cd5e31e714

SHA256
5454fa7859421e0b3239106bc1c3495b6bbad5cd04420aa3c06c7f26d850bec1

SHA512
090d475f71c440443888329d8bd37d337d490d7977c3e44bfee465b260aa3648561be65aa117c132b585493cf1ffe8d20463f12ef53371d64e36a447353ede39

Download Submit
\Windows\SysWOW64\CheatEngine\ucc12.dll

Filesize
33KB

MD5
f409597f4082167b062b39c238cbe1b9

SHA1
e6a235b71c6009b958189aadab360698d5ff97fd

SHA256
45cf64e4bb02eba0f05d8867daa8d7f6fa8704c16558d87f051faa8ae5573a44

SHA512
2c66d275f5f211d3a8df7a0de0ef2fa7dbfef27d9966f6cf27dcdb667c89b11a5291ea43ded5a3ef02371b5cd0abe82fdbb10989918884488d973640a8b4a528

Download Submit
memory/2116-1-0x0000000010000000-0x000000001027F000-memory.dmp

Filesize
2.5MB

Download
memory/2116-2-0x0000000010000000-0x000000001027F000-memory.dmp

Filesize
2.5MB

Download
memory/2116-7-0x0000000010000000-0x000000001027F000-memory.dmp

Filesize
2.5MB

Download
memory/2116-10-0x0000000002170000-0x00000000024D8000-memory.dmp

Filesize
3.4MB

Download
memory/2116-0-0x0000000010000000-0x000000001027F000-memory.dmp

Filesize
2.5MB

Download
memory/2164-11-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2164-12-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2164-15-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/2164-16-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2164-18-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/2164-17-0x0000000000400000-0x0000000000768000-memory.dmp

Filesize
3.4MB

Download
memory/2164-21-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2164-22-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing