0e24b8e9026309ce107cc22c3e37d189b3491a500c0282e029da324733772051

Analysis

max time kernel
146s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatMaker.exe
Size

977KB
MD5

2ecb96153091d32afcb7d8db660d9997
SHA1

3717e06780aa1592ede71d4d8d898b75b22662ea
SHA256

00dd0b3169a1b61dcef889a41a37fceb0aa3e18db5a1ae538424f4a60a5b258f
SHA512

1bff0830390759ad6d6bdc1d50188b13ed7c75a9f28f9e2e0cb4a808856013b805081155b5487282b1974afbab680f6075d32585a9b0aedc18806d3b6f49a01b
SSDEEP

24576:Ss2ZDpE4pEEuuyLIr82LXIP5e1c6ufg5pzvMS0nlqMCFQ:t0Dj5kU10PU1c6ufipX00FQ

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process
3668	4896	WerFault.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\open	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\print\command	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEATM~1.EXE /dde"	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmf\ShellNew	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEATM~1.EXE,1"	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\open\ddeexec	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\print\ddeexec	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\print\ddeexec\ = "[print(\"%1\")]"	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\DefaultIcon	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\open\ddeexec\ = "[open(\"%1\")]"	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\printto\ddeexec	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\open\command	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEATM~1.EXE /dde"	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\printto	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\printto\command	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmf	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmf\ShellNew\NullFile	CheatMaker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmf\ShellNew	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEATM~1.EXE /dde"	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmf\ = "CheatMaker.cmf"	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\ = "CheatMaker Modifier File"	CheatMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\print	CheatMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatMaker.cmf\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	CheatMaker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1832	CheatMaker.exe
1832	CheatMaker.exe
1832	CheatMaker.exe
1832	CheatMaker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	CheatMaker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1832	CheatMaker.exe
1832	CheatMaker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4896	1832	CheatMaker.exe	98
PID 1832 wrote to memory of 4896	1832	CheatMaker.exe	98
PID 1832 wrote to memory of 4896	1832	CheatMaker.exe	98

C:\Users\Admin\AppData\Local\Temp\CheatMaker.exe
"C:\Users\Admin\AppData\Local\Temp\CheatMaker.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  C:\Users\Admin\AppData\Local\Temp\Update.exe
  2⤵
  PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4896 -ip 4896
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 376
1⤵
- Program crash
PID:3668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/1832-4-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1832-33-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/1832-63-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/1832-62-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/1832-61-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/1832-60-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/1832-59-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/1832-58-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/1832-57-0x0000000003940000-0x0000000003941000-memory.dmp

Filesize
4KB

Download
memory/1832-56-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/1832-55-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1832-54-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/1832-53-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1832-52-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1832-51-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/1832-50-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1832-49-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1832-48-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1832-47-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1832-46-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/1832-45-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/1832-44-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/1832-43-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1832-42-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1832-41-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/1832-40-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1832-39-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/1832-38-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/1832-37-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/1832-36-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1832-34-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1832-35-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1832-32-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1832-31-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1832-30-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1832-29-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1832-28-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1832-27-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1832-26-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1832-25-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1832-24-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/1832-23-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1832-22-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1832-21-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1832-20-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1832-19-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1832-18-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1832-17-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1832-16-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1832-15-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1832-14-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1832-13-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1832-12-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1832-11-0x0000000003560000-0x0000000003565000-memory.dmp

Filesize
20KB

Download
memory/1832-10-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1832-9-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1832-8-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1832-7-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1832-6-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1832-5-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1832-3-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1832-2-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1832-1-0x00000000024F0000-0x000000000254A000-memory.dmp

Filesize
360KB

Download
memory/1832-113-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/1832-127-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/1832-133-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download