Overview

overview

10

Static

static

1

Cheat Lab 2.7.2.msi

windows7-x64

6

Cheat Lab 2.7.2.msi

windows10-1703-x64

6

Cheat Lab 2.7.2.msi

windows10-2004-x64

6

Cheat Lab 2.7.2.msi

windows11-21h2-x64

10

Resubmissions

12-02-2024 18:22

240212-wz1pesce63 10

12-02-2024 18:09

240212-wrnd5aah2t 6

Analysis

  • max time kernel
    442s
  • max time network
    1162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2024 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cheat Lab 2.7.2.msi

  • Size

    2.4MB

  • MD5

    f97903fac84172871545926d6e553eb9

  • SHA1

    e6e027b77df4823f4ff37656867e8f40d4ebd732

  • SHA256

    35cee7837f460d9e1141e375af8438e868a9e6b8d923ed2673a980fcadfd4774

  • SHA512

    5d82d62399079a10d36f5c32b091592cff640c40f593140138a1c741fbc92c579925186a2dd40820cef9bb04a5a7680486508896e6032caa4909d49a95e3fd75

  • SSDEEP

    49152:zjfedtZKumZrEq4Fb6HXr1iWnYs4ntHurpllQ6aduxtZB6DXDNvu8S:+VKwFnWnwux567DNG8S

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 15 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 20 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Cheat Lab 2.7.2.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3064
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 47C236F217E3AFDEA9C2DD43E3BB48B9 C
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
        "C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe" "C:\Program Files\Cheat Lab Inc\Cheat Lab\readme.txt"
        3⤵
        • Drops file in Windows directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /sc daily /st 12:20 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
          4⤵
          • Creates scheduled task(s)
          PID:4496
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6134BDB3B5A30F32CCF98724DAC6A003
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2884
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 09F45A7DE79AD320FBA0173DD36D7EC2 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e578137.rbs
    Filesize

    188KB

    MD5

    24ac67a0a3d13eec60f7097be3f35db0

    SHA1

    47f577263f94afdb5392ca6e4a79379ea3c33f8f

    SHA256

    4baebe1601766d5da3a15d1d637c2dde8920697c359af393128d77f2a7db1a7c

    SHA512

    525b35f674c5e4fbbb221d8cb4728e5098fb0de9834c1bac7efb2062ae1c828379e5e5289fa9d74e67efb58dbfa19ff23a2076479423295a23dfc3a51d6fe2ac

    Download Submit

  • C:\Program Files\Cheat Lab Inc\Cheat Lab\compiler.exe
    Filesize

    261KB

    MD5

    f33e239a228ad29b22f40a503db1dd60

    SHA1

    8b56571cd8c39978c657818f2ff6b05753c9fd94

    SHA256

    dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a

    SHA512

    e161d6b8b5df6da2d3f7fbd4f68ac05ba9ebd479404c502b45a126758e21cc7b918ab038688d3abfbb50e25216bb39dae30efa2d306dbc76e6216461520e2c2d

    Download Submit

  • C:\Program Files\Cheat Lab Inc\Cheat Lab\lua51.dll
    Filesize

    484KB

    MD5

    75d539df595217555d98c59af85edab1

    SHA1

    a67b14c2ddfda8f770cfeef0d3b676b433df500c

    SHA256

    873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997

    SHA512

    e2b47f2733d2f439af53b12fddd9efa044b832871be2e064d236d6581a3d81e57d7ff4ae123b6f82fd00c752e33d51ae8fd403cee49b628a6d0c2d46de04ce6e

    Download Submit

  • C:\Program Files\Cheat Lab Inc\Cheat Lab\readme.txt
    Filesize

    188KB

    MD5

    da93380e27ef93a7b46af81a3b8c0f13

    SHA1

    620c61603dfd44074133b20ae15f2b1a7478be9a

    SHA256

    751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad

    SHA512

    e9dc7ab3447cf523b9f895ea3ae2b3a8d52fae8b3cbaab14dc256d9a9cf3b79ce770bb665591ad5e9bf1bd216948b131c1003a16b6b3a19f4e1aa6a0e944b550

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI45D3.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI47D8.tmp
    Filesize

    384KB

    MD5

    691334e4071e9a07554c04f8efd8c9f2

    SHA1

    f7904dec0c31d94ef6370503c062458a0afad5bb

    SHA256

    6629b517ae6dc1fd406889db00cafc6b060513defbfc6620ff7781e7a668ebb8

    SHA512

    8eba08bef0e24e532b5b866677bb2447c543b4fd70e1dcc968c3e176fb7fde7b0a335567fbfdde47639a0e17b396c5cd11eb4793b6f41340668f6946c33c4d51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI47E9.tmp
    Filesize

    320KB

    MD5

    83bbcb4394fd3323e576f89e9bae14a6

    SHA1

    eadf6626d27f45d95bae94ef0de452d444a59513

    SHA256

    85dc91027a81fb35fb8de7dcfc25fd0a6b0e74e62e6659d5b5c07d884a3ac189

    SHA512

    b99dfade184f6bc9f3866e80d22b142e704a99cb432f3d0c53a9f5d0d0a53c197ae81a5c16a2eb66cfd10649eeaefa4059befb0b34a19398c4c2fe1b0b5adeb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI47E9.tmp
    Filesize

    256KB

    MD5

    fb4298e3f69ba95c30c7fe8fdc72c294

    SHA1

    0e64d8f037b087b56d1cf9c4c9d7e808b8c2826a

    SHA256

    647279d2115df98732da2fd5818cd6c817ba551e57f260ff52bf343389e56b67

    SHA512

    ed5840fb16542037c79129d711928ca72a204e6c9df32218e3adcaf3f9b8231a0425b55719d41c13d979d4eb59c2af195b75ae4f7e1bcd1162eb03395febb1f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI47FA.tmp
    Filesize

    128KB

    MD5

    4c020db20bf16028e735dd0166c6c1af

    SHA1

    ecec202c476d34659ca1bdd37d3f955e14534f07

    SHA256

    7969371f2215ea2ae53bb46c1011c53162700b08e9e2f7ebd305d95f0fa0521f

    SHA512

    4298e8bdc6b1153c17dcd0293ce229fe1196d776f8a55d794d68bdd0c27e9170e105f1140fe8c0f3fa874feceb4c30472463f34b0bb09c08b3e56eb671fab6ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI482A.tmp
    Filesize

    42KB

    MD5

    c89f4feb4bb282630e4f72755345d512

    SHA1

    18c6854870a90d8ab69d96bc672ec0e4d995fe3a

    SHA256

    17f24a4810ee72abe3f37381478167c81b01762c6322d7e1608468c4b853f5a9

    SHA512

    568ac0a1afb4962e1059739abd0d57b342ff3cb43eb72144e0d851aca53f9b5f23e36f6f4937e16e6ba5ffdd7e04cf0bf5368ddae90d454b56e756f22f453b60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI4934.tmp
    Filesize

    897KB

    MD5

    6189cdcb92ab9ddbffd95facd0b631fa

    SHA1

    b74c72cefcb5808e2c9ae4ba976fa916ba57190d

    SHA256

    519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

    SHA512

    ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

    Download Submit

  • C:\Windows\Installer\MSI8448.tmp
    Filesize

    187KB

    MD5

    f11e8ec00dfd2d1344d8a222e65fea09

    SHA1

    235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

    SHA256

    775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

    SHA512

    6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

    Download Submit

  • memory/2804-126-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-134-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-99-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-101-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-102-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-103-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-104-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-105-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-106-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-107-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-108-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-109-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-110-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-111-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-113-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-114-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-112-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-115-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-116-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-117-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-118-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-119-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-121-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-120-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-122-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-124-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-123-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-125-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-98-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-127-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-128-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-129-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-130-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-131-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-133-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-100-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-132-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-135-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-136-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-137-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-138-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-139-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-140-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-141-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-142-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-143-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-145-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-146-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-144-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-147-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-148-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-149-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-150-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-151-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-152-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-153-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-154-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-155-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-156-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-158-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-159-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-157-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-160-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-161-0x00007FFB17640000-0x00007FFB17650000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2804-266-0x000001926DC50000-0x000001926DC82000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2804-269-0x000001926DC50000-0x000001926DC82000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2804-270-0x000001926DC90000-0x000001926DC91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-272-0x000001926DCA0000-0x000001926DCA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-274-0x000001926DCA0000-0x000001926DCA1000-memory.dmp

    Filesize

    4KB

    Download