cb73a9806e39e7c694cd79bbdb0fd3c836ec82810f6ded1852aa1ac9c7b3012c

Analysis

max time kernel
111s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

28.5MB
MD5

8cef61e2080c38400698bc3265fd7f95
SHA1

a174b7dd8bd1eacfa6a9accd878c16bdc8aa1936
SHA256

cb73a9806e39e7c694cd79bbdb0fd3c836ec82810f6ded1852aa1ac9c7b3012c
SHA512

81781fdb49a3b949725ff508a96eef01599ff90c2fd42f104dda311cfb37dfb90d4aa38d0d4694634c3a469fbdac4c7421a5aee99067536848bbc50bda4658cb
SSDEEP

786432:0TCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH:02EXFhV0KAcNjxAItj

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp

Executes dropped EXE 1 IoCs

pid	Process
3900	CheatEngine75.tmp

Loads dropped DLL 1 IoCs

pid	Process
3900	CheatEngine75.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp
3900	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3900	4012	CheatEngine75.exe	86
PID 4012 wrote to memory of 3900	4012	CheatEngine75.exe	86
PID 4012 wrote to memory of 3900	4012	CheatEngine75.exe	86

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\is-3JUJ1.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3JUJ1.tmp\CheatEngine75.tmp" /SL5="$9022E,29019897,780800,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3JUJ1.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
87f9a8a5bb3fa1c60ec9bc4039817f20

SHA1
17c77749db527155c46bea4eeb6dea8b185f50c9

SHA256
db31191966bc7f4e29fa40667c1eb73b6928096080b07bc1fe1c991081195b69

SHA512
638021964475f0c1f5eefe0a6c8a62bf048ad87bcd7dc5729a896c08d91eb88ab80f908a1f4129a7680140ececab0a6f93f95f1379c578acb412305556d59ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B57O1.tmp\logo.png

Filesize
246KB

MD5
1df360d73bf8108041d31d9875888436

SHA1
c866e8855d62f56a411641ece0552e54cbd0f2fb

SHA256
c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43

SHA512
3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B57O1.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
memory/3900-6-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3900-25-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3900-27-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/3900-28-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3900-31-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4012-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4012-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4012-26-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download