Overview (score 10)
Static (score 10)

Tasks (label as displayed in the report navigation, platform, score)
Cheat_Bypa...ss.dll    windows7-x64         1
Cheat_Bypa...ss.dll    windows10-2004-x64   1
Cheat_Bypa...TA.exe    windows7-x64         10
Cheat_Bypa...TA.exe    windows10-2004-x64   10
Cheat_Bypa...64.exe    windows7-x64         1
Cheat_Bypa...64.exe    windows10-2004-x64   1
Cheat_Bypa...ss.dll    windows7-x64         1
Cheat_Bypa...ss.dll    windows10-2004-x64   1
Cheat_Bypa...TA.exe    windows7-x64         10
Cheat_Bypa...TA.exe    windows10-2004-x64   10
Cheat_Bypa...64.exe    windows7-x64         1
Cheat_Bypa...64.exe    windows10-2004-x64   3
PPRE/PPRE.exe          windows7-x64         7
PPRE/PPRE.exe          windows10-2004-x64   7
$PLUGINSDI...ls.dll    windows7-x64         3
$PLUGINSDI...ls.dll    windows10-2004-x64   3
$PLUGINSDI...em.dll    windows7-x64         3
$PLUGINSDI...em.dll    windows10-2004-x64   3
LICENSES.c...m.html    windows7-x64         1
LICENSES.c...m.html    windows10-2004-x64   1
Project.exe            windows7-x64         7
Project.exe            windows10-2004-x64   7
d3dcompiler_47.dll     windows10-2004-x64   1
ffmpeg.dll             windows7-x64         1
ffmpeg.dll             windows10-2004-x64   1
libEGL.dll             windows7-x64         1
libEGL.dll             windows10-2004-x64   1
libGLESv2.dll          windows7-x64         1
libGLESv2.dll          windows10-2004-x64   1
locales/de.ps1         windows7-x64         1
locales/de.ps1         windows10-2004-x64   1
locales/nb.ps1         windows7-x64         1

Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-03-2024 15:07
Behavioral tasks
task          sample                                            resource
behavioral1   Cheat_Bypass_1.6/Cheat_MTA/Bypass.dll             win7-20240221-en
behavioral2   Cheat_Bypass_1.6/Cheat_MTA/Bypass.dll             win10v2004-20240226-en
behavioral3   Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe          win7-20240221-en
behavioral4   Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe          win10v2004-20240226-en
behavioral5   Cheat_Bypass_1.6/Cheat_MTA/Executor/Xenos64.exe   win7-20240215-en
behavioral6   Cheat_Bypass_1.6/Cheat_MTA/Executor/Xenos64.exe   win10v2004-20240226-en
behavioral7   Cheat_Bypass_1.6/Cheat_MTA/Bypass.dll             win7-20240220-en
behavioral8   Cheat_Bypass_1.6/Cheat_MTA/Bypass.dll             win10v2004-20240226-en
behavioral9   Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe          win7-20240221-en
behavioral10  Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe          win10v2004-20240226-en
behavioral11  Cheat_Bypass_1.6/Cheat_MTA/Executor/Xenos64.exe   win7-20240221-en
behavioral12  Cheat_Bypass_1.6/Cheat_MTA/Executor/Xenos64.exe   win10v2004-20240226-en
behavioral13  PPRE/PPRE.exe                                     win7-20240221-en
behavioral14  PPRE/PPRE.exe                                     win10v2004-20240226-en
behavioral15  $PLUGINSDIR/StdUtils.dll                          win7-20240221-en
behavioral16  $PLUGINSDIR/StdUtils.dll                          win10v2004-20240226-en
behavioral17  $PLUGINSDIR/System.dll                            win7-20240215-en
behavioral18  $PLUGINSDIR/System.dll                            win10v2004-20240226-en
behavioral19  LICENSES.chromium.html                            win7-20240221-en
behavioral20  LICENSES.chromium.html                            win10v2004-20240226-en
behavioral21  Project.exe                                       win7-20240221-en
behavioral22  Project.exe                                       win10v2004-20240226-en
behavioral23  d3dcompiler_47.dll                                win10v2004-20240226-en
behavioral24  ffmpeg.dll                                        win7-20240221-en
behavioral25  ffmpeg.dll                                        win10v2004-20240226-en
behavioral26  libEGL.dll                                        win7-20240221-en
behavioral27  libEGL.dll                                        win10v2004-20240226-en
behavioral28  libGLESv2.dll                                     win7-20240215-en
behavioral29  libGLESv2.dll                                     win10v2004-20240226-en
behavioral30  locales/de.ps1                                    win7-20240221-en
behavioral31  locales/de.ps1                                    win10v2004-20240226-en
behavioral32  locales/nb.ps1                                    win7-20240221-en
General
Target: Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe
Size: 748KB
MD5: 6f165b1eef8c2891e4e9d5e37f9074ec
SHA1: 4017b1950461c898c5041c3abe08f80ff3ec668b
SHA256: 36711a12941ffc7194605b9664f452fa3179eacc55b5701fd22414eff087b80f
SHA512: 2c4c47bb48c87055599ceb0e9ee761de5c33e94bbc58ef3613b008f65b8afaa4522660780a93a9ef553b090d09ef06121e89126627413feca9e6ed7c2cf32bf9
SSDEEP: 3072:nLJMjbcHDdMwQy1SZ/yUqnLQZr29SB8baRYX2NCancRuXAlSfZEPCNIj2BMmu/Gu:nlMeBzQ6SRInLQZApPAKNMBpPAKNM
Malware Config
Extracted: njrat
Version: 0.7d
Campaign (botnet) ID: 2024
C2: userdalex2024.ddns.net:4444
1c455b7054bf3cdcc6d194b1216e5458 (unlabelled in the extraction; the same value is reused as the reg_key below, as the Run key value name and as the name of the dropped Startup-folder file)
reg_key: 1c455b7054bf3cdcc6d194b1216e5458
splitter: |'|'|
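The extracted splitter is the string njRAT puts between the fields of every C2 message, and the client frames each message on the wire as an ASCII decimal length, a NUL byte, then the payload. The decoder below is an added example written for this page, not code from the report or from the njRAT family itself. The sample stream it parses is constructed here (it is not a capture from this sample), and the field layout of the constructed "ll" registration message (base64 victim identifier built from campaign ID and volume serial, hostname, user name, date, OS string, camera flag, version, active window title) is an assumption about the 0.7d client rather than something the report shows.

```python
import base64
from dataclasses import dataclass
from typing import List, Tuple

# Field separator from the extracted config above.
SPLITTER = "|'|'|"


@dataclass
class NjratMessage:
    command: str
    fields: List[str]


def build_frame(command: str, fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Frame one message the way the njRAT client does: '<len>\\x00<payload>'."""
    payload = splitter.join([command, *fields]).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a raw TCP byte stream into complete payloads.

    Returns (payloads, leftover); leftover is a trailing partial frame that
    still needs data, so a caller reading from a socket buffers it and retries.
    """
    payloads: List[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                  # length prefix not complete yet
        length_txt = stream[pos:nul]
        if not length_txt.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_txt!r}")
        start, end = nul + 1, nul + 1 + int(length_txt)
        if end > len(stream):
            break                                  # payload not complete yet
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def parse_message(payload: bytes, splitter: str = SPLITTER) -> NjratMessage:
    """Split a payload into the command and its splitter-delimited fields."""
    parts = payload.decode("utf-8", errors="replace").split(splitter)
    return NjratMessage(command=parts[0], fields=parts[1:])


def decode_b64_field(value: str) -> str:
    """Some njRAT fields (victim id, active window title) are base64 text."""
    return base64.b64decode(value).decode("utf-8", errors="replace")


# Constructed sample traffic: a registration ('ll') message, a short 'inf'
# message, then a truncated third frame.  The '2024' campaign ID comes from the
# config above; the volume serial and every other value is made up for the example.
SAMPLE_STREAM = (
    build_frame("ll", [
        base64.b64encode(b"2024_1A2B3C4D").decode(),   # victim id (assumed layout)
        "DESKTOP-TEST", "Admin", "24-03-04", "",
        "Win 10 Pro SP0 x64", "No", "0.7d", "..",
        base64.b64encode(b"Untitled - Notepad").decode(),
    ])
    + build_frame("inf", ["2024_1A2B3C4D"])
    + b"20\x00inf|'|"                              # partial frame, still arriving
)


def decode_stream(stream: bytes = SAMPLE_STREAM):
    """Decode every complete frame; returns (messages, leftover bytes)."""
    payloads, leftover = split_frames(stream)
    return [parse_message(p) for p in payloads], leftover


if __name__ == "__main__":
    messages, leftover = decode_stream()
    for msg in messages:
        print(msg.command, msg.fields)
    print("buffered:", leftover)
```

The same two calls (`split_frames`, then `parse_message` with the splitter taken from the extracted config) work on a TCP stream reassembled from a capture of traffic to userdalex2024.ddns.net:4444; a custom splitter, which operators can set in the builder, only changes the `SPLITTER` argument.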
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  netsh.exe (PID 3580)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: Cheat_MTA.exe, LocalQjZdVxezHX.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (Cheat_MTA.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (LocalQjZdVxezHX.exe)
Drops startup file (2 IoCs)
Processes: RuntimeBroker.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c455b7054bf3cdcc6d194b1216e5458.exe (RuntimeBroker.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c455b7054bf3cdcc6d194b1216e5458.exe (RuntimeBroker.exe)
Executes dropped EXE (3 IoCs)
Processes:
  LocalQjZdVxezHX.exe (PID 2364)
  LocalrBYMYNIqYn.exe (PID 2848)
  RuntimeBroker.exe (PID 400)
YARA rule match: upx (4 IoCs)
Resources:
  C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe (rule: upx)
  behavioral4/memory/2848-21-0x0000000140000000-0x0000000140027000-memory.dmp (rule: upx)
  behavioral4/memory/2848-46-0x0000000140000000-0x0000000140027000-memory.dmp (rule: upx)
  behavioral4/memory/2848-49-0x0000000140000000-0x0000000140027000-memory.dmp (rule: upx)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: RuntimeBroker.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c455b7054bf3cdcc6d194b1216e5458 = "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe" .. (RuntimeBroker.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1c455b7054bf3cdcc6d194b1216e5458 = "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe" .. (RuntimeBroker.exe)
Drops file in Program Files directory (1 IoC)
Processes: cmd.exe
  File created: C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\Bypass.dll (cmd.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (4 IoCs)
Processes:
  timeout.exe (PID 4704)
  timeout.exe (PID 3392)
  timeout.exe (PID 2636)
  timeout.exe (PID 2472)
Modifies registry class (15 IoCs)
Processes: Xenos64.exe (all entries below)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe --load %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe,-135"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\ = "Xenos 64-bit injection profile"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe --run %1"
Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes: Xenos64.exe, RuntimeBroker.exe
  Token: SeDebugPrivilege, PID 2332, Xenos64.exe
  Token: SeLoadDriverPrivilege, PID 2332, Xenos64.exe
  Token: SeDebugPrivilege, PID 400, RuntimeBroker.exe
  Token: 33, PID 400, RuntimeBroker.exe, followed by Token: SeIncBasePriorityPrivilege, PID 400, RuntimeBroker.exe (this pair repeats 17 times, 34 entries)
Suspicious use of WriteProcessMemory (23 IoCs)
Processes: Cheat_MTA.exe, LocalrBYMYNIqYn.exe, cmd.exe, LocalQjZdVxezHX.exe, RuntimeBroker.exe
  PID 4100 Cheat_MTA.exe wrote to memory of PID 2364 LocalQjZdVxezHX.exe (3 entries)
  PID 4100 Cheat_MTA.exe wrote to memory of PID 2848 LocalrBYMYNIqYn.exe (2 entries)
  PID 2848 LocalrBYMYNIqYn.exe wrote to memory of PID 3364 cmd.exe (2 entries)
  PID 3364 cmd.exe wrote to memory of PID 4704 timeout.exe (2 entries)
  PID 3364 cmd.exe wrote to memory of PID 3392 timeout.exe (2 entries)
  PID 2364 LocalQjZdVxezHX.exe wrote to memory of PID 400 RuntimeBroker.exe (3 entries)
  PID 3364 cmd.exe wrote to memory of PID 2636 timeout.exe (2 entries)
  PID 3364 cmd.exe wrote to memory of PID 2472 timeout.exe (2 entries)
  PID 400 RuntimeBroker.exe wrote to memory of PID 3580 netsh.exe (3 entries)
  PID 3364 cmd.exe wrote to memory of PID 2332 Xenos64.exe (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe (PID 4100)
  command line: "C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\LocalQjZdVxezHX.exe (PID 2364)
    command line: "C:\Users\Admin\AppData\LocalQjZdVxezHX.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (PID 400)
      command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 3580)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
        signatures: Modifies Windows Firewall
  - C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe (PID 2848)
    command line: "C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3364)
      command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\6AFF.tmp\6B00.bat C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
      signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 3 /nobreak
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 5 /nobreak
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 3 /nobreak
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 3 /nobreak
        signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe (PID 2332)
        command line: "Executor\Xenos64.exe"
        signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken
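The RuntimeBroker.exe branch of the tree above carries the host-level indicators a detection engineer would generalise from this report: a Run key (the user hive and the WOW6432Node machine key) pointing at an executable under AppData, an .exe dropped into the Startup folder, and a legacy netsh firewall add allowedprogram for a program under AppData, all performed by a binary that borrows the name of RuntimeBroker.exe (which legitimately lives in C:\Windows\System32) while running from %TEMP%. The script below is an added example, not part of the report or of any vendor's rule set; it applies those four checks to constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) modelled on the paths in this report, plus two benign control events so that the legitimate RuntimeBroker.exe and a Run key pointing into Program Files do not fire.

```python
import re
from typing import List, Tuple

# Paths a standard user can write to; persistence pointing here is suspicious.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# Run keys under HKCU/HKLM, including the 32-bit view seen in this report.
RUN_KEY = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
# Legacy 'netsh firewall add allowedprogram <path>' (used here) and the newer
# 'netsh advfirewall firewall add rule ... program=<path>' form.
NETSH_ALLOW = re.compile(r'(?:allowedprogram\s+|program=)(?:"([^"]+)"|(\S+))', re.I)
# Binaries that only legitimately run from System32 (assumed list; extend as needed).
SYSTEM_ONLY_NAMES = {"runtimebroker.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def first_path(value: str) -> str:
    """Return the program path from a command line or registry value, quoted or not."""
    m = re.match(r'\s*"([^"]+)"', value)
    return m.group(1) if m else (value.split() or [""])[0]


def check_event(ev: dict) -> List[str]:
    """Return the names of the rules a single Sysmon-style event triggers."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        if USER_WRITABLE.search(first_path(ev.get("Details", ""))):
            hits.append("run_key_to_appdata")
    if eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        hits.append("startup_folder_exe")
    if eid == 1:
        image = ev.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_ONLY_NAMES and not image.lower().startswith(SYSTEM32):
            hits.append("system_binary_name_outside_system32")
        if name == "netsh.exe":
            m = NETSH_ALLOW.search(ev.get("CommandLine", ""))
            program = (m.group(1) or m.group(2)) if m else ""
            if USER_WRITABLE.search(program):
                hits.append("firewall_allow_appdata_program")
    return hits


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events modelled on this report (not an export from the sandbox).
TEMP_RB = r"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TEMP_RB, "CommandLine": f'"{TEMP_RB}"',
     "ParentImage": r"C:\Users\Admin\AppData\LocalQjZdVxezHX.exe"},
    {"EventID": 13, "Image": TEMP_RB,
     "TargetObject": r"HKU\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c455b7054bf3cdcc6d194b1216e5458",
     "Details": f'"{TEMP_RB}" ..'},
    {"EventID": 13, "Image": TEMP_RB,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1c455b7054bf3cdcc6d194b1216e5458",
     "Details": f'"{TEMP_RB}" ..'},
    {"EventID": 11, "Image": TEMP_RB,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c455b7054bf3cdcc6d194b1216e5458.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": TEMP_RB,
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP_RB}" "RuntimeBroker.exe" ENABLE'},
    # benign controls: the real RuntimeBroker.exe and a vendor tray app in Program Files
    {"EventID": 1, "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "CommandLine": r"C:\Windows\System32\RuntimeBroker.exe -Embedding",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}  ({SAMPLE_EVENTS[index]['Image']})")
```

Each rule is deliberately path-based rather than keyed on the 1c455b7054bf3cdcc6d194b1216e5458 value, since njRAT generates that name per build; the four rules together fire on the behaviour, and a single event matching two of them (here, the Temp-resident RuntimeBroker.exe writing its own Run key) is the kind of correlation worth alerting on.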
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
  Filesize: 634KB
  MD5: 4e560a1285920589d854042360fab9c8
  SHA1: 010c6ce1a51ea5a67423e4b37af50effefd6a91b
  SHA256: ff74d85d8ebff1e82b9e32b8f6b6b5a821582c4da74310e7873854cb050c5ff1
  SHA512: 9ed4c57a4489fe00c43a7ef5de7d53702aa18f20c1fd538dd7d20705bfef134ccad2e8d581d6e42e36ab8adf6053b9016a0884bb145b7cdbb3b256ac1f9530bd

C:\Users\Admin\AppData\Local\Temp\6AEF.tmp\6AFF.tmp\6B00.bat
  Filesize: 774B
  MD5: 9968d05364877e87833258601f604e38
  SHA1: 8cde606096a11883bf13b8617b9e15e1fb8144d6
  SHA256: 303e8297945e14ac06c08ddaca5f2109b67581816189d5c8d761550db76289a7
  SHA512: 249f557dc4220e4b09ddccbcfd2ef7a94f53c88ff34eeb494fe1c1bfaf77a8f397822ef85872f0805a249e49dd121fd176b382859a61b92e5b9392dae6d6fb14

C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
  Filesize: 55KB
  MD5: 530d8b420991e13d1a66f8e4322066a0
  SHA1: b09596914770129167a3bdce88b78d7945f31105
  SHA256: b08506e267fd78912a8c962fcb23097e26ae02222668145b0c2d32cc4896e384
  SHA512: 25a45e65113d3f754b57fa3fc0c08c93904e83063390c747c2f53a35c4ba1248157b091cd9a7934b2596e20d5ca5801daa8c9788f30e9056fef7fef8ae87b914

Memory dumps (dump name, filesize)
memory/400-63-0x00000000749C0000-0x0000000075170000-memory.dmp    7.7MB
memory/400-61-0x0000000009090000-0x000000000909A000-memory.dmp    40KB
memory/400-48-0x00000000090E0000-0x0000000009172000-memory.dmp    584KB
memory/400-45-0x00000000749C0000-0x0000000075170000-memory.dmp    7.7MB
memory/2332-65-0x0000000000050000-0x0000000000150000-memory.dmp   1024KB
memory/2332-62-0x0000000002250000-0x0000000002445000-memory.dmp   2.0MB
memory/2332-60-0x0000000000050000-0x0000000000150000-memory.dmp   1024KB
memory/2364-26-0x0000000000B20000-0x0000000000BC6000-memory.dmp   664KB
memory/2364-30-0x0000000003060000-0x000000000306C000-memory.dmp   48KB
memory/2364-31-0x0000000005BB0000-0x0000000006154000-memory.dmp   5.6MB
memory/2364-44-0x00000000749C0000-0x0000000075170000-memory.dmp   7.7MB
memory/2364-28-0x0000000005450000-0x00000000054EC000-memory.dmp   624KB
memory/2364-25-0x00000000749C0000-0x0000000075170000-memory.dmp   7.7MB
memory/2848-21-0x0000000140000000-0x0000000140027000-memory.dmp   156KB
memory/2848-49-0x0000000140000000-0x0000000140027000-memory.dmp   156KB
memory/2848-46-0x0000000140000000-0x0000000140027000-memory.dmp   156KB
memory/4100-23-0x00007FFDEEDE0000-0x00007FFDEF781000-memory.dmp   9.6MB
memory/4100-0-0x00007FFDEEDE0000-0x00007FFDEF781000-memory.dmp    9.6MB
memory/4100-10-0x00007FFDEEDE0000-0x00007FFDEF781000-memory.dmp   9.6MB
memory/4100-2-0x0000000000B80000-0x0000000000B90000-memory.dmp    64KB