Overview

overview

10

Static

static

3

o_0/cheeto.exe

windows7-x64

8

o_0/cheeto.exe

windows10-2004-x64

Resubmissions

10-03-2024 16:48

240310-vbf5fagg3w 8

10-03-2024 16:47

240310-vanswsge23 10

Analysis

  • max time kernel
    59s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-03-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    o_0/cheeto.exe

  • Size

    2.7MB

  • MD5

    f6605997c91549e4186fb4d0034c66e4

  • SHA1

    4d4fe16b3c8631031c705c80d533e7985746268e

  • SHA256

    1f380cbfc19c54d243e0e970ddbbb0f448f26ac7c2eef81d1d3ede19cf41a9a6

  • SHA512

    86aea69c8f65912922da5b9347d6031a666cb083bfc3935d92a16a007ba2598bd3516dd7658c73e230a1cf8ec2d995ba3cfdbbe1c4e25d62dd7a6cd83909663c

  • SSDEEP

    49152:qjgoMlcWYfUFkMpWMONs8cWr2HQ/kLvPlbhVypjalf:kGlcNfekMpWM4c+2Hok7VypWlf

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:420
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\ProgramData\yqrsoeqdzhrx\qcoffpfilryw.exe
      C:\ProgramData\yqrsoeqdzhrx\qcoffpfilryw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2424
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
          PID:1620
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      1⤵
        PID:480
      • C:\Users\Admin\AppData\Local\Temp\o_0\cheeto.exe
        "C:\Users\Admin\AppData\Local\Temp\o_0\cheeto.exe"
        1⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1448
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
            • Drops file in Windows directory
            PID:2660
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          2⤵
          • Launches sc.exe
          PID:2500
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          2⤵
          • Launches sc.exe
          PID:2672
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          2⤵
          • Launches sc.exe
          PID:2616
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          2⤵
          • Launches sc.exe
          PID:2472
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          2⤵
          • Launches sc.exe
          PID:2548
        • C:\Windows\system32\dialer.exe
          C:\Windows\system32\dialer.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3064
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "SGRRXHHC"
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "SGRRXHHC" binpath= "C:\ProgramData\yqrsoeqdzhrx\qcoffpfilryw.exe" start= "auto"
          2⤵
          • Launches sc.exe
          PID:2372
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          2⤵
          • Launches sc.exe
          PID:1372
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "SGRRXHHC"
          2⤵
          • Launches sc.exe
          PID:1216

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \ProgramData\yqrsoeqdzhrx\qcoffpfilryw.exe
        Filesize

        2.7MB

        MD5

        f6605997c91549e4186fb4d0034c66e4

        SHA1

        4d4fe16b3c8631031c705c80d533e7985746268e

        SHA256

        1f380cbfc19c54d243e0e970ddbbb0f448f26ac7c2eef81d1d3ede19cf41a9a6

        SHA512

        86aea69c8f65912922da5b9347d6031a666cb083bfc3935d92a16a007ba2598bd3516dd7658c73e230a1cf8ec2d995ba3cfdbbe1c4e25d62dd7a6cd83909663c

        Download Submit

      • \ProgramData\yqrsoeqdzhrx\qcoffpfilryw.exe
        Filesize

        1.8MB

        MD5

        162026509a52ba8f3c3810ca08ed012e

        SHA1

        0ad7688dfe85c89b7c826503cad315058ceaa354

        SHA256

        dc00b0571ae993e56c8210532d6ba04891427913b9ba9a1a7e9478b3e32b67cc

        SHA512

        7ae9bdd748bb32354f9f45c818580920c73a07d389a4964e68ea36c0aa57e792f58fee57220de40aaadfd16cea40d384568f9e5e2945c21ebbf9782dc4267380

        Download Submit

      • memory/420-31-0x0000000077B81000-0x0000000077B82000-memory.dmp

        Filesize

        4KB

        Download

      • memory/420-28-0x00000000008E0000-0x000000000090B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/420-25-0x00000000008B0000-0x00000000008D4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/420-30-0x000007FEBF6C0000-0x000007FEBF6D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/420-26-0x00000000008B0000-0x00000000008D4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/420-34-0x0000000037B70000-0x0000000037B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/420-69-0x00000000008E0000-0x000000000090B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/464-43-0x00000000001F0000-0x000000000021B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/1448-11-0x0000000002450000-0x00000000024D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1448-7-0x00000000023A0000-0x00000000023A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1448-6-0x0000000002450000-0x00000000024D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1448-5-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1448-12-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1448-4-0x000000001B190000-0x000000001B472000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1448-9-0x0000000002450000-0x00000000024D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1448-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1448-8-0x0000000002450000-0x00000000024D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-61-0x00000000009D0000-0x0000000000A50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-64-0x00000000009D0000-0x0000000000A50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-56-0x0000000019AB0000-0x0000000019D92000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1620-59-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1620-71-0x00000000009D0000-0x0000000000A50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-77-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1620-78-0x00000000009D0000-0x0000000000A50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-79-0x00000000009D0000-0x0000000000A50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-63-0x0000000000930000-0x0000000000938000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1620-60-0x00000000009D0000-0x0000000000A50000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1620-80-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2596-49-0x0000000000330000-0x000000000035B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2596-66-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/2596-55-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/2596-57-0x0000000077B30000-0x0000000077CD9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2596-50-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/2596-52-0x0000000037B70000-0x0000000037B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2596-51-0x000007FEBF6C0000-0x000007FEBF6D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2596-62-0x0000000004440000-0x0000000004441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2596-83-0x0000000004440000-0x0000000004441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2596-65-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/2596-76-0x0000000077B30000-0x0000000077CD9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2596-54-0x0000000077B30000-0x0000000077CD9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2596-75-0x0000000000330000-0x000000000035B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2596-74-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/2596-72-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/3064-18-0x0000000140000000-0x000000014002B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/3064-20-0x0000000077B30000-0x0000000077CD9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3064-67-0x0000000077B30000-0x0000000077CD9000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3064-21-0x0000000077A10000-0x0000000077B2F000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3064-16-0x0000000140000000-0x000000014002B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/3064-15-0x0000000140000000-0x000000014002B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/3064-13-0x0000000140000000-0x000000014002B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/3064-14-0x0000000140000000-0x000000014002B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/3064-22-0x0000000140000000-0x000000014002B000-memory.dmp

        Filesize

        172KB

        Download