Overview

overview

10

Static

static

1

CheatEngine75.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CheatEngine75.exe

  • Size

    28.5MB

  • Sample

    240406-ahdmnsfg88

  • MD5

    1e2b14c4f25f109717f8cab97a050bf6

  • SHA1

    188cabf0640e0203fd9c2612586b78ce173f4fd7

  • SHA256

    2cd9a8ef0b8cb972210c0ff94c510034435771420cf404d8db55ab2d1083299f

  • SHA512

    2783e9c4254b04ba35114b673a62d48b720dab2cbd1e2419bc69581d40112a0a7c20531aa47e78d56f1886eb337f9151d1fb969ab26999b186be33254a3c717b

  • SSDEEP

    786432:3TCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH0MU:32EXFhV0KAcNjxAItj0MU

Score
10/10
zgratbootkitdiscoveryevasionpersistenceratspywarestealer

Malware Config

Targets

    • Target

      CheatEngine75.exe

    • Size

      28.5MB

    • MD5

      1e2b14c4f25f109717f8cab97a050bf6

    • SHA1

      188cabf0640e0203fd9c2612586b78ce173f4fd7

    • SHA256

      2cd9a8ef0b8cb972210c0ff94c510034435771420cf404d8db55ab2d1083299f

    • SHA512

      2783e9c4254b04ba35114b673a62d48b720dab2cbd1e2419bc69581d40112a0a7c20531aa47e78d56f1886eb337f9151d1fb969ab26999b186be33254a3c717b

    • SSDEEP

      786432:3TCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH0MU:32EXFhV0KAcNjxAItj0MU

    Score
    10/10
    zgratbootkitdiscoveryevasionpersistenceratspywarestealer

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

1
T1562

File and Directory Permissions Modification

1
T1222

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

6
T1012

System Information Discovery

5
T1082

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks