Overview

overview

10

Static

static

1

CheatEngine75 (1).exe

windows11-21h2-x64

10

Resubmissions

20-04-2024 11:27

240420-nkeveafd74 10

20-04-2024 11:25

240420-njc97aga2t 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CheatEngine75 (1).exe

  • Size

    28.5MB

  • Sample

    240420-nkeveafd74

  • MD5

    1e2b14c4f25f109717f8cab97a050bf6

  • SHA1

    188cabf0640e0203fd9c2612586b78ce173f4fd7

  • SHA256

    2cd9a8ef0b8cb972210c0ff94c510034435771420cf404d8db55ab2d1083299f

  • SHA512

    2783e9c4254b04ba35114b673a62d48b720dab2cbd1e2419bc69581d40112a0a7c20531aa47e78d56f1886eb337f9151d1fb969ab26999b186be33254a3c717b

  • SSDEEP

    786432:3TCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH0MU:32EXFhV0KAcNjxAItj0MU

Score
10/10
zgratbootkitdiscoveryevasionpersistenceratspywarestealertrojan

Malware Config

Targets

    • Target

      CheatEngine75 (1).exe

    • Size

      28.5MB

    • MD5

      1e2b14c4f25f109717f8cab97a050bf6

    • SHA1

      188cabf0640e0203fd9c2612586b78ce173f4fd7

    • SHA256

      2cd9a8ef0b8cb972210c0ff94c510034435771420cf404d8db55ab2d1083299f

    • SHA512

      2783e9c4254b04ba35114b673a62d48b720dab2cbd1e2419bc69581d40112a0a7c20531aa47e78d56f1886eb337f9151d1fb969ab26999b186be33254a3c717b

    • SSDEEP

      786432:3TCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH0MU:32EXFhV0KAcNjxAItj0MU

    Score
    10/10
    zgratbootkitdiscoveryevasionpersistenceratspywarestealertrojan

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

      persistence

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

5
T1112

Impair Defenses

1
T1562

File and Directory Permissions Modification

1
T1222

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

Query Registry

6
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks