93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a

Resubmissions

12/05/2024, 14:04

240512-rdl7pahf5v 8

12/05/2024, 14:00

240512-ra8aracf35 6

Analysis

max time kernel
162s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

28.5MB
MD5

0fa34a970c3defa54dbc6b725e03b83d
SHA1

44fa4a2d4d3fc9259fb03324eb390def62ff786a
SHA256

93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a
SHA512

2ec36599bae79365cfb02edc475ca416b4cd85c9cf349b0cc548e145a10fb22b2fae5ce504e76725e6832028cda3fd6b2bec4adfb7dbf49738e952651a5b7e90
SSDEEP

786432:yTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH:y2EXFhV0KAcNjxAItj

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp

Executes dropped EXE 1 IoCs

pid	Process
4836	CheatEngine75.tmp

Loads dropped DLL 1 IoCs

pid	Process
4836	CheatEngine75.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp
4836	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4836	4296	CheatEngine75.exe	83
PID 4296 wrote to memory of 4836	4296	CheatEngine75.exe	83
PID 4296 wrote to memory of 4836	4296	CheatEngine75.exe	83

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\is-25I84.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-25I84.tmp\CheatEngine75.tmp" /SL5="$80182,29019897,780800,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0H57G.tmp\logo.png

Filesize
246KB

MD5
1df360d73bf8108041d31d9875888436

SHA1
c866e8855d62f56a411641ece0552e54cbd0f2fb

SHA256
c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43

SHA512
3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0H57G.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-25I84.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
14e34c5e0e3c320b904b9500e8fa96cf

SHA1
47cf88e6ddc1683135194b9d8b1cc32c78277f5e

SHA256
7398bd01e78df0d69169402f7fecf781c23f61127ba68290d146582ebadbf2ef

SHA512
6d99202dafd3209622e6fa217407bccd0b4157550d873bff36f06a279c499c9e98cb01d235c337d76d86c9e3c369d89712450fe1353eb18b2b7c108abd67ad59

Download Submit
memory/4296-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4296-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4296-27-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4836-6-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4836-25-0x0000000003610000-0x0000000003750000-memory.dmp

Filesize
1.2MB

Download
memory/4836-26-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4836-28-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download