2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

General

Target

Cheat.exe
Size

65KB
MD5

596bb1dd5ae0ac50a9218910d193d4cf
SHA1

377563b67e5601266d711345f78df4a7d95cad27
SHA256

2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512

b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP

1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Cheat.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation Cheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Cheat.exe

Drops startup file 3 IoCs

Processes:

HDAudio.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe

Executes dropped EXE 3 IoCs

Processes:

HDAudio.exeHDAudio.exeHDAudio.exe

pid process

1084 HDAudio.exe
3664 HDAudio.exe
3872 HDAudio.exe

pid	process
1084	HDAudio.exe
3664	HDAudio.exe
3872	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

Processes:

Cheat.exeHDAudio.exe

description ioc process

File created C:\Windows\HDAudio.exe Cheat.exe
File opened for modification C:\Windows\HDAudio.exe HDAudio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3948 schtasks.exe

description	ioc	process
File created	C:\Windows\HDAudio.exe	Cheat.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

pid	process
3948	schtasks.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

HDAudio.exe

description	pid	process
Token: SeDebugPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe
Token: 33	1084	HDAudio.exe
Token: SeIncBasePriorityPrivilege	1084	HDAudio.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Cheat.exeHDAudio.exe

description	pid	process	target process
PID 4912 wrote to memory of 1084	4912	Cheat.exe	HDAudio.exe
PID 4912 wrote to memory of 1084	4912	Cheat.exe	HDAudio.exe
PID 4912 wrote to memory of 1084	4912	Cheat.exe	HDAudio.exe
PID 1084 wrote to memory of 3224	1084	HDAudio.exe	schtasks.exe
PID 1084 wrote to memory of 3224	1084	HDAudio.exe	schtasks.exe
PID 1084 wrote to memory of 3224	1084	HDAudio.exe	schtasks.exe
PID 1084 wrote to memory of 3948	1084	HDAudio.exe	schtasks.exe
PID 1084 wrote to memory of 3948	1084	HDAudio.exe	schtasks.exe
PID 1084 wrote to memory of 3948	1084	HDAudio.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\HDAudio.exe
  "C:\Windows\HDAudio.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:3948

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HDAudio.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Windows\HDAudio.exe

Filesize
65KB

MD5
596bb1dd5ae0ac50a9218910d193d4cf

SHA1
377563b67e5601266d711345f78df4a7d95cad27

SHA256
2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

SHA512
b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299

Download Submit
memory/1084-14-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1084-13-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1084-18-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1084-19-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1084-24-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3664-21-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3664-22-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3664-23-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/3664-26-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4912-2-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4912-12-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4912-0-0x0000000075492000-0x0000000075493000-memory.dmp

Filesize
4KB

Download
memory/4912-1-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads