Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 15:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: CSGO cheat Injector.exe
  - Resource: win7-20240508-en
- Behavioral task: behavioral2
  - Sample: CSGO cheat Injector.exe
  - Resource: win10v2004-20240508-en
General
- Target: CSGO cheat Injector.exe
- Size: 3.3MB
- MD5: 01b49aed665fd529003ad01832496c87
- SHA1: ab94f91fdf173a9c3fb54a0a34d4184199c14ed5
- SHA256: 6c9e49b58cb313e27a026efdd33dbf86867a658bf6b2f3668f7c11b1fd4aefe0
- SHA512: d0ecd2442162edb04b006d0f0877e5dc5c7d5a777f22a5a4997d0650c429a6b39d73b6fbbc2d6b085e65610aca0b93b0489f96da4d28334e0cf17a847c00a39a
- SSDEEP: 98304:t7Iviz/27qWGq/TzuqCDl2Ptao7jcEZTfGNK3:hIviq75/Tzuf2Z6NK3
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes (pid, process):
  - 3704 netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (CDS.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (crypted.exe)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bab42d001896286dbfc0834be2d10b9f.exe (svchos.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bab42d001896286dbfc0834be2d10b9f.exe (svchos.exe)
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 4588 CDS.exe
  - 468 crypted.exe
  - 3232 svchos.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 4588 CDS.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (CSGO cheat Injector.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bab42d001896286dbfc0834be2d10b9f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchos.exe\" .." (svchos.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bab42d001896286dbfc0834be2d10b9f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchos.exe\" .." (svchos.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 4588 CDS.exe
  - 4588 CDS.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes (description, pid, process):
  - Token: 33, 1676 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, 1676 AUDIODG.EXE
  - Token: SeDebugPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
  - Token: 33, 3232 svchos.exe
  - Token: SeIncBasePriorityPrivilege, 3232 svchos.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 4588 CDS.exe
  - 4588 CDS.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 4804 wrote to memory of 4588: 4804 CSGO cheat Injector.exe -> CDS.exe
  - PID 4804 wrote to memory of 4588: 4804 CSGO cheat Injector.exe -> CDS.exe
  - PID 4804 wrote to memory of 4588: 4804 CSGO cheat Injector.exe -> CDS.exe
  - PID 4588 wrote to memory of 468: 4588 CDS.exe -> crypted.exe
  - PID 4588 wrote to memory of 468: 4588 CDS.exe -> crypted.exe
  - PID 4588 wrote to memory of 468: 4588 CDS.exe -> crypted.exe
  - PID 468 wrote to memory of 3232: 468 crypted.exe -> svchos.exe
  - PID 468 wrote to memory of 3232: 468 crypted.exe -> svchos.exe
  - PID 468 wrote to memory of 3232: 468 crypted.exe -> svchos.exe
  - PID 3232 wrote to memory of 3704: 3232 svchos.exe -> netsh.exe
  - PID 3232 wrote to memory of 3704: 3232 svchos.exe -> netsh.exe
  - PID 3232 wrote to memory of 3704: 3232 svchos.exe -> netsh.exe
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\CSGO cheat Injector.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CSGO cheat Injector.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\svchos.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchos.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchos.exe" "svchos.exe" ENABLE
          - Modifies Windows Firewall
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x45c 0x328
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3456,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
  - Filesize: 2KB
  - MD5: 340b294efc691d1b20c64175d565ebc7
  - SHA1: 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
  - SHA256: 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
  - SHA512: 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
  - Filesize: 13KB
  - MD5: 3e7ecaeb51c2812d13b07ec852d74aaf
  - SHA1: e9bdab93596ffb0f7f8c65243c579180939acb26
  - SHA256: e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
  - SHA512: 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  - Filesize: 6.1MB
  - MD5: 424bf196deaeb4ddcafb78e137fa560a
  - SHA1: 007738e9486c904a3115daa6e8ba2ee692af58c8
  - SHA256: 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
  - SHA512: a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
  - Filesize: 86KB
  - MD5: dcdd76e80973787b5db380543e380f8a
  - SHA1: 8a6b881fc535bc493bc0f225a6f47c6a696568c0
  - SHA256: aede243661ad8863a7c91ab57e20dfbe1fafd7ea5b2df0482c08da7b96501810
  - SHA512: 61296aea1c20f96efeb10368f5f2f8ed56466fa4e7c2bdac8a7c20c51c8aeae1e8f336b813408e63eb3f027d45b8d1b4e7b9389dc0710c4b2ef6024dbe9ee165
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
  - Filesize: 86KB
  - MD5: 6b22cfdf10b292df5e08bd63c97f4e66
  - SHA1: 951b3751f3b84fdc09d66674a33edd8236dd1624
  - SHA256: 580440de3ad0aa5b5a55451fefd38ce19597dd2f50ff09e13e10bf98a0e45555
  - SHA512: 9f109cce75668db583ffef6be7cf05eb90c468c4911553f10dc9514d7c82afe48fde48ddf2d8d6ab8a7a46f14f345966630430d0295a8721591abd27c2dd982c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
  - Filesize: 5B
  - MD5: 68934a3e9455fa72420237eb05902327
  - SHA1: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
  - SHA256: fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
  - SHA512: 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
  - Filesize: 322KB
  - MD5: c3256800dce47c14acc83ccca4c3e2ac
  - SHA1: 9d126818c66991dbc3813a65eddb88bbcf77f30a
  - SHA256: f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
  - SHA512: 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25