Analysis

  • max time kernel
    10s
  • max time network
    13s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27/05/2024, 17:35

General

  • Target

    CheatEngine75P.exe

  • Size

    26.3MB

  • MD5

    124e5ba725b21e8b9efc27a94a7c0e6b

  • SHA1

    0c94aad1ba26b9f49814b949433488c7a2004054

  • SHA256

    bc37bba7efe232feebe23a7152f8a7407e5f868e771a46bf67106e70f295cbc4

  • SHA512

    a5260695ea7a27ad6a060809647fff447f51f8cec19f91568c37f4cc66278547fc41bb7c6b9f390c5d8f11f63df4c267b6e2cc0c56a87b363d9847bd945dfbb6

  • SSDEEP

    786432:4ru6+EORu4HYTd1AEtHYzENmuF7oUNUQWQu7bZmhxZTtU:4coJTd1dtHkENvhoLXQNTu

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp" /SL5="$E0070,26635706,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.patreon.com/oauth2/authorize?response_type=code&client_id=Ee5CBUULyVg9XvCXN5O4Ckb8scfLqvrS7ciLBTFDNOukA_rte9ln17e0ho3NV7ry&state=BxokcEAd4T8lApB6tnHpjG4kv3KWGNQikfCwTcKY&redirect_uri=https%3A%2F%2Fcheatengine.org%2Fpatreon%2FLogin2.php&scope=identity
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff899153cb8,0x7ff899153cc8,0x7ff899153cd8
          4⤵
            PID:2236
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
            4⤵
              PID:2460
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4756
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
              4⤵
                PID:2964
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                4⤵
                  PID:2832
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
                  4⤵
                    PID:3444
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                    4⤵
                      PID:3056
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:848
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1076

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    8ff8bdd04a2da5ef5d4b6a687da23156

                    SHA1

                    247873c114f3cc780c3adb0f844fc0bb2b440b6d

                    SHA256

                    09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

                    SHA512

                    5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    1e4ed4a50489e7fc6c3ce17686a7cd94

                    SHA1

                    eac4e98e46efc880605a23a632e68e2c778613e7

                    SHA256

                    fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

                    SHA512

                    5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

                    Filesize

                    206KB

                    MD5

                    f998b8f6765b4c57936ada0bb2eb4a5a

                    SHA1

                    13fb29dc0968838653b8414a125c124023c001df

                    SHA256

                    374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

                    SHA512

                    d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                    Filesize

                    5KB

                    MD5

                    24566540099cfdbb2f63ecbc70b9c068

                    SHA1

                    a8fa7a78b8ce504f7532294aa237ff684b715e7f

                    SHA256

                    d94e6186ee892792ed377fc902ae50555642e5d775132c6d810200491a7bbcba

                    SHA512

                    1dc7a95e423f4306ace5e1404d42aa766ccb0732b5fa58cf012602b617dcb44c6200ae5d0627fe26ac61d4d7c5b2148c9b189260703bcc5e852ad64d686d7d0a

                  • C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp

                    Filesize

                    3.1MB

                    MD5

                    ce748c0283fa3fdbb974580ad37c6e71

                    SHA1

                    40118bd5160d4b9cfba97d51fd842a9421203111

                    SHA256

                    4f807664e75665e2f4b46183327ce0125a9fc1d4e38f55a42113ecfa5c519847

                    SHA512

                    4beafc83f4808bec3026b158ee11b3de8976e510d24a1b330cd01d9e864c11b11cee56b0f740e1c296be4ee572a3e63529c041503e9c46f17d805953a7d93f00

                  • C:\Users\Admin\AppData\Local\Temp\is-E425G.tmp\pcheck.dll

                    Filesize

                    347KB

                    MD5

                    5663d99464c96a2677bf7a37efbead5d

                    SHA1

                    270520e3b3a30232109887213d25972c37677d3d

                    SHA256

                    cab93d088904265378f94b9a3ad7f2f93480b4c3f645bd1627b259f0cffb5fa8

                    SHA512

                    521ff832f662d4458114d17ffc7ae4e0bc66cbd06d2a676fb02acbf94cb8e86ba62aa7fe3901adac284080cebc5451750b91b7be3dd5422e1ef8a23603141a02

                  • memory/568-0-0x0000000000400000-0x00000000004D8000-memory.dmp

                    Filesize

                    864KB

                  • memory/568-2-0x0000000000401000-0x00000000004B7000-memory.dmp

                    Filesize

                    728KB

                  • memory/4268-6-0x0000000000400000-0x000000000071B000-memory.dmp

                    Filesize

                    3.1MB