bc37bba7efe232feebe23a7152f8a7407e5f868e771a46bf67106e70f295cbc4

Analysis

max time kernel
10s
max time network
13s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27/05/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75P.exe
Size

26.3MB
MD5

124e5ba725b21e8b9efc27a94a7c0e6b
SHA1

0c94aad1ba26b9f49814b949433488c7a2004054
SHA256

bc37bba7efe232feebe23a7152f8a7407e5f868e771a46bf67106e70f295cbc4
SHA512

a5260695ea7a27ad6a060809647fff447f51f8cec19f91568c37f4cc66278547fc41bb7c6b9f390c5d8f11f63df4c267b6e2cc0c56a87b363d9847bd945dfbb6
SSDEEP

786432:4ru6+EORu4HYTd1AEtHYzENmuF7oUNUQWQu7bZmhxZTtU:4coJTd1dtHkENvhoLXQNTu

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4268	CheatEngine75P.tmp

Loads dropped DLL 1 IoCs

pid	Process
4268	CheatEngine75P.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4756	msedge.exe
4756	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 4268	568	CheatEngine75P.exe	78
PID 568 wrote to memory of 4268	568	CheatEngine75P.exe	78
PID 568 wrote to memory of 4268	568	CheatEngine75P.exe	78
PID 4268 wrote to memory of 3092	4268	CheatEngine75P.tmp	79
PID 4268 wrote to memory of 3092	4268	CheatEngine75P.tmp	79
PID 3092 wrote to memory of 2236	3092	msedge.exe	80
PID 3092 wrote to memory of 2236	3092	msedge.exe	80
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 2460	3092	msedge.exe	81
PID 3092 wrote to memory of 4756	3092	msedge.exe	82
PID 3092 wrote to memory of 4756	3092	msedge.exe	82
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83
PID 3092 wrote to memory of 2964	3092	msedge.exe	83

C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp" /SL5="$E0070,26635706,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.patreon.com/oauth2/authorize?response_type=code&client_id=Ee5CBUULyVg9XvCXN5O4Ckb8scfLqvrS7ciLBTFDNOukA_rte9ln17e0ho3NV7ry&state=BxokcEAd4T8lApB6tnHpjG4kv3KWGNQikfCwTcKY&redirect_uri=https%3A%2F%2Fcheatengine.org%2Fpatreon%2FLogin2.php&scope=identity
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff899153cb8,0x7ff899153cc8,0x7ff899153cd8
      4⤵
      PID:2236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      4⤵
      PID:2964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:2832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ff8bdd04a2da5ef5d4b6a687da23156

SHA1
247873c114f3cc780c3adb0f844fc0bb2b440b6d

SHA256
09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

SHA512
5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e4ed4a50489e7fc6c3ce17686a7cd94

SHA1
eac4e98e46efc880605a23a632e68e2c778613e7

SHA256
fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

SHA512
5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
24566540099cfdbb2f63ecbc70b9c068

SHA1
a8fa7a78b8ce504f7532294aa237ff684b715e7f

SHA256
d94e6186ee892792ed377fc902ae50555642e5d775132c6d810200491a7bbcba

SHA512
1dc7a95e423f4306ace5e1404d42aa766ccb0732b5fa58cf012602b617dcb44c6200ae5d0627fe26ac61d4d7c5b2148c9b189260703bcc5e852ad64d686d7d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp

Filesize
3.1MB

MD5
ce748c0283fa3fdbb974580ad37c6e71

SHA1
40118bd5160d4b9cfba97d51fd842a9421203111

SHA256
4f807664e75665e2f4b46183327ce0125a9fc1d4e38f55a42113ecfa5c519847

SHA512
4beafc83f4808bec3026b158ee11b3de8976e510d24a1b330cd01d9e864c11b11cee56b0f740e1c296be4ee572a3e63529c041503e9c46f17d805953a7d93f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E425G.tmp\pcheck.dll

Filesize
347KB

MD5
5663d99464c96a2677bf7a37efbead5d

SHA1
270520e3b3a30232109887213d25972c37677d3d

SHA256
cab93d088904265378f94b9a3ad7f2f93480b4c3f645bd1627b259f0cffb5fa8

SHA512
521ff832f662d4458114d17ffc7ae4e0bc66cbd06d2a676fb02acbf94cb8e86ba62aa7fe3901adac284080cebc5451750b91b7be3dd5422e1ef8a23603141a02

Download Submit
memory/568-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/568-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4268-6-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download