Resubmissions

07/06/2024, 15:52

240607-ta18jsaf7v 3

07/06/2024, 15:50

240607-s9w77saf5x 3

Analysis

  • max time kernel
    53s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/06/2024, 15:50

General

  • Target

    SkechWare CS2 Free External Cheat v1.1.exe

  • Size

    418KB

  • MD5

    935bea237e54b4b6c9c0cdccb678e685

  • SHA1

    5426b3863af75f75146090dbba646f2c4c893912

  • SHA256

    71c59c197cfad1bc201c5754b950b87c40daa54177e3df330e540efc848259eb

  • SHA512

    c5f994345f4f18a053578599976aeb8d3f6d1e845e1cc08633d3d0e31c86c5896f9e85d8abb3550dfb97b2039899fa60f423cea9fd952ad43c52589959956fd6

  • SSDEEP

    6144:puDxWW1WxJTINHAQ2Fy7P2Zl3K2TVxM/6SlaWEMwKUIKVrn2os4Rto9FgQQQK0Nm:4xBuk90rPeAv2yY5Lvnr3

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 10 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SkechWare CS2 Free External Cheat v1.1.exe
    "C:\Users\Admin\AppData\Local\Temp\SkechWare CS2 Free External Cheat v1.1.exe"
    1⤵
      PID:4364
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.0.2035687415\671826445" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72506d2c-180a-4232-906e-06bd1671356b} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 1852 239d150de58 gpu
          3⤵
            PID:4336
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.1.507186423\543787487" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cabf05c-9be2-4e93-b0c7-6a9f85da84ac} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 2420 239c4889f58 socket
            3⤵
            • Checks processor information in registry
            PID:5044
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.2.1007367851\524819847" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2872 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2b8f91d-510b-4f4c-9f5e-da475c9e9e81} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 2980 239d3ce3e58 tab
            3⤵
              PID:2496
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.3.655472520\2044621660" -childID 2 -isForBrowser -prefsHandle 4232 -prefMapHandle 4228 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {053fefbe-0e97-48ab-8b46-0b79655be6ff} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 4244 239d6822b58 tab
              3⤵
                PID:3976
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.4.98654541\2027640496" -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 5084 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e093e81-a63a-4326-a8d1-7b63d855ba7a} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 5140 239d8279b58 tab
                3⤵
                  PID:1816
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.5.1719939550\421167921" -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be30a2d1-0fed-4213-83be-67964879edf6} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 5376 239d827b058 tab
                  3⤵
                    PID:4856
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1404.6.2016741040\311529396" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7e2dd7b-82f3-4e54-8814-f07d43198ec5} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" 5272 239d827ad58 tab
                    3⤵
                      PID:2796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 28KB
    MD5: 76ef2f8ef4cfd18c36a1b4620f406b4d
    SHA1: 119f062f8f737678cd68c5b0a7ab3de1c746aba2
    SHA256: f78c3c70aa32ce2b8a5788e09b9b7e569a15e5fb0fc471071cfbe0ae1dfdfe94
    SHA512: 4f12796965c474f0adb9118a2cf0f89f62fd55a81f6645a8532d39e6efd634b3af68a99d8f6e5ad5eb01ae4b616c8864f7797e028b23c2c19d8ede4acd62e21c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 60368425451b15ab486b67ac0daeedee
    SHA1: 8fcea7ac05579bc18c134cc53516e133136f9032
    SHA256: 1c17819d9a9434aced7707c6669a68664bfb46a04b60a488fd82321773cba7e3
    SHA512: e3f98ac0a782f468250fd65f894a4bcfce7a5e0d7d8b67e62a7b94786938b1af636989787bc18bd4c96c3b1f54fe37a7a872e644062fec7c85cf57f0d1339a53

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
    Filesize: 6KB
    MD5: b096a0cd684545f5f6eb4ef65ff937e7
    SHA1: b02b8d62a34310f60869e3ce955241bece4c810a
    SHA256: b8eabb228ac3d44e0cf2b10e1b6f2294b5d6cf215e1eba7176cd64b4fe15c736
    SHA512: 8250682aad9c3a42b0ff505ddd8f1acd0fa797d9e7c8cac47b1746ec7ac7fe97f9094abd9dc8ee6831ceb8b206d6a481b049665654c63de92a4cacf371c9ba9d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp
    Filesize: 259B
    MD5: c8dc58eff0c029d381a67f5dca34a913
    SHA1: 3576807e793473bcbd3cf7d664b83948e3ec8f2d
    SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
    SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: b0495ba681bcb5852dc4d2d73a02011b
    SHA1: fd9649c9238a2e2c3df5884ea3e16ecd21ff6028
    SHA256: 386a41737b85c4e76a348c64b1115a5ff4763fd0cb238e01112e5058f24fb152
    SHA512: 309138ffcdfad2cf0c3b76458bead22da3f7c78213979e4bff8dd28e524b34310a8ee5f06c0b65e05f83fa39d7888ee0f67a7c69992e176ffec17865ec18520a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
    Filesize: 914B
    MD5: a10235db39a6b72f56eae7aaad6df41f
    SHA1: c8847642fa4fdaafe9e09bafc86f03a1c03d5584
    SHA256: bb85e5aeed66301345a532d3a81456ace9fcbd7e26c0b7a189f2635256b9f80e
    SHA512: 966ac55cbec1e9838b8aa8af2edebec9fe5e046674678821085f2856c706ff3dccfaf8a2639a36434db0536a5dc30d70ad097ae7bc0e1c22c165a397cf777ca7