Resubmissions
16-06-2024 15:54
240616-tcj22stcmm 9
Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 15:54
Behavioral task: behavioral1
- Sample: cheat.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: cheat.exe
- Resource: win10v2004-20240508-en
General
- Target: cheat.exe
- Size: 4.1MB
- MD5: a20e247d5dbab2a84b718801dec0025e
- SHA1: 04d6c781da09b237068b1ed7054003a14833ea3b
- SHA256: 74c5383e22aa8ae4e9941fd5d431c80b617f583e4158647c807d5d6188d7cced
- SHA512: ec9728e9344563a74c2a906f3b289c6383bc2f564cf722170f3d3fdbfd433790b4811c7f3e8d3e9de5b16b4618ed8244eb055bf01e1ffc49fd5ad477af73011c
- SSDEEP: 98304:IdlAOJ6MIcGcPJt4IEKNILJpCHFBPmjE2K/pu9mfhVlNNFQ:yqOYJcBP/4TKNItpCTmjERRu9enNI
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes: cheat.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cheat.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: cheat.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | cheat.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: cheat.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cheat.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cheat.exe
- Processes:
  resource | yara_rule
  behavioral1/memory/1044-0-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-3-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-4-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-2-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-6-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-8-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-7-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-5-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-10-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
  behavioral1/memory/1044-12-0x000000013FE40000-0x00000001408FA000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes: cheat.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cheat.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: cheat.exe
  pid | process
  1044 | cheat.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes: cheat.exe
  pid | process
  1044 | cheat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: cheat.exe
  description | pid | process
  Token: SeLoadDriverPrivilege | 1044 | cheat.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cheat.exe
  description | pid | process | target process
  PID 1044 wrote to memory of 2572 | 1044 | cheat.exe | WerFault.exe
  PID 1044 wrote to memory of 2572 | 1044 | cheat.exe | WerFault.exe
  PID 1044 wrote to memory of 2572 | 1044 | cheat.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  PID: 1044
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Sets service image path in registry
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1044 -s 880
    PID: 2572