399350fa770109605394a96f46edd77f1b3895f8b1ea435c34240a0d40c10b76 | Triage

Analysis

max time kernel
24s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 15:43

Sharing

Report Analysis Logs

General

Target

Cheats.exe
Size

1.8MB
MD5

4f40fe592b8c8dde38b0e56d1c987060
SHA1

73d386dddf6d9aa2ba7347b54d7adb370e35163e
SHA256

399350fa770109605394a96f46edd77f1b3895f8b1ea435c34240a0d40c10b76
SHA512

3c7ae1bc65ca98312e3798f5d41942208e7d3a0bff950ad262b7d63a2c46f485e16aa5e2427896e712ee38dac2815a8e8e6d3a8919a04ef21395adfec65d1e40
SSDEEP

24576:4HnYUXRQmcVNit/+nmGSbhn1s6zUwY4x2FiZlD+DnX7gSf:4HYUXGvbmGSbh1s69YbFifyjcSf

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Cheats.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	Cheats.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	Cheats.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Program Files\\Chrome\\updater.exe\""	Cheats.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Program Files\\Chrome\\updater.exe\""	Cheats.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cheats = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheats.exe\""	Cheats.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cheats = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheats.exe\""	Cheats.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

flow	ioc
3	0.tcp.eu.ngrok.io
7	0.tcp.eu.ngrok.io

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Chrome\updater.exe	Cheats.exe
File opened for modification	C:\Program Files\Chrome\updater.exe	Cheats.exe
File created	C:\Program Files\Chrome\updater.exe	Cheats.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4132	schtasks.exe
1436	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	Cheats.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4132	1968	Cheats.exe	81
PID 1968 wrote to memory of 4132	1968	Cheats.exe	81
PID 1968 wrote to memory of 3784	1968	Cheats.exe	83
PID 1968 wrote to memory of 3784	1968	Cheats.exe	83
PID 3784 wrote to memory of 1436	3784	Cheats.exe	84
PID 3784 wrote to memory of 1436	3784	Cheats.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Cheats.exe
"C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "updater" /tr "C:\Program Files\Chrome\updater.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\Cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Cheats" /tr "C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk

Filesize
1010B

MD5
90c504b559a1da14102b25a5a788cd67

SHA1
a4503d4c6072701526940b27ac1baf28a1f51d9f

SHA256
8e47f90431e57fd3ae363dd4299b1e9c9cca3494c5954a5c1baa25cd6c00bf5c

SHA512
36ac5768a253c4c4c300a232ef9fee3465dc7584db4c22e5358bd6fbf6e24dbb82406d73e8a3092d36b003e09b88021a860efea667d867cf0e3e5b34aa2e310e

Download Submit
C:\Users\Admin\AppData\Roaming\RCV.EXE

Filesize
1.3MB

MD5
134400fb7efe11bfc5a01108fcedde82

SHA1
60ade212c51804b3e1b762ec589d23b3639f5baa

SHA256
50ba6f23ecababdab3ce09cd1e93edce9539eb82e2d51c9a38d84cbd896eeef2

SHA512
7699926c51375e62aebf18b5b4a8d6f9f302da3d218eb328872d7e89899ca7eca86a932ad44b285412be0352ffa24ed216e72224015fa6d4bce4c5bfdec9bca6

Download Submit
memory/1968-0-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp

Filesize
8KB

Download
memory/1968-1-0x00000000005A0000-0x000000000077A000-memory.dmp

Filesize
1.9MB

Download
memory/1968-2-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

Filesize
10.8MB

Download
memory/1968-9-0x000000001C250000-0x000000001C3D6000-memory.dmp

Filesize
1.5MB

Download
memory/1968-11-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

Filesize
10.8MB

Download
memory/3784-12-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

Filesize
10.8MB

Download