Analysis
- max time kernel: 24s
- max time network: 25s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/06/2024, 15:43
Static task: static1
Behavioral task: behavioral1
  Sample: Cheats.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: Cheats.exe
  Resource: win7-20240419-en
Behavioral task: behavioral3
  Sample: Cheats.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral4
  Sample: Cheats.exe
  Resource: win11-20240611-en
General
- Target: Cheats.exe
- Size: 1.8MB
- MD5: 4f40fe592b8c8dde38b0e56d1c987060
- SHA1: 73d386dddf6d9aa2ba7347b54d7adb370e35163e
- SHA256: 399350fa770109605394a96f46edd77f1b3895f8b1ea435c34240a0d40c10b76
- SHA512: 3c7ae1bc65ca98312e3798f5d41942208e7d3a0bff950ad262b7d63a2c46f485e16aa5e2427896e712ee38dac2815a8e8e6d3a8919a04ef21395adfec65d1e40
- SSDEEP: 24576:4HnYUXRQmcVNit/+nmGSbhn1s6zUwY4x2FiZlD+DnX7gSf:4HYUXGvbmGSbh1s69YbFifyjcSf
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Cheats.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Cheats.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk | Cheats.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk | Cheats.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Program Files\\Chrome\\updater.exe\"" | Cheats.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Program Files\\Chrome\\updater.exe\"" | Cheats.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cheats = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheats.exe\"" | Cheats.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cheats = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheats.exe\"" | Cheats.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  3 | 0.tcp.eu.ngrok.io
  7 | 0.tcp.eu.ngrok.io
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Chrome\updater.exe | Cheats.exe
  File opened for modification | C:\Program Files\Chrome\updater.exe | Cheats.exe
  File created | C:\Program Files\Chrome\updater.exe | Cheats.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4132 | schtasks.exe
  1436 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1968 | Cheats.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1968 wrote to memory of 4132 | 1968 | Cheats.exe | 81
  PID 1968 wrote to memory of 4132 | 1968 | Cheats.exe | 81
  PID 1968 wrote to memory of 3784 | 1968 | Cheats.exe | 83
  PID 1968 wrote to memory of 3784 | 1968 | Cheats.exe | 83
  PID 3784 wrote to memory of 1436 | 3784 | Cheats.exe | 84
  PID 3784 wrote to memory of 1436 | 3784 | Cheats.exe | 84
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Cheats.exe (PID 1968, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
  Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\schtasks.exe (PID 4132, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "updater" /tr "C:\Program Files\Chrome\updater.exe"
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Cheats.exe (PID 3784, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
    Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\System32\schtasks.exe (PID 1436, depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Cheats" /tr "C:\Users\Admin\AppData\Local\Temp\Cheats.exe"
      Signatures: Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 1010B
  MD5: 90c504b559a1da14102b25a5a788cd67
  SHA1: a4503d4c6072701526940b27ac1baf28a1f51d9f
  SHA256: 8e47f90431e57fd3ae363dd4299b1e9c9cca3494c5954a5c1baa25cd6c00bf5c
  SHA512: 36ac5768a253c4c4c300a232ef9fee3465dc7584db4c22e5358bd6fbf6e24dbb82406d73e8a3092d36b003e09b88021a860efea667d867cf0e3e5b34aa2e310e
- Filesize: 1.3MB
  MD5: 134400fb7efe11bfc5a01108fcedde82
  SHA1: 60ade212c51804b3e1b762ec589d23b3639f5baa
  SHA256: 50ba6f23ecababdab3ce09cd1e93edce9539eb82e2d51c9a38d84cbd896eeef2
  SHA512: 7699926c51375e62aebf18b5b4a8d6f9f302da3d218eb328872d7e89899ca7eca86a932ad44b285412be0352ffa24ed216e72224015fa6d4bce4c5bfdec9bca6