1c10cedba382981455f0fc1b5ad2f98798478837ee622fa11097a80be7b967f4

Analysis

max time kernel
140s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install/CheatEngine67.exe
Size

11.6MB
MD5

60bc92a679c5864ff88c777855242eff
SHA1

f9af39a0983b5878451d9d365da2ec8d51572e54
SHA256

a4676e3fb1d1514d631e1ccb0a82d374068a43c43bf5d4ebf48c5be1f46c7b0e
SHA512

49d54912ab2b11ed2ad5fbbf007b9d6e0aba02937ed21489bd1ad7c57f278764878e4f2ff60317896e627e1cfa470c4acefd86061f9e6072137246aa5c0f78ec
SSDEEP

196608:MkU/fsNbpUGJJ177vcsCQypVRUBSCwBpvvDMs4VMY0I+RSIxBauMTTAraX:MXfsgGV3TCdpV6BPCpDMfXEEuNaX

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	CheatEngine67.tmp

Loads dropped DLL 4 IoCs

pid	Process
1832	CheatEngine67.exe
2680	CheatEngine67.tmp
2680	CheatEngine67.tmp
2680	CheatEngine67.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine67.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine67.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	CheatEngine67.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30
PID 1832 wrote to memory of 2680	1832	CheatEngine67.exe	30

C:\Users\Admin\AppData\Local\Temp\install\CheatEngine67.exe
"C:\Users\Admin\AppData\Local\Temp\install\CheatEngine67.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\is-0ORMN.tmp\CheatEngine67.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0ORMN.tmp\CheatEngine67.tmp" /SL5="$400C6,11858096,56832,C:\Users\Admin\AppData\Local\Temp\install\CheatEngine67.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0ORMN.tmp\CheatEngine67.tmp

Filesize
706KB

MD5
43c28b1b78fa673785848106ff8e85a4

SHA1
77ada0c640ce666f6500612d877b956c57fc7520

SHA256
8575ce7ac6a815958b7c8962a85328f6864bd9ad207e2a8670f6d36efde9d7a4

SHA512
e4a0db7de4e0d0d04341fe2d37f58dca09082df41f8a7edf40ab176e3a2a72aaad372ab6f381e8c5388cc1a8af0195df19adf961b31d7406a13033f5a5e1bd9a

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7SR3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7SR3.tmp\xbCuMZHcmH.dll

Filesize
998KB

MD5
d813717ead5a378d0bacbd83570a4f87

SHA1
dd928eef9b3d8fd36533933738c5f69c4b6d9760

SHA256
50aad0d52b234b777a7454362a70533c0c61ef069aeb5cdf6f7009d04c4dbb7a

SHA512
dae851320bc849d7c0687b483169ec02806b64822b4b8ed0b747fcda4d5092a1d8d2e556f440bc7d19c1f425b04b67f70a9576f1a48ee714a1c16b66ff9963b6

Download Submit
memory/1832-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1832-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1832-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2680-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2680-17-0x0000000003220000-0x000000000331E000-memory.dmp

Filesize
1016KB

Download
memory/2680-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2680-21-0x0000000003220000-0x000000000331E000-memory.dmp

Filesize
1016KB

Download