1c10cedba382981455f0fc1b5ad2f98798478837ee622fa11097a80be7b967f4

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install/CheatEngine67.exe
Size

11.6MB
MD5

60bc92a679c5864ff88c777855242eff
SHA1

f9af39a0983b5878451d9d365da2ec8d51572e54
SHA256

a4676e3fb1d1514d631e1ccb0a82d374068a43c43bf5d4ebf48c5be1f46c7b0e
SHA512

49d54912ab2b11ed2ad5fbbf007b9d6e0aba02937ed21489bd1ad7c57f278764878e4f2ff60317896e627e1cfa470c4acefd86061f9e6072137246aa5c0f78ec
SSDEEP

196608:MkU/fsNbpUGJJ177vcsCQypVRUBSCwBpvvDMs4VMY0I+RSIxBauMTTAraX:MXfsgGV3TCdpV6BPCpDMfXEEuNaX

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1220	CheatEngine67.tmp

Loads dropped DLL 2 IoCs

pid	Process
1220	CheatEngine67.tmp
1220	CheatEngine67.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine67.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 1220	460	CheatEngine67.exe	85
PID 460 wrote to memory of 1220	460	CheatEngine67.exe	85
PID 460 wrote to memory of 1220	460	CheatEngine67.exe	85

C:\Users\Admin\AppData\Local\Temp\install\CheatEngine67.exe
"C:\Users\Admin\AppData\Local\Temp\install\CheatEngine67.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Local\Temp\is-ML6K7.tmp\CheatEngine67.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ML6K7.tmp\CheatEngine67.tmp" /SL5="$801F2,11858096,56832,C:\Users\Admin\AppData\Local\Temp\install\CheatEngine67.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2KF78.tmp\xbCuMZHcmH.dll

Filesize
998KB

MD5
d813717ead5a378d0bacbd83570a4f87

SHA1
dd928eef9b3d8fd36533933738c5f69c4b6d9760

SHA256
50aad0d52b234b777a7454362a70533c0c61ef069aeb5cdf6f7009d04c4dbb7a

SHA512
dae851320bc849d7c0687b483169ec02806b64822b4b8ed0b747fcda4d5092a1d8d2e556f440bc7d19c1f425b04b67f70a9576f1a48ee714a1c16b66ff9963b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ML6K7.tmp\CheatEngine67.tmp

Filesize
706KB

MD5
43c28b1b78fa673785848106ff8e85a4

SHA1
77ada0c640ce666f6500612d877b956c57fc7520

SHA256
8575ce7ac6a815958b7c8962a85328f6864bd9ad207e2a8670f6d36efde9d7a4

SHA512
e4a0db7de4e0d0d04341fe2d37f58dca09082df41f8a7edf40ab176e3a2a72aaad372ab6f381e8c5388cc1a8af0195df19adf961b31d7406a13033f5a5e1bd9a

Download Submit
memory/460-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/460-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/460-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1220-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1220-15-0x0000000005580000-0x000000000567E000-memory.dmp

Filesize
1016KB

Download
memory/1220-19-0x0000000005580000-0x000000000567E000-memory.dmp

Filesize
1016KB

Download
memory/1220-18-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1220-25-0x0000000005580000-0x000000000567E000-memory.dmp

Filesize
1016KB

Download