Overview
overview
5Static
static
3install/Ch...67.exe
windows7-x64
4install/Ch...67.exe
windows10-2004-x64
4noinstall/...ne.exe
windows7-x64
5noinstall/...ne.exe
windows10-2004-x64
5noinstall/...ne.chm
windows7-x64
1noinstall/...ne.chm
windows10-2004-x64
1noinstall/...32.exe
windows7-x64
3noinstall/...32.exe
windows10-2004-x64
3noinstall/...64.exe
windows7-x64
1noinstall/...64.exe
windows10-2004-x64
1noinstall/...er.exe
windows7-x64
3noinstall/...er.exe
windows10-2004-x64
3noinstall/...86.exe
windows7-x64
3noinstall/...86.exe
windows10-2004-x64
3noinstall/...64.exe
windows7-x64
1noinstall/...64.exe
windows10-2004-x64
1noinstall/...86.dll
windows7-x64
3noinstall/...86.dll
windows10-2004-x64
3noinstall/...64.dll
windows7-x64
1noinstall/...64.dll
windows10-2004-x64
1noinstall/...TI.dll
windows7-x64
3noinstall/...TI.dll
windows10-2004-x64
3noinstall/...TI.dll
windows7-x64
1noinstall/...TI.dll
windows10-2004-x64
1noinstall/...32.dll
windows7-x64
5noinstall/...32.dll
windows10-2004-x64
5noinstall/...64.dll
windows7-x64
5noinstall/...64.dll
windows10-2004-x64
5noinstall/...ver.js
windows7-x64
3noinstall/...ver.js
windows10-2004-x64
3noinstall/...ver.js
windows7-x64
3noinstall/...ver.js
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
10-08-2024 06:30
Static task
static1
Behavioral task
behavioral1
Sample
install/CheatEngine67.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
install/CheatEngine67.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
noinstall/Cheat Engine.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral4
Sample
noinstall/Cheat Engine.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
noinstall/CheatEngine.chm
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
noinstall/CheatEngine.chm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
noinstall/DotNetDataCollector32.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
noinstall/DotNetDataCollector32.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
noinstall/DotNetDataCollector64.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
noinstall/DotNetDataCollector64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
noinstall/Kernelmoduleunloader.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
noinstall/Kernelmoduleunloader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
noinstall/Tutorial-i386.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
noinstall/Tutorial-i386.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
noinstall/Tutorial-x86_64.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral16
Sample
noinstall/Tutorial-x86_64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
noinstall/allochook-i386.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
noinstall/allochook-i386.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
noinstall/allochook-x86_64.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
noinstall/allochook-x86_64.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
noinstall/autorun/dlls/32/CEJVMTI.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
noinstall/autorun/dlls/32/CEJVMTI.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
noinstall/autorun/dlls/64/CEJVMTI.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral24
Sample
noinstall/autorun/dlls/64/CEJVMTI.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
noinstall/autorun/dlls/MonoDataCollector32.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
noinstall/autorun/dlls/MonoDataCollector32.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
noinstall/autorun/dlls/MonoDataCollector64.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
noinstall/autorun/dlls/MonoDataCollector64.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaEventServer.js
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral30
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaEventServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaServer.js
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral32
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
noinstall/Cheat Engine.exe
-
Size
330KB
-
MD5
137a55c26e9ae8a92bf8cbee0b70ef61
-
SHA1
32fab66aa6acb3cd130f92991d64d65ba1045fa6
-
SHA256
6b4b25165fb825ca82a774413263bfe5c4840dcde9eb9efc1470c6d8a9554857
-
SHA512
83187a7a4099006bda6f14b5a5525cd1e7b6e791c159958721c23007ed51e6a39c66a6cfcca2769df5c08c4a99da1c8d81b6c527e1bbe13d2e9148937a4b1a2e
-
SSDEEP
6144:fjpISCLahZZvkSadUSjngHRjPYvv2tUrdgugEkkoSE5m2uw:VIBLMT7EgHRYGtUrdgugEnoSE5t
Malware Config
Signatures
-
Drops file in System32 directory 51 IoCs
description ioc Process File opened for modification C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\profapi.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\wininet.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\imm32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\shell32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\USER32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\ole32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\comdlg32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\dwmapi.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\RPCRT4.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\opengl32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\CRYPTBASE.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\ws2_32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\SHLWAPI.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\DDRAW.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\CFGMGR32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\ntdll.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\sechost.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\shfolder.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\LPK.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\USP10.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\uxtheme.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\normaliz.DLL cheatengine-x86_64.exe File opened for modification C:\Windows\system32\DCIMAN32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\wsock32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\kernel32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\KERNELBASE.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\CLBCatQ.DLL cheatengine-x86_64.exe File opened for modification C:\Windows\system32\propsys.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\GLU32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\SETUPAPI.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\msimg32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\advapi32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\explorerframe.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\DUser.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\DUI70.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\NSI.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\imagehlp.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\hhctrl.ocx cheatengine-x86_64.exe File opened for modification C:\Windows\system32\version.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\psapi.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\oleaut32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\msvcrt.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\GDI32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\DEVOBJ.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\MSCTF.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\iertutil.dll cheatengine-x86_64.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll cheatengine-x86_64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cheat Engine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tutorial-i386.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2224 cheatengine-x86_64.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 2224 cheatengine-x86_64.exe Token: SeTcbPrivilege 2224 cheatengine-x86_64.exe Token: SeTcbPrivilege 2224 cheatengine-x86_64.exe Token: SeLoadDriverPrivilege 2224 cheatengine-x86_64.exe Token: SeCreateGlobalPrivilege 2224 cheatengine-x86_64.exe Token: SeLockMemoryPrivilege 2224 cheatengine-x86_64.exe Token: 33 2224 cheatengine-x86_64.exe Token: SeSecurityPrivilege 2224 cheatengine-x86_64.exe Token: SeTakeOwnershipPrivilege 2224 cheatengine-x86_64.exe Token: SeManageVolumePrivilege 2224 cheatengine-x86_64.exe Token: SeBackupPrivilege 2224 cheatengine-x86_64.exe Token: SeCreatePagefilePrivilege 2224 cheatengine-x86_64.exe Token: SeShutdownPrivilege 2224 cheatengine-x86_64.exe Token: SeRestorePrivilege 2224 cheatengine-x86_64.exe Token: 33 2224 cheatengine-x86_64.exe Token: SeIncBasePriorityPrivilege 2224 cheatengine-x86_64.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2224 cheatengine-x86_64.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2688 wrote to memory of 2224 2688 Cheat Engine.exe 30 PID 2688 wrote to memory of 2224 2688 Cheat Engine.exe 30 PID 2688 wrote to memory of 2224 2688 Cheat Engine.exe 30 PID 2688 wrote to memory of 2224 2688 Cheat Engine.exe 30 PID 2224 wrote to memory of 2168 2224 cheatengine-x86_64.exe 31 PID 2224 wrote to memory of 2168 2224 cheatengine-x86_64.exe 31 PID 2224 wrote to memory of 2168 2224 cheatengine-x86_64.exe 31 PID 2224 wrote to memory of 2168 2224 cheatengine-x86_64.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\noinstall\Cheat Engine.exe"C:\Users\Admin\AppData\Local\Temp\noinstall\Cheat Engine.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\noinstall\cheatengine-x86_64.exe"C:\Users\Admin\AppData\Local\Temp\noinstall\cheatengine-x86_64.exe"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\noinstall\Tutorial-i386.exe"C:\Users\Admin\AppData\Local\Temp\noinstall\Tutorial-i386.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-