Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-08-2024 12:35
Static task: static1
Behavioral task: behavioral1
- Sample: CheatEngine75.exe
- Resource: win10v2004-20240802-en
Behavioral task: behavioral2
- Sample: CheatEngine75.exe
- Resource: win11-20240802-en
General
- Target: CheatEngine75.exe
- Size: 28.6MB
- MD5: e703b8ac5b3601deebbf05843c9a4e97
- SHA1: ab154e32099776e432b4d2c31366985f27950cf1
- SHA256: fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a
- SHA512: 8280af1c2455b37c13de60f1d4a4ab26fe7d03bed7f874b074afb4ae365f2380aa71525e7e649e924347c38efd601dd3a6b7924f56aa6c09932f24b5c2f03c65
- SSDEEP: 786432:dTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH2:d2EXFhV0KAcNjxAItj2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1464 | CheatEngine75.tmp
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  1464 | CheatEngine75.tmp
- Checks for any installed AV software in registry (1 TTP, 9 IoCs)
  Processes (description / ioc / process):
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | CheatEngine75.tmp
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Avira\Browser\Installed | CheatEngine75.tmp
  Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | CheatEngine75.tmp
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\AVAST Software\Avast | CheatEngine75.tmp
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | CheatEngine75.tmp
  Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | CheatEngine75.tmp
  Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\AVG\AV\Dir | CheatEngine75.tmp
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed | CheatEngine75.tmp
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed | CheatEngine75.tmp
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CheatEngine75.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CheatEngine75.tmp
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CheatEngine75.tmp
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | CheatEngine75.tmp
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
  1464 | CheatEngine75.tmp (the same entry is listed 14 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 1016 wrote to memory of 1464 | 1016 | CheatEngine75.exe | CheatEngine75.tmp
  PID 1016 wrote to memory of 1464 | 1016 | CheatEngine75.exe | CheatEngine75.tmp
  PID 1016 wrote to memory of 1464 | 1016 | CheatEngine75.exe | CheatEngine75.tmp
Processes
- C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
  PID: 1016
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-4BGI7.tmp\CheatEngine75.tmp (depth 2, child of PID 1016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-4BGI7.tmp\CheatEngine75.tmp" /SL5="$7025C,29071676,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
    PID: 1464
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-4BGI7.tmp\CheatEngine75.tmp
  Filesize: 3.1MB
  MD5: 349c57b17c961abbe59730d3cc5614b2
  SHA1: 32278b8621491e587a08f0764501b8b8314fd94c
  SHA256: de28f1f10d5136dc5b30ccb73750559cca91720533717e9398ee45a44c75481b
  SHA512: 54d54d8b682c8cf9b06452a493e96307bfd9b8193f21e8eb5e89ad4420e1f6e066cf8bdeb70444ebcf2297520a4716ae1910124f21cab98e012f0fd19783c1f5
- C:\Users\Admin\AppData\Local\Temp\is-TUGUO.tmp\logo.png
  Filesize: 246KB
  MD5: f3d1b8cd125a67bafe54b8f31dda1ccd
  SHA1: 1c6b6bf1e785ad80fc7e9131a1d7acbba88e8303
  SHA256: 21dfa1ff331794fcb921695134a3ba1174d03ee7f1e3d69f4b1a3581fccd2cdf
  SHA512: c57d36daa20b1827b2f8f9f98c9fd4696579de0de43f9bbeef63a544561a5f50648cc69220d9e8049164df97cb4b2176963089e14d58a6369d490d8c04354401
- C:\Users\Admin\AppData\Local\Temp\is-TUGUO.tmp\zbShieldUtils.dll
  Filesize: 2.0MB
  MD5: b83f5833e96c2eb13f14dcca805d51a1
  SHA1: 9976b0a6ef3dabeab064b188d77d870dcdaf086d
  SHA256: 00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401
  SHA512: 8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb
- memory/1016-0-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB
- memory/1016-2-0x0000000000401000-0x00000000004B7000-memory.dmp
  Filesize: 728KB
- memory/1016-27-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB
- memory/1464-6-0x0000000000400000-0x000000000071C000-memory.dmp
  Filesize: 3.1MB
- memory/1464-25-0x0000000002EF0000-0x0000000003030000-memory.dmp
  Filesize: 1.2MB
- memory/1464-26-0x0000000000400000-0x000000000071C000-memory.dmp
  Filesize: 3.1MB
- memory/1464-28-0x0000000000400000-0x000000000071C000-memory.dmp
  Filesize: 3.1MB