fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a

General

Target

CheatEngine75.exe
Size

28.6MB
MD5

e703b8ac5b3601deebbf05843c9a4e97
SHA1

ab154e32099776e432b4d2c31366985f27950cf1
SHA256

fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a
SHA512

8280af1c2455b37c13de60f1d4a4ab26fe7d03bed7f874b074afb4ae365f2380aa71525e7e649e924347c38efd601dd3a6b7924f56aa6c09932f24b5c2f03c65
SSDEEP

786432:dTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH2:d2EXFhV0KAcNjxAItj2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CheatEngine75.tmp

pid process

1464 CheatEngine75.tmp
Loads dropped DLL 1 IoCs

Processes:

CheatEngine75.tmp

pid process

1464 CheatEngine75.tmp

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

Processes:

CheatEngine75.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CheatEngine75.exeCheatEngine75.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CheatEngine75.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

CheatEngine75.tmp

pid	process
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp
1464	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

CheatEngine75.exe

description	pid	process	target process
PID 1016 wrote to memory of 1464	1016	CheatEngine75.exe	CheatEngine75.tmp
PID 1016 wrote to memory of 1464	1016	CheatEngine75.exe	CheatEngine75.tmp
PID 1016 wrote to memory of 1464	1016	CheatEngine75.exe	CheatEngine75.tmp

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\is-4BGI7.tmp\CheatEngine75.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4BGI7.tmp\CheatEngine75.tmp" /SL5="$7025C,29071676,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4BGI7.tmp\CheatEngine75.tmp
Filesize
3.1MB

MD5
349c57b17c961abbe59730d3cc5614b2

SHA1
32278b8621491e587a08f0764501b8b8314fd94c

SHA256
de28f1f10d5136dc5b30ccb73750559cca91720533717e9398ee45a44c75481b

SHA512
54d54d8b682c8cf9b06452a493e96307bfd9b8193f21e8eb5e89ad4420e1f6e066cf8bdeb70444ebcf2297520a4716ae1910124f21cab98e012f0fd19783c1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TUGUO.tmp\logo.png
Filesize
246KB

MD5
f3d1b8cd125a67bafe54b8f31dda1ccd

SHA1
1c6b6bf1e785ad80fc7e9131a1d7acbba88e8303

SHA256
21dfa1ff331794fcb921695134a3ba1174d03ee7f1e3d69f4b1a3581fccd2cdf

SHA512
c57d36daa20b1827b2f8f9f98c9fd4696579de0de43f9bbeef63a544561a5f50648cc69220d9e8049164df97cb4b2176963089e14d58a6369d490d8c04354401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TUGUO.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
memory/1016-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1016-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1016-27-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1464-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1464-25-0x0000000002EF0000-0x0000000003030000-memory.dmp

Filesize
1.2MB

Download
memory/1464-26-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1464-28-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads