General

  • Target

    cheat-engine-7-5.exe

  • Size

    28.6MB

  • Sample

    241109-gth5vsyhqg

  • MD5

    28a85ba5396fcfa8a5f794f04dce35e4

  • SHA1

    c730d730e167d68a41a8382823c181ff9a75a891

  • SHA256

    d77fbaa35585f25de3f492e4e3d0bfa6f0f73b053fd6a64058766fef75eca04e

  • SHA512

    9aa41988b028689ed848ab18bfbc8957d139ccdbd452cda2fa9f0a7a5fb7b73751e0006a0f7830eac43127d9042fff9deb9041f3a3076a1f397e4b7bbd9019f9

  • SSDEEP

    786432:4CxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHOP:dEXFhV0KAcNjxAItjOP

Malware Config

Targets

    • Target

      cheat-engine-7-5.exe

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Stops running service(s)

    • Uses Session Manager for persistence

      Creates a value under the Session Manager registry key (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) so that smss.exe runs the executable early in boot, before any service has started.

    • Impair Defenses: Safe Mode Boot (ATT&CK T1562.009)

      Adversaries may abuse Windows Safe Mode, where most third-party security software does not load, by editing the SafeBoot service lists so that their own components still run there.

    • Modifies file permissions

    • Checks for any installed AV software in registry

    • Downloads MZ/PE file

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence to decide whether to run on this machine.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking (ATT&CK T1546.015)

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. Per-user entries under HKCU\Software\Classes\CLSID are resolved before the machine-wide HKLM copy, so a hijack needs no administrative rights.
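The registry-backed signatures above (Session Manager persistence, Safe Mode Boot, service image path, COM hijacking) can be hunted for on an endpoint. The following Python is an added example written for this page; it is not part of the sandbox report and does not come from the sample's author. It runs its checks over a plain dict so the logic can be exercised offline (SAMPLE_SNAPSHOT is constructed, including the CLSID and every file path in it), and on Windows collect_snapshot() fills that dict from the live registry with the standard-library winreg module. The registry key paths are the standard Windows locations; the user-writable-directory heuristic, the SystemRoot fallback and all function names are this example's own choices.

```python
"""Endpoint checks for the registry-based signatures in the report above
(Session Manager BootExecute, SafeBoot lists, service ImagePath values,
per-user COM InprocServer32 keys).  Added example, not part of the report."""
import os
import platform
SESSION_MGR = r"SYSTEM\CurrentControlSet\Control\Session Manager"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
SERVICES = r"SYSTEM\CurrentControlSet\Services"
HKCU_CLSID = r"Software\Classes\CLSID"
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")  # assumed off-Windows
# Heuristic: a boot-time driver, Safe Mode service or COM server loaded from a
# directory a standard user can write to deserves a look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

def normalize_image_path(raw):
    """ImagePath -> plain Win32 path: drop quotes/arguments, the \\??\\ and
    \\SystemRoot\\ NT prefixes, and expand the bare system32\\ driver form."""
    path = raw.strip()
    path = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
    if path.lower().startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = SYSTEM_ROOT + path[len("\\systemroot"):]
    elif path.lower().startswith("system32\\"):
        path = SYSTEM_ROOT + "\\" + path
    return path

def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def check_bootexecute(entries):
    """smss.exe runs each BootExecute entry before any service starts; a clean
    system only carries autochk lines (chkdsk scheduling appends arguments)."""
    return [e for e in entries if not e.strip().lower().startswith("autocheck autochk")]

def check_services(services):
    """(name, path) for services/drivers whose binary sits in a user-writable dir."""
    paths = {n: normalize_image_path(v.get("ImagePath", "")) for n, v in services.items()}
    return [(n, p) for n, p in paths.items() if is_user_writable(p)]

def check_safeboot(safeboot, services):
    """SafeBoot\\Minimal and \\Network list what may load in Safe Mode.  Flag
    entries naming a flagged service; entries matching no service are driver
    groups or class GUIDs and are skipped."""
    flagged = {n.lower(): (n, p) for n, p in check_services(services)}
    return [(mode,) + flagged[e.lower()] for mode, entries in safeboot.items()
            for e in entries if e.lower() in flagged]

def check_com_hijack(hkcu_clsid):
    """Per-user CLSID\\{id}\\InprocServer32 keys win over the HKLM copy and need no
    admin rights: the COM-hijack primitive.  Report all, mark user-writable ones."""
    return [(clsid, dll, is_user_writable(dll)) for clsid, dll in hkcu_clsid.items()]

def evaluate(snapshot):
    return {"bootexecute": check_bootexecute(snapshot["bootexecute"]),
            "services": check_services(snapshot["services"]),
            "safeboot": check_safeboot(snapshot["safeboot"], snapshot["services"]),
            "com_hijack": check_com_hijack(snapshot["hkcu_clsid"])}

def collect_snapshot():
    """Windows only; run elevated so the whole SYSTEM hive is readable."""
    import winreg
    HKLM, HKCU = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER

    def subkeys(root, path):  # [] if the key is absent
        names = []
        try:
            with winreg.OpenKey(root, path) as key:
                while True:
                    names.append(winreg.EnumKey(key, len(names)))
        except OSError:
            return names

    def value(root, path, name):  # None if key or value is absent
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    services = {n: {"ImagePath": value(HKLM, SERVICES + "\\" + n, "ImagePath")}
                for n in subkeys(HKLM, SERVICES)}
    hkcu = {c: value(HKCU, HKCU_CLSID + "\\" + c + "\\InprocServer32", "")
            for c in subkeys(HKCU, HKCU_CLSID)}  # "" asks for the default value
    return {"bootexecute": value(HKLM, SESSION_MGR, "BootExecute") or [],
            "safeboot": {m: subkeys(HKLM, SAFEBOOT + "\\" + m) for m in ("Minimal", "Network")},
            "services": {n: v for n, v in services.items() if v["ImagePath"]},
            "hkcu_clsid": {c: d for c, d in hkcu.items() if d}}

SAMPLE_SNAPSHOT = {  # constructed for offline runs; nothing here comes from the sample
    "bootexecute": ["autocheck autochk *", "C:\\ProgramData\\bootrun.exe"],
    "safeboot": {"Minimal": ["vga", "Boot Bus Extender", "evilsvc"], "Network": ["vga"]},
    "services": {"vga": {"ImagePath": "\\SystemRoot\\System32\\drivers\\vga.sys"},
                 "Spooler": {"ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
                 "evilsvc": {"ImagePath": "\\??\\C:\\ProgramData\\drv\\evil.sys"}},
    "hkcu_clsid": {"{00000000-1111-2222-3333-444455556666}":
                   "C:\\Users\\alice\\AppData\\Roaming\\hij.dll"},
}

if __name__ == "__main__":
    snap = collect_snapshot() if platform.system() == "Windows" else SAMPLE_SNAPSHOT
    for check, hits in evaluate(snap).items():
        print(f"{check}: {hits or 'clean'}")
```

Run it from an elevated prompt on the host of interest. Driver-installing software legitimately produces "Drops file in Drivers directory" and "Sets service image path in registry", so the checks deliberately do not flag every driver: they report binaries under user-writable paths, any BootExecute entry that is not autochk, and every per-user COM server, to be reviewed as leads rather than verdicts. The MBR write in the report is a disk-level artifact that this registry sweep does not cover.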

MITRE ATT&CK Enterprise v15

Tasks