Analysis
max time kernel: 17s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 23:43

Behavioral task: behavioral1
  Sample: DS BO6 CHEAT.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: DS BO6 CHEAT.exe
  Resource: win10v2004-20241007-en
Errors
General
Target: DS BO6 CHEAT.exe
Size: 4.3MB
MD5: a2ff3a8288ff2f7b103ff8dbeb06e3b1
SHA1: c45281621cd31a61dc87a634dc0efb4f9d0f5bfa
SHA256: 4f6822d19005039cb0b90d9579404e4b95259de0e842bad6ea06fa3030a51b89
SHA512: 46a5156be8d97cba50ef7c0e239c7baffb21e310a6d777d96cc5b21c8ffea0a7716de6588643041ee31de92c9c7c5fcfc28b82ef52fd0dba066cbba89874c21b
SSDEEP: 98304:7p2Tv/6Q/qp7tvSDCiYfbOjLvrUKsDOUO8/YrsKt2p5Ymy1cdX9Tstd:7p2TviQepv36jUPjO8/ZKwHitd
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   DS BO6 CHEAT.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
(process list not given in the report; the signature is attached to bcdedit.exe, PID 2716, in the process tree below)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS version strings are often read in order to detect sandboxing or virtualised environments: hypervisors such as VirtualBox report recognisable vendor values in these keys.
Processes (description / ioc / process):
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   DS BO6 CHEAT.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    DS BO6 CHEAT.exe
Themida packer 11 IoCs
Processes (resource / yara_rule):
  behavioral1/memory/1736-0-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-2-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-4-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-8-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-5-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-7-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-3-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-6-0x000000013F910000-0x000000014032C000-memory.dmp    themida
  behavioral1/memory/1736-14-0x000000013F910000-0x000000014032C000-memory.dmp   themida
  behavioral1/memory/1736-27-0x000000013F910000-0x000000014032C000-memory.dmp   themida
  behavioral1/memory/1736-31-0x000000013F910000-0x000000014032C000-memory.dmp   themida
Checks whether UAC is enabled 1 IoCs
Processes (description / ioc / process):
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DS BO6 CHEAT.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid / process):
  1736   DS BO6 CHEAT.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
  1736   DS BO6 CHEAT.exe   (64 identical entries, all from the main sample process)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
  Token: SeShutdownPrivilege         2672   shutdown.exe
  Token: SeRemoteShutdownPrivilege   2672   shutdown.exe
Suspicious use of WriteProcessMemory 39 IoCs
Processes (description / pid / process / procid_target; the report logs each write three times, 13 distinct writes in total):
  PID 1736 wrote to memory of 2492   1736   DS BO6 CHEAT.exe   31
  PID 2492 wrote to memory of 2784   2492   cmd.exe            32
  PID 2492 wrote to memory of 2904   2492   cmd.exe            33
  PID 2492 wrote to memory of 2692   2492   cmd.exe            34
  PID 1736 wrote to memory of 2476   1736   DS BO6 CHEAT.exe   35
  PID 2476 wrote to memory of 2716   2476   cmd.exe            36
  PID 1736 wrote to memory of 1616   1736   DS BO6 CHEAT.exe   37
  PID 1736 wrote to memory of 2832   1736   DS BO6 CHEAT.exe   38
  PID 1736 wrote to memory of 1880   1736   DS BO6 CHEAT.exe   39
  PID 1736 wrote to memory of 2596   1736   DS BO6 CHEAT.exe   41
  PID 1736 wrote to memory of 2620   1736   DS BO6 CHEAT.exe   42
  PID 1736 wrote to memory of 2664   1736   DS BO6 CHEAT.exe   43
  PID 2664 wrote to memory of 2672   2664   cmd.exe            44
Processes
C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe  (PID 1736)
    command line: "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  (PID 2492)
        command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\certutil.exe  (PID 2784)
            command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5
        C:\Windows\system32\find.exe  (PID 2904)
            command line: find /i /v "md5"
        C:\Windows\system32\find.exe  (PID 2692)
            command line: find /i /v "certutil"
    C:\Windows\system32\cmd.exe  (PID 2476)
        command line: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\bcdedit.exe  (PID 2716)
            command line: bcdedit /set hypervisorlaunchtype off
            - Modifies boot configuration data using bcdedit
    C:\Windows\system32\cmd.exe  (PID 1616)
        command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe  (PID 2832)
        command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe  (PID 1880)
        command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe  (PID 2596)
        command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe  (PID 2620)
        command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe  (PID 2664)
        command line: C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\shutdown.exe  (PID 2672)
            command line: shutdown /r /f /t 0
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe  (PID 2212)
    command line: "LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe  (PID 496)
    command line: "LogonUI.exe" /flags:0x1
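The signatures and the process tree above describe a recognisable sequence: the sample reads the VirtualBox ACPI key and the BIOS version values, checks whether UAC is on, hashes itself with certutil, turns off the Hyper-V hypervisor with bcdedit and then forces an immediate reboot. The Python script below is an added example, not part of this sandbox report or its tooling, of how a triage analyst can turn that sequence into detection logic. It takes process-creation and registry events in a simplified, constructed form that mirrors the PIDs, command lines and registry paths shown in this report, rebuilds process ancestry, matches each event against a small rule set, and raises the "hypervisor off then reboot" verdict only when both steps descend from the same root process. The event tuples, the rule names and the analyse()/verdict() helpers are this example's own conventions and not a Triage or Sysmon API.

```python
"""Added triage example: rebuild the process tree from this report and flag
the anti-VM, UAC, hypervisor-disabling and reboot steps it shows.
Event tuples are constructed from the report; rules and helpers are this
example's own, not a sandbox or Sysmon API."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events: (pid, parent pid, image, command line),
# taken from the process tree above (the 'cls' and find.exe children omitted).
PROCESS_EVENTS: List[Tuple[int, int, str, str]] = [
    (1736, 0, r"C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe"'),
    (2492, 1736, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    (2784, 2492, r"C:\Windows\system32\certutil.exe",
     r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5'),
    (2476, 1736, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1"),
    (2716, 2476, r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set hypervisorlaunchtype off"),
    (2664, 1736, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1"),
    (2672, 2664, r"C:\Windows\system32\shutdown.exe", r"shutdown /r /f /t 0"),
]

# Constructed registry events: (pid, operation, key), from the signatures above.
REGISTRY_EVENTS: List[Tuple[int, str, str]] = [
    (1736, "open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (1736, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1736, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1736, "query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
]

# Rule set (names are this example's own): (rule, pattern, why it matters).
CMDLINE_RULES = [
    ("bcdedit_hypervisor_off", re.compile(r"\bbcdedit\b.*\bhypervisorlaunchtype\s+off\b", re.I),
     "disables the Hyper-V hypervisor at next boot, and with it VBS-based protections"),
    ("forced_reboot", re.compile(r"\bshutdown\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I),
     "forced restart with no grace period; makes the boot change take effect"),
    ("certutil_self_hash", re.compile(r"\bcertutil\b.*-hashfile\b", re.I),
     "hashes a file with certutil (here the sample hashes itself)"),
]
REGISTRY_RULES = [
    ("vbox_acpi_key", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "VirtualBox ACPI table OEM id, only present inside a VirtualBox guest"),
    ("bios_version_query", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "BIOS version strings, typically compared against VBOX/VMware/QEMU markers"),
    ("uac_check", re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "reads whether UAC is on, i.e. whether elevation will be needed"),
]


def ancestry(procs: Dict[int, Proc], pid: int) -> List[int]:
    """PID chain from the root process down to pid (cycle-safe)."""
    chain, seen, cur = [], set(), pid
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = procs[cur].ppid
    return list(reversed(chain)) or [pid]


def analyse(process_events, registry_events) -> List[dict]:
    """Match every event against the rules; each hit carries its process ancestry."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in process_events}
    findings = []
    for pid, _op, key in registry_events:
        for rule, rx, why in REGISTRY_RULES:
            if rx.search(key):
                findings.append({"rule": rule, "pid": pid, "chain": ancestry(procs, pid),
                                 "evidence": key, "why": why})
    for p in procs.values():
        for rule, rx, why in CMDLINE_RULES:
            if rx.search(p.cmdline):
                findings.append({"rule": rule, "pid": p.pid, "chain": ancestry(procs, p.pid),
                                 "evidence": p.cmdline, "why": why})
    return findings


def verdict(findings: List[dict]) -> dict:
    """Anti-VM needs a hypervisor-identifying registry read; the
    'hypervisor off then reboot' verdict needs both hits under the same root."""
    rules = {f["rule"] for f in findings}

    def roots(rule: str) -> Set[int]:
        return {f["chain"][0] for f in findings if f["rule"] == rule}

    return {
        "anti_vm": bool({"vbox_acpi_key", "bios_version_query"} & rules),
        "hypervisor_off_then_reboot": bool(roots("bcdedit_hypervisor_off") & roots("forced_reboot")),
        "rules": sorted(rules),
    }


if __name__ == "__main__":
    hits = analyse(PROCESS_EVENTS, REGISTRY_EVENTS)
    for h in hits:
        print(f'{h["rule"]:<24} pid={h["pid"]:<5} chain={"->".join(map(str, h["chain"]))}  {h["evidence"]}')
    print(verdict(hits))
```

Two practitioner caveats. `bcdedit /set hypervisorlaunchtype off` needs an administrator token, which is what the EnableLUA read in the signatures is the usual way to find out; on Windows 10 and later it also switches off the virtualization-based security features that depend on the hypervisor (HVCI, Credential Guard) at the next boot, and because administrators and some game or driver installers run the same command legitimately, the same-root pairing with a forced reboot is the signal worth alerting on rather than the bcdedit call alone. The 17-second kernel run time and the two LogonUI.exe processes at the end of the tree are consistent with that reboot cutting the analysis short, so any behaviour after the restart is not captured in this report.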