Analysis
- max time kernel: 22s
- max time network: 26s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-11-2024 23:43
Behavioral task behavioral1
- Sample: DS BO6 CHEAT.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: DS BO6 CHEAT.exe
- Resource: win10v2004-20241007-en
Errors
General
- Target: DS BO6 CHEAT.exe
- Size: 4.3MB
- MD5: a2ff3a8288ff2f7b103ff8dbeb06e3b1
- SHA1: c45281621cd31a61dc87a634dc0efb4f9d0f5bfa
- SHA256: 4f6822d19005039cb0b90d9579404e4b95259de0e842bad6ea06fa3030a51b89
- SHA512: 46a5156be8d97cba50ef7c0e239c7baffb21e310a6d777d96cc5b21c8ffea0a7716de6588643041ee31de92c9c7c5fcfc28b82ef52fd0dba066cbba89874c21b
- SSDEEP: 98304:7p2Tv/6Q/qp7tvSDCiYfbOjLvrUKsDOUO8/YrsKt2p5Ymy1cdX9Tstd:7p2TviQepv36jUPjO8/ZKwHitd
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes (description | ioc | Process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DS BO6 CHEAT.exe

- Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)

- Modify Registry: Disable Windows Driver Blocklist (2 TTPs, 1 IoCs)
  Disable Windows Driver Blocklist via Registry.
  Processes (description | ioc | Process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | DS BO6 CHEAT.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | Process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DS BO6 CHEAT.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DS BO6 CHEAT.exe

- YARA rule matches in process memory (signature name missing from the report)
  Processes (resource | yara_rule):
  behavioral2/memory/4636-0-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-4-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-3-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-2-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-6-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-7-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-8-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-5-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-13-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-31-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
  behavioral2/memory/4636-42-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | Process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DS BO6 CHEAT.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid | Process):
  4636 | DS BO6 CHEAT.exe

- Modifies data under HKEY_USERS (15 IoCs)
  Processes (description | ioc | Process):
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | Process):
  4636 | DS BO6 CHEAT.exe (the same entry is repeated 64 times in the report)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | Process):
  Token: SeShutdownPrivilege | 4932 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 4932 | shutdown.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | Process):
  3948 | LogonUI.exe

- Suspicious use of WriteProcessMemory (26 IoCs; each entry below appears twice in the report)
  Processes (description | pid | Process | procid_target):
  PID 4636 wrote to memory of 1780 | 4636 | DS BO6 CHEAT.exe | 87
  PID 1780 wrote to memory of 4996 | 1780 | cmd.exe | 88
  PID 1780 wrote to memory of 4592 | 1780 | cmd.exe | 89
  PID 1780 wrote to memory of 1536 | 1780 | cmd.exe | 90
  PID 4636 wrote to memory of 3816 | 4636 | DS BO6 CHEAT.exe | 97
  PID 3816 wrote to memory of 764 | 3816 | cmd.exe | 98
  PID 4636 wrote to memory of 4132 | 4636 | DS BO6 CHEAT.exe | 99
  PID 4636 wrote to memory of 384 | 4636 | DS BO6 CHEAT.exe | 104
  PID 4636 wrote to memory of 1828 | 4636 | DS BO6 CHEAT.exe | 105
  PID 4636 wrote to memory of 3552 | 4636 | DS BO6 CHEAT.exe | 106
  PID 4636 wrote to memory of 3708 | 4636 | DS BO6 CHEAT.exe | 107
  PID 4636 wrote to memory of 1340 | 4636 | DS BO6 CHEAT.exe | 108
  PID 1340 wrote to memory of 4932 | 1340 | cmd.exe | 109
Processes

[1] C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe"
    PID: 4636
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Modify Registry: Disable Windows Driver Blocklist
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        PID: 1780
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5
            PID: 4996

        [3] C:\Windows\system32\find.exe
            Command line: find /i /v "md5"
            PID: 4592

        [3] C:\Windows\system32\find.exe
            Command line: find /i /v "certutil"
            PID: 1536

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
        PID: 3816
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set hypervisorlaunchtype off
            PID: 764
            - Modifies boot configuration data using bcdedit

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        PID: 4132

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        PID: 384

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        PID: 1828

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        PID: 3552

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        PID: 3708

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
        PID: 1340
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\shutdown.exe
            Command line: shutdown /r /f /t 0
            PID: 4932
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38cf855 /state1:0x41c64e6d
    PID: 3948
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx