Analysis Overview
SHA256
4f6822d19005039cb0b90d9579404e4b95259de0e842bad6ea06fa3030a51b89
Threat Level: Likely malicious
The file DS BO6 CHEAT.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Modify Registry: Disable Windows Driver Blocklist
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 23:43
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 23:43
Reported
2024-11-14 23:45
Platform
win10v2004-20241007-en
Max time kernel
22s
Max time network
26s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modify Registry: Disable Windows Driver Blocklist
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe
"C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
C:\Windows\system32\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cf855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| N/A | 127.0.0.1:64650 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
Files
memory/4636-0-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-1-0x00007FFE8BCD0000-0x00007FFE8BCD2000-memory.dmp
memory/4636-4-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-3-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-2-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-6-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-7-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-8-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-5-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-9-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-10-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-11-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-12-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-14-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-13-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-17-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-16-0x00007FFE8BCD0000-0x00007FFE8BCD2000-memory.dmp
memory/4636-18-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-19-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-21-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-22-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-20-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-23-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-25-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-27-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-26-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-28-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-29-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-24-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-30-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-31-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
memory/4636-32-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-34-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-35-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-36-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-37-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-38-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-39-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-40-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-43-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp
memory/4636-42-0x00007FF6B1240000-0x00007FF6B1C5C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 23:43
Reported
2024-11-14 23:45
Platform
win7-20240903-en
Max time kernel
17s
Max time network
18s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe
"C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\DS BO6 CHEAT.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
C:\Windows\system32\shutdown.exe
shutdown /r /f /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49200 | tcp |
Files
memory/1736-0-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-1-0x00000000770C0000-0x00000000770C2000-memory.dmp
memory/1736-2-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-4-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-8-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-5-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-9-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-7-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-10-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-3-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-6-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-11-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-12-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-15-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-17-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-16-0x00000000770C0000-0x00000000770C2000-memory.dmp
memory/1736-14-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-21-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-20-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-19-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-18-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-22-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-23-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-24-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-26-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-28-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-27-0x000000013F910000-0x000000014032C000-memory.dmp
memory/1736-29-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-30-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-32-0x0000000077070000-0x0000000077219000-memory.dmp
memory/1736-31-0x000000013F910000-0x000000014032C000-memory.dmp