8992a1084fe37504e9e52077a1c8a73e75634c94f4493803de269cb1c2aa884f | Triage

Sharing

General

Target

CheatEngine75(1).exe
Size

28.5MB
Sample

241121-tslktatlft
MD5

c3f786eb369833607a8445337350f644
SHA1

20954ddfa14a121a18dd0c123abc7486984dcf4b
SHA256

8992a1084fe37504e9e52077a1c8a73e75634c94f4493803de269cb1c2aa884f
SHA512

fb7f74dba06b001b5d6c303664e90474fe4178ee0dfd90fa07773b3a6ae72db0a5098a5764035687f5106e0501d47c53cc39374506db27333a582b08cad5dc4d
SSDEEP

786432:Ml3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHCr:Ml3LMEXFhV0KAcNjxAItjU

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Targets

- Target
  
  CheatEngine75(1).exe
- Size
  
  28.5MB
- MD5
  
  c3f786eb369833607a8445337350f644
- SHA1
  
  20954ddfa14a121a18dd0c123abc7486984dcf4b
- SHA256
  
  8992a1084fe37504e9e52077a1c8a73e75634c94f4493803de269cb1c2aa884f
- SHA512
  
  fb7f74dba06b001b5d6c303664e90474fe4178ee0dfd90fa07773b3a6ae72db0a5098a5764035687f5106e0501d47c53cc39374506db27333a582b08cad5dc4d
- SSDEEP
  
  786432:Ml3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHCr:Ml3LMEXFhV0KAcNjxAItjU
Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer
- Stops running service(s)
  evasion execution
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

discoveryevasionexecutionpersistenceprivilege_escalationspywarestealer