Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 23:54

General

  • Target

    cheat.exe

  • Size

    93KB

  • MD5

    ed3d87642e5378a74c7235cc4b91abbe

  • SHA1

    b93b96baa63d5bbdd92388c643c17cd292d8fc9c

  • SHA256

    1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076

  • SHA512

    b3cfd60b378c204e44053169e42e600d86cddcf3498146b18316c21adeb7268e44693d2a87e5d2f9cacbf9b58a462b9f772734709a50ba5402d9ab3823388fb7

  • SSDEEP

    768:fY3ddnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3psGs:wdxOx6baIa9ROj00ljEwzGi1dD5DegS

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3252
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4072
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4420
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:456
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf5343c73hfff2h42fdh98d4h5b00500ca336
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9d8ce46f8,0x7ff9d8ce4708,0x7ff9d8ce4718
      2⤵
        PID:2800
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
        2⤵
          PID:4100
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
          2⤵
            PID:4540
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
            2⤵
              PID:4852
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:3764
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:4588

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                Filesize

                152B

                MD5

                61cef8e38cd95bf003f5fdd1dc37dae1

                SHA1

                11f2f79ecb349344c143eea9a0fed41891a3467f

                SHA256

                ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                SHA512

                6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                Filesize

                61B

                MD5

                4df4574bfbb7e0b0bc56c2c9b12b6c47

                SHA1

                81efcbd3e3da8221444a21f45305af6fa4b71907

                SHA256

                e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

                SHA512

                78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                Filesize

                5KB

                MD5

                9a273b39d153081288e57a5e2089f162

                SHA1

                1391ef6fe3ed9b1a598b8d2c68a662c499a114bd

                SHA256

                368523aa413694f6797cab4c543d692b7b3f62747fce11081ec735200d6d7cfd

                SHA512

                ca96f02e6894ea73f5f48d462e1d3132310fdb1d41d3674258becb8e2b488b89c3f30076adf2bedcf0ca3008214f189259c7053f0ea371ba96c170c43ee5b56b

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                Filesize

                8KB

                MD5

                72313499b44bdc04b8fd4fbdd1516407

                SHA1

                a81c95faa1a0974adcff0d212a487188f1061c59

                SHA256

                4e9bb935879dc781d1796d874168cb60d72bf91095ef547e8106f29dfd5ea15a

                SHA512

                bac81d23a83222121a39740c298cba7c28921c3ac7ad964bffd5503b9fc55befda3cfa2c75562d7d9c3b550ee4fb92f1ea657c0819f8a4eda772c81536a63de0

              • C:\Users\Admin\AppData\Local\Temp\server.exe

                Filesize

                93KB

                MD5

                ed3d87642e5378a74c7235cc4b91abbe

                SHA1

                b93b96baa63d5bbdd92388c643c17cd292d8fc9c

                SHA256

                1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076

                SHA512

                b3cfd60b378c204e44053169e42e600d86cddcf3498146b18316c21adeb7268e44693d2a87e5d2f9cacbf9b58a462b9f772734709a50ba5402d9ab3823388fb7

              • C:\Users\Admin\AppData\Roaming\app

                Filesize

                5B

                MD5

                d43c5b07c128b116b7bc8faf7b8efa9d

                SHA1

                dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

                SHA256

                80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

                SHA512

                618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

              • memory/3252-15-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB

              • memory/3252-28-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB

              • memory/3252-29-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB

              • memory/3252-13-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB

              • memory/4396-0-0x0000000074712000-0x0000000074713000-memory.dmp

                Filesize

                4KB

              • memory/4396-14-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB

              • memory/4396-2-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB

              • memory/4396-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

                Filesize

                5.7MB