1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat.exe
Size

93KB
MD5

ed3d87642e5378a74c7235cc4b91abbe
SHA1

b93b96baa63d5bbdd92388c643c17cd292d8fc9c
SHA256

1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076
SHA512

b3cfd60b378c204e44053169e42e600d86cddcf3498146b18316c21adeb7268e44693d2a87e5d2f9cacbf9b58a462b9f772734709a50ba5402d9ab3823388fb7
SSDEEP

768:fY3ddnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3psGs:wdxOx6baIa9ROj00ljEwzGi1dD5DegS

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4420	netsh.exe
4072	netsh.exe
456	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cheat.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97971fd1e2ee381e5b37d2f6863a113cWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97971fd1e2ee381e5b37d2f6863a113cWindows Update.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
3252	server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe
3252	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3252	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe
Token: 33	3252	server.exe
Token: SeIncBasePriorityPrivilege	3252	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3252	4396	cheat.exe	83
PID 4396 wrote to memory of 3252	4396	cheat.exe	83
PID 4396 wrote to memory of 3252	4396	cheat.exe	83
PID 3252 wrote to memory of 4072	3252	server.exe	85
PID 3252 wrote to memory of 4072	3252	server.exe	85
PID 3252 wrote to memory of 4072	3252	server.exe	85
PID 3252 wrote to memory of 4420	3252	server.exe	87
PID 3252 wrote to memory of 4420	3252	server.exe	87
PID 3252 wrote to memory of 4420	3252	server.exe	87
PID 3252 wrote to memory of 456	3252	server.exe	88
PID 3252 wrote to memory of 456	3252	server.exe	88
PID 3252 wrote to memory of 456	3252	server.exe	88
PID 1028 wrote to memory of 2800	1028	msedge.exe	108
PID 1028 wrote to memory of 2800	1028	msedge.exe	108
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4100	1028	msedge.exe	109
PID 1028 wrote to memory of 4540	1028	msedge.exe	110
PID 1028 wrote to memory of 4540	1028	msedge.exe	110
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111
PID 1028 wrote to memory of 4852	1028	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4072
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf5343c73hfff2h42fdh98d4h5b00500ca336
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9d8ce46f8,0x7ff9d8ce4708,0x7ff9d8ce4718
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a273b39d153081288e57a5e2089f162

SHA1
1391ef6fe3ed9b1a598b8d2c68a662c499a114bd

SHA256
368523aa413694f6797cab4c543d692b7b3f62747fce11081ec735200d6d7cfd

SHA512
ca96f02e6894ea73f5f48d462e1d3132310fdb1d41d3674258becb8e2b488b89c3f30076adf2bedcf0ca3008214f189259c7053f0ea371ba96c170c43ee5b56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
72313499b44bdc04b8fd4fbdd1516407

SHA1
a81c95faa1a0974adcff0d212a487188f1061c59

SHA256
4e9bb935879dc781d1796d874168cb60d72bf91095ef547e8106f29dfd5ea15a

SHA512
bac81d23a83222121a39740c298cba7c28921c3ac7ad964bffd5503b9fc55befda3cfa2c75562d7d9c3b550ee4fb92f1ea657c0819f8a4eda772c81536a63de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
ed3d87642e5378a74c7235cc4b91abbe

SHA1
b93b96baa63d5bbdd92388c643c17cd292d8fc9c

SHA256
1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076

SHA512
b3cfd60b378c204e44053169e42e600d86cddcf3498146b18316c21adeb7268e44693d2a87e5d2f9cacbf9b58a462b9f772734709a50ba5402d9ab3823388fb7

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
d43c5b07c128b116b7bc8faf7b8efa9d

SHA1
dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

SHA256
80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

SHA512
618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

Download Submit
memory/3252-15-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3252-28-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3252-29-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3252-13-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-0-0x0000000074712000-0x0000000074713000-memory.dmp

Filesize
4KB

Download
memory/4396-14-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-2-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/4396-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download