Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2025, 23:54
Behavioral task: behavioral1
Sample: cheat.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: cheat.exe
Resource: win10v2004-20241007-en
General
Target: cheat.exe
Size: 93KB
MD5: ed3d87642e5378a74c7235cc4b91abbe
SHA1: b93b96baa63d5bbdd92388c643c17cd292d8fc9c
SHA256: 1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076
SHA512: b3cfd60b378c204e44053169e42e600d86cddcf3498146b18316c21adeb7268e44693d2a87e5d2f9cacbf9b58a462b9f772734709a50ba5402d9ab3823388fb7
SSDEEP: 768:fY3ddnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3psGs:wdxOx6baIa9ROj00ljEwzGi1dD5DegS
Malware Config
Signatures
Modifies Windows Firewall 2 TTPs 3 IoCs
pid / Process:
- 4420 netsh.exe
- 4072 netsh.exe
- 456 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | cheat.exe
Drops startup file 4 IoCs
description / ioc / Process:
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97971fd1e2ee381e5b37d2f6863a113cWindows Update.exe | server.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97971fd1e2ee381e5b37d2f6863a113cWindows Update.exe | server.exe
Executes dropped EXE 1 IoCs
pid / Process:
- 3252 server.exe
Drops file in System32 directory 2 IoCs
description / ioc / Process:
- File created | C:\Windows\SysWOW64\Explower.exe | server.exe
- File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
Drops file in Program Files directory 2 IoCs
description / ioc / Process:
- File created | C:\Program Files (x86)\Explower.exe | server.exe
- File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description / ioc / Process:
- Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cheat.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process:
- 3252 server.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid / Process:
- 3252 server.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
description / pid / Process:
- Token: SeDebugPrivilege | 3252 server.exe (1 entry)
- Token: 33 | 3252 server.exe (18 entries, alternating with the next row)
- Token: SeIncBasePriorityPrivilege | 3252 server.exe (18 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target:
- PID 4396 wrote to memory of 3252 | 4396 cheat.exe | 83 (3 entries)
- PID 3252 wrote to memory of 4072 | 3252 server.exe | 85 (3 entries)
- PID 3252 wrote to memory of 4420 | 3252 server.exe | 87 (3 entries)
- PID 3252 wrote to memory of 456 | 3252 server.exe | 88 (3 entries)
- PID 1028 wrote to memory of 2800 | 1028 msedge.exe | 108 (2 entries)
- PID 1028 wrote to memory of 4100 | 1028 msedge.exe | 109 (40 entries)
- PID 1028 wrote to memory of 4540 | 1028 msedge.exe | 110 (2 entries)
- PID 1028 wrote to memory of 4852 | 1028 msedge.exe | 111 (8 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\cheat.exe (PID 4396, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
Signatures:
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 3252, depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
  Signatures:
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 4072, depth 3)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    Signatures:
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe (PID 4420, depth 3)
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Signatures:
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe (PID 456, depth 3)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    Signatures:
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1028, depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf5343c73hfff2h42fdh98d4h5b00500ca336
Signatures:
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2800, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9d8ce46f8,0x7ff9d8ce4708,0x7ff9d8ce4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4100, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4540, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4852, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,3557094775293164633,6706270758606274762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe (PID 3764, depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4588, depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
Downloads

- Filesize: 152B
  MD5: 61cef8e38cd95bf003f5fdd1dc37dae1
  SHA1: 11f2f79ecb349344c143eea9a0fed41891a3467f
  SHA256: ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
  SHA512: 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

- Filesize: 61B
  MD5: 4df4574bfbb7e0b0bc56c2c9b12b6c47
  SHA1: 81efcbd3e3da8221444a21f45305af6fa4b71907
  SHA256: e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
  SHA512: 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

- Filesize: 5KB
  MD5: 9a273b39d153081288e57a5e2089f162
  SHA1: 1391ef6fe3ed9b1a598b8d2c68a662c499a114bd
  SHA256: 368523aa413694f6797cab4c543d692b7b3f62747fce11081ec735200d6d7cfd
  SHA512: ca96f02e6894ea73f5f48d462e1d3132310fdb1d41d3674258becb8e2b488b89c3f30076adf2bedcf0ca3008214f189259c7053f0ea371ba96c170c43ee5b56b

- Filesize: 8KB
  MD5: 72313499b44bdc04b8fd4fbdd1516407
  SHA1: a81c95faa1a0974adcff0d212a487188f1061c59
  SHA256: 4e9bb935879dc781d1796d874168cb60d72bf91095ef547e8106f29dfd5ea15a
  SHA512: bac81d23a83222121a39740c298cba7c28921c3ac7ad964bffd5503b9fc55befda3cfa2c75562d7d9c3b550ee4fb92f1ea657c0819f8a4eda772c81536a63de0

- Filesize: 93KB
  MD5: ed3d87642e5378a74c7235cc4b91abbe
  SHA1: b93b96baa63d5bbdd92388c643c17cd292d8fc9c
  SHA256: 1eb4a597a32687b808a75a8350d967f471bc230c52a1ff3ffcab4ba6ecbc2076
  SHA512: b3cfd60b378c204e44053169e42e600d86cddcf3498146b18316c21adeb7268e44693d2a87e5d2f9cacbf9b58a462b9f772734709a50ba5402d9ab3823388fb7

- Filesize: 5B
  MD5: d43c5b07c128b116b7bc8faf7b8efa9d
  SHA1: dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa
  SHA256: 80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f
  SHA512: 618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334