Overview
overview
10Static
static
3CLibrary.dll
windows10-2004-x64
8CheatInjector.exe
windows10-2004-x64
10bearer/libn.dll
windows10-2004-x64
1bearer/qge...er.dll
windows10-2004-x64
1bearer/qna...er.dll
windows10-2004-x64
1dll/Qt5Network.dll
windows10-2004-x64
1dll/Qt5Svg.dll
windows10-2004-x64
1dll/libEGL.dll
windows10-2004-x64
1dll/libGLESV2.dll
windows10-2004-x64
1dll/libeay32.dll
windows10-2004-x64
1dll/msvcp120.dll
windows10-2004-x64
3dll/msvcr120.dll
windows10-2004-x64
3dll/ssleay32.dll
windows10-2004-x64
1iconengine...on.dll
windows10-2004-x64
1Analysis
-
max time kernel
299s -
max time network
207s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 18:06
Static task
static1
Behavioral task
behavioral1
Sample
CLibrary.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
CheatInjector.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
bearer/libn.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
bearer/qgenericbearer.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
bearer/qnativewifibearer.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
dll/Qt5Network.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
dll/Qt5Svg.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
dll/libEGL.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
dll/libGLESV2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
dll/libeay32.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
dll/msvcp120.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral12
Sample
dll/msvcr120.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
dll/ssleay32.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral14
Sample
iconengines/qsvgicon.dll
Resource
win10v2004-20240611-en
General
-
Target
CheatInjector.exe
-
Size
12.0MB
-
MD5
ffd54dd853ba501a846bcb20b8fb8a92
-
SHA1
167e0a2d7fcb110df4d5561cfb0aa86e67784f4e
-
SHA256
bc668cbc597c7b00abca9b6ead346889cee9c8de235534bff296417a077df999
-
SHA512
eedb05f9e7a260004a53b6196401e878c8f2d2f1c47e280dc5bbca245771417fae7ffea1201ccdf1ab56a6998e0acdf2ee7e39538ea91e056f91811e2e253f6f
-
SSDEEP
98304:qTTm3vPx378D4xKKpmULiOSnP7REM+aweRMEz:5Pp8D40/UuO0P7yM+M
Malware Config
Extracted
lumma
https://citizencenturygoodwk.shop/api
https://potterryisiw.shop/api
https://foodypannyjsud.shop/api
https://contintnetksows.shop/api
https://reinforcedirectorywd.shop/api
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
CheatInjector.exedescription pid process target process PID 4884 set thread context of 1088 4884 CheatInjector.exe BitLockerToGo.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exepid process 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 1100 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 1100 taskmgr.exe Token: SeSystemProfilePrivilege 1100 taskmgr.exe Token: SeCreateGlobalPrivilege 1100 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe 1100 taskmgr.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
CheatInjector.exedescription pid process target process PID 4884 wrote to memory of 1088 4884 CheatInjector.exe BitLockerToGo.exe PID 4884 wrote to memory of 1088 4884 CheatInjector.exe BitLockerToGo.exe PID 4884 wrote to memory of 1088 4884 CheatInjector.exe BitLockerToGo.exe PID 4884 wrote to memory of 1088 4884 CheatInjector.exe BitLockerToGo.exe PID 4884 wrote to memory of 1088 4884 CheatInjector.exe BitLockerToGo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CheatInjector.exe"C:\Users\Admin\AppData\Local\Temp\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1088-21-0x0000000000570000-0x00000000005C7000-memory.dmpFilesize
348KB
-
memory/1088-22-0x0000000000570000-0x00000000005C7000-memory.dmpFilesize
348KB
-
memory/1088-18-0x0000000000570000-0x00000000005C7000-memory.dmpFilesize
348KB
-
memory/1100-12-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-14-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-13-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-4-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-11-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-10-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-8-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-9-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-2-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/1100-3-0x000002A902DE0000-0x000002A902DE1000-memory.dmpFilesize
4KB
-
memory/4884-17-0x00007FF653830000-0x00007FF6544A3000-memory.dmpFilesize
12.4MB
-
memory/4884-19-0x00007FF653830000-0x00007FF6544A3000-memory.dmpFilesize
12.4MB