ee3c9fdf9ac72921233d688db367410456b4a569f764e898ee9f883b50669dd6

General

Target

BitCheats.exe
Size

9.5MB
MD5

f9350631e747006dd165af9d0173f15d
SHA1

2ea2280fc4518185b0658555aa728ccf5a34f664
SHA256

ee3c9fdf9ac72921233d688db367410456b4a569f764e898ee9f883b50669dd6
SHA512

3521999a4f8fa787947bba0ed15812a41090fd76fdd06350fbe2f79cf0be8f6fc9abe29c166874ed67fd245bfb966579b4cb89a65f21a3d001bbc2182821e107
SSDEEP

196608:0d/n2e9fPh6lB6tKhWvBXFu8AkVURItvIpkIT1D746ERa:A/2uXhKvWvZLPCI5kkwB7paa

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BitCheats.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BitCheats.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BitCheats.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BitCheats.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BitCheats.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BitCheats.exe

Executes dropped EXE 1 IoCs

Processes:

pid process

804
Loads dropped DLL 3 IoCs

Processes:

BitCheats.exe

pid process

1504 BitCheats.exe
1504 BitCheats.exe
1504 BitCheats.exe

pid	process
804

pid	process
1504	BitCheats.exe
1504	BitCheats.exe
1504	BitCheats.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1504-133-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-138-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-139-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-140-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-145-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-146-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-147-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-159-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida
behavioral1/memory/1504-161-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BitCheats.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BitCheats.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

BitCheats.exe

pid process

1504 BitCheats.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 1504 WerFault.exe BitCheats.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BitCheats.exe

pid process

1504 BitCheats.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitCheats.exe

pid	process
1504	BitCheats.exe

pid	pid_target	process	target process
3012	1504	WerFault.exe	BitCheats.exe

pid	process
1504	BitCheats.exe

C:\Users\Admin\AppData\Local\Temp\BitCheats.exe
"C:\Users\Admin\AppData\Local\Temp\BitCheats.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1504 -s 512
2⤵
- Program crash
PID:3012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1504 -ip 1504
1⤵
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwWPHrTsJZ.dll
Filesize
49KB

MD5
ac3da38df3e1fbf4977da44c2f8aa9ae

SHA1
3c1d0cceede7849123ddbc742be6e0be1b48970e

SHA256
dd6e17839dd51b459c05318304acb52f8751db8d5a67679a3c8b5139f8db98e5

SHA512
dda5a05a0497ea12e0899716456d97b224f1c6dfe010ee7873bcdf764f49f6783b6189391ed3defbcc3da47e4e85e830981b15d2f0b3c51ae5bef15b3604e175

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwWPHrTsJZ.dll
Filesize
49KB

MD5
ac3da38df3e1fbf4977da44c2f8aa9ae

SHA1
3c1d0cceede7849123ddbc742be6e0be1b48970e

SHA256
dd6e17839dd51b459c05318304acb52f8751db8d5a67679a3c8b5139f8db98e5

SHA512
dda5a05a0497ea12e0899716456d97b224f1c6dfe010ee7873bcdf764f49f6783b6189391ed3defbcc3da47e4e85e830981b15d2f0b3c51ae5bef15b3604e175

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
2.4MB

MD5
b284ae0d37cc7d47fc149bf93ef6a5bf

SHA1
3952b84377b0a1d267daae711ee47581749cb2a3

SHA256
0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b

SHA512
b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
memory/1504-147-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-140-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-145-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-146-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-133-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-153-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/1504-152-0x00007FFA5B9B0000-0x00007FFA5B9C0000-memory.dmp

Filesize
64KB

Download
memory/1504-139-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-157-0x000001E872300000-0x000001E872301000-memory.dmp

Filesize
4KB

Download
memory/1504-138-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-159-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download
memory/1504-161-0x00007FF6D8400000-0x00007FF6D9D2B000-memory.dmp

Filesize
25.2MB

Download

Analysis

Sharing