893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3

General

Target

Pop-up Bypass_[unknowncheats.me]_.exe
Size

3.3MB
MD5

cb683f37f0902ce6620eb94f0ccd8a87
SHA1

53a9dcd66067278d83a69dda13b11923df65494e
SHA256

893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3
SHA512

bfbd8733ae4fc9e50e7a8447eeb9fe89b3e46cca4e3eb70a5bd111413171fd89fd89c997be3957bcbdf90bc41bc24e66c771617bc5c670b509e11a3cc2f70dff
SSDEEP

98304:nCNLxgjTecpczSWUQju2WehX/EiJWeRS/AZ:bR+AZ2Wava4Z

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Pop-up Bypass_[unknowncheats.me]_.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Pop-up Bypass_[unknowncheats.me]_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Pop-up Bypass_[unknowncheats.me]_.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1888-31-0x0000000000A10000-0x00000000012D2000-memory.dmp	themida
behavioral1/memory/1888-32-0x0000000000A10000-0x00000000012D2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Pop-up Bypass_[unknowncheats.me]_.exe

Drops file in System32 directory 1 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description ioc process

File created C:\Windows\SysWOW64\PsSuspend.exe Pop-up Bypass_[unknowncheats.me]_.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

pid process

1888 Pop-up Bypass_[unknowncheats.me]_.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2528 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2972 1888 WerFault.exe Pop-up Bypass_[unknowncheats.me]_.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

pid process

1888 Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
File created	C:\Windows\SysWOW64\PsSuspend.exe	Pop-up Bypass_[unknowncheats.me]_.exe

pid	process
1888	Pop-up Bypass_[unknowncheats.me]_.exe

pid	process
2528	sc.exe

pid	pid_target	process	target process
2972	1888	WerFault.exe	Pop-up Bypass_[unknowncheats.me]_.exe

pid	process
1888	Pop-up Bypass_[unknowncheats.me]_.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.execmd.exe

description	pid	process	target process
PID 1888 wrote to memory of 2804	1888	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1888 wrote to memory of 2804	1888	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1888 wrote to memory of 2804	1888	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1888 wrote to memory of 2804	1888	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 2804 wrote to memory of 2528	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2528	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2528	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2528	2804	cmd.exe	sc.exe
PID 2804 wrote to memory of 2404	2804	cmd.exe	findstr.exe
PID 2804 wrote to memory of 2404	2804	cmd.exe	findstr.exe
PID 2804 wrote to memory of 2404	2804	cmd.exe	findstr.exe
PID 2804 wrote to memory of 2404	2804	cmd.exe	findstr.exe
PID 1888 wrote to memory of 2972	1888	Pop-up Bypass_[unknowncheats.me]_.exe	WerFault.exe
PID 1888 wrote to memory of 2972	1888	Pop-up Bypass_[unknowncheats.me]_.exe	WerFault.exe
PID 1888 wrote to memory of 2972	1888	Pop-up Bypass_[unknowncheats.me]_.exe	WerFault.exe
PID 1888 wrote to memory of 2972	1888	Pop-up Bypass_[unknowncheats.me]_.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Pop-up Bypass_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\Pop-up Bypass_[unknowncheats.me]_.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc queryex BrokerInfrastructure | findstr PID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\sc.exe
    sc queryex BrokerInfrastructure
    3⤵
    - Launches sc.exe
    PID:2528
- - C:\Windows\SysWOW64\findstr.exe
    findstr PID
    3⤵
    PID:2404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 592
  2⤵
  - Program crash
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-1-0x0000000076851000-0x0000000076852000-memory.dmp

Filesize
4KB

Download
memory/1888-2-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-0-0x0000000000A10000-0x00000000012D2000-memory.dmp

Filesize
8.8MB

Download
memory/1888-5-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-17-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-25-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-24-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-23-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-22-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-21-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-20-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-19-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-18-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-16-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-15-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-14-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-13-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-12-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-11-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-10-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-9-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-8-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-7-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-6-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-4-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-3-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-26-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-30-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-31-0x0000000000A10000-0x00000000012D2000-memory.dmp

Filesize
8.8MB

Download
memory/1888-32-0x0000000000A10000-0x00000000012D2000-memory.dmp

Filesize
8.8MB

Download
memory/1888-35-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-36-0x0000000076851000-0x0000000076852000-memory.dmp

Filesize
4KB

Download
memory/1888-38-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download
memory/1888-39-0x0000000076840000-0x0000000076950000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads