893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3

General

Target

Pop-up Bypass_[unknowncheats.me]_.exe
Size

3.3MB
MD5

cb683f37f0902ce6620eb94f0ccd8a87
SHA1

53a9dcd66067278d83a69dda13b11923df65494e
SHA256

893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3
SHA512

bfbd8733ae4fc9e50e7a8447eeb9fe89b3e46cca4e3eb70a5bd111413171fd89fd89c997be3957bcbdf90bc41bc24e66c771617bc5c670b509e11a3cc2f70dff
SSDEEP

98304:nCNLxgjTecpczSWUQju2WehX/EiJWeRS/AZ:bR+AZ2Wava4Z

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Pop-up Bypass_[unknowncheats.me]_.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Pop-up Bypass_[unknowncheats.me]_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Pop-up Bypass_[unknowncheats.me]_.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1468-11-0x00000000000F0000-0x00000000009B2000-memory.dmp	themida
behavioral2/memory/1468-12-0x00000000000F0000-0x00000000009B2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Pop-up Bypass_[unknowncheats.me]_.exe

Drops file in System32 directory 1 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

description ioc process

File created C:\Windows\SysWOW64\PsSuspend.exe Pop-up Bypass_[unknowncheats.me]_.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

pid process

1468 Pop-up Bypass_[unknowncheats.me]_.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4596 sc.exe
3860 sc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.exe

pid process

1468 Pop-up Bypass_[unknowncheats.me]_.exe
1468 Pop-up Bypass_[unknowncheats.me]_.exe

description	ioc	process
File created	C:\Windows\SysWOW64\PsSuspend.exe	Pop-up Bypass_[unknowncheats.me]_.exe

pid	process
1468	Pop-up Bypass_[unknowncheats.me]_.exe

pid	process
4596	sc.exe
3860	sc.exe

pid	process
1468	Pop-up Bypass_[unknowncheats.me]_.exe
1468	Pop-up Bypass_[unknowncheats.me]_.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Pop-up Bypass_[unknowncheats.me]_.execmd.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 4416	1468	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1468 wrote to memory of 4416	1468	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1468 wrote to memory of 4416	1468	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 4416 wrote to memory of 4596	4416	cmd.exe	sc.exe
PID 4416 wrote to memory of 4596	4416	cmd.exe	sc.exe
PID 4416 wrote to memory of 4596	4416	cmd.exe	sc.exe
PID 4416 wrote to memory of 3972	4416	cmd.exe	findstr.exe
PID 4416 wrote to memory of 3972	4416	cmd.exe	findstr.exe
PID 4416 wrote to memory of 3972	4416	cmd.exe	findstr.exe
PID 1468 wrote to memory of 5052	1468	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1468 wrote to memory of 5052	1468	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 1468 wrote to memory of 5052	1468	Pop-up Bypass_[unknowncheats.me]_.exe	cmd.exe
PID 5052 wrote to memory of 3860	5052	cmd.exe	sc.exe
PID 5052 wrote to memory of 3860	5052	cmd.exe	sc.exe
PID 5052 wrote to memory of 3860	5052	cmd.exe	sc.exe
PID 5052 wrote to memory of 2112	5052	cmd.exe	findstr.exe
PID 5052 wrote to memory of 2112	5052	cmd.exe	findstr.exe
PID 5052 wrote to memory of 2112	5052	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\Pop-up Bypass_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\Pop-up Bypass_[unknowncheats.me]_.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc queryex BrokerInfrastructure | findstr PID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\sc.exe
    sc queryex BrokerInfrastructure
    3⤵
    - Launches sc.exe
    PID:4596
- - C:\Windows\SysWOW64\findstr.exe
    findstr PID
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c sc queryex LSM | findstr PID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\sc.exe
    sc queryex LSM
    3⤵
    - Launches sc.exe
    PID:3860
- - C:\Windows\SysWOW64\findstr.exe
    findstr PID
    3⤵
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-0-0x00000000000F0000-0x00000000009B2000-memory.dmp

Filesize
8.8MB

Download
memory/1468-1-0x0000000076B50000-0x0000000076B51000-memory.dmp

Filesize
4KB

Download
memory/1468-4-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-3-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-2-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-7-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-6-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-5-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-8-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-11-0x00000000000F0000-0x00000000009B2000-memory.dmp

Filesize
8.8MB

Download
memory/1468-12-0x00000000000F0000-0x00000000009B2000-memory.dmp

Filesize
8.8MB

Download
memory/1468-15-0x00000000000F0000-0x00000000009B2000-memory.dmp

Filesize
8.8MB

Download
memory/1468-16-0x0000000076B50000-0x0000000076B51000-memory.dmp

Filesize
4KB

Download
memory/1468-17-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-19-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-18-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-21-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-22-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download
memory/1468-23-0x0000000076B30000-0x0000000076C20000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads