978b7f1dba9746c29ac4b61bc219bd7b

General

Target: 978b7f1dba9746c29ac4b61bc219bd7b.exe
Filesize: 3MB
Completed: 16-01-2022 08:17
Score: 9/10
MD5: 978b7f1dba9746c29ac4b61bc219bd7b
SHA1: f498e5ebf211bace3e027a1596edfdcf7900317c
SHA256: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7
Malware Config

Signatures 11
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags: Defense Evasion, Discovery

    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    IntelRapid.exe

    Reported IOCs

    pid  | process
    812  | IntelRapid.exe
  • Checks BIOS information in registry
    978b7f1dba9746c29ac4b61bc219bd7b.exe, IntelRapid.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs: Query Registry, System Information Discovery

    Reported IOCs

    description       | ioc                                                              | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   | IntelRapid.exe
  • Drops startup file
    978b7f1dba9746c29ac4b61bc219bd7b.exe

    Reported IOCs

    description  | ioc                                                                                    | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | 978b7f1dba9746c29ac4b61bc219bd7b.exe
  • Loads dropped DLL
    978b7f1dba9746c29ac4b61bc219bd7b.exe

    Reported IOCs (three load events)

    pid  | process
    1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource                                                                | yara_rule
    behavioral1/memory/1652-55-0x000000013F350000-0x000000013FC51000-memory.dmp | themida
    behavioral1/memory/1652-56-0x000000013F350000-0x000000013FC51000-memory.dmp | themida
    behavioral1/memory/1652-57-0x000000013F350000-0x000000013FC51000-memory.dmp | themida
    behavioral1/files/0x00070000000131ed-59.dat                              | themida
    behavioral1/files/0x00070000000131ed-60.dat                              | themida
    behavioral1/files/0x00070000000131ed-61.dat                              | themida
    behavioral1/files/0x00070000000131ed-63.dat                              | themida
    behavioral1/memory/812-64-0x000000013F240000-0x000000013FB41000-memory.dmp  | themida
    behavioral1/memory/812-65-0x000000013F240000-0x000000013FB41000-memory.dmp  | themida
    behavioral1/memory/812-66-0x000000013F240000-0x000000013FB41000-memory.dmp  | themida
  • Checks whether UAC is enabled
    IntelRapid.exe, 978b7f1dba9746c29ac4b61bc219bd7b.exe

    TTPs: System Information Discovery

    Reported IOCs

    description       | ioc                                                                              | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 978b7f1dba9746c29ac4b61bc219bd7b.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    978b7f1dba9746c29ac4b61bc219bd7b.exe, IntelRapid.exe

    Reported IOCs

    pid  | process
    1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    812  | IntelRapid.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this "likely ransomware behaviour", but no file encryption or bulk file modification is reported elsewhere in this run; the only files written are the dropped IntelRapid.exe and the startup shortcut.

    TTPs: System Information Discovery
  • Suspicious behavior: AddClipboardFormatListener
    IntelRapid.exe

    Reported IOCs

    pid  | process
    812  | IntelRapid.exe
  • Suspicious use of WriteProcessMemory
    978b7f1dba9746c29ac4b61bc219bd7b.exe

    Reported IOCs

    description                      | pid  | process                              | target process
    PID 1652 wrote to memory of 812  | 1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe | IntelRapid.exe
    PID 1652 wrote to memory of 812  | 1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe | IntelRapid.exe
    PID 1652 wrote to memory of 812  | 1652 | 978b7f1dba9746c29ac4b61bc219bd7b.exe | IntelRapid.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\978b7f1dba9746c29ac4b61bc219bd7b.exe
    "C:\Users\Admin\AppData\Local\Temp\978b7f1dba9746c29ac4b61bc219bd7b.exe"
    Checks BIOS information in registry
    Drops startup file
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      PID:812
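The signatures and process tree above are the report's own output. What follows is an added example, not code from the sandbox or from this sample: a small Python triage helper that reads report-style IOC lines, maps each registry query, file write, thread-hiding call and cross-process write to a behaviour name, and reconstructs which process wrote into which. The sample lines are constructed from the values shown on this page (PIDs 1652 and 812, the SystemBiosVersion/VideoBiosVersion and EnableLUA keys, the Startup .lnk path); the pipe-delimited line format and the behaviour names are this example's own assumptions, not the report's.

```python
"""Added example: summarise sandbox-report IOC lines per process.

Assumed input format (not the report's own): one event per line as
    <kind>|<detail>|<pid>|<process>
where kind is regquery, filecreate, hidethread, writemem, exec or clipboard.
"""
from collections import defaultdict

# Registry values the report flags, grouped by what querying them indicates.
# Paths are copied from the report; the group names are this example's own.
REGISTRY_CATEGORIES = {
    "bios_fingerprint": (
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ),
    "uac_check": (
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    ),
}
# Any file created under the per-user Startup folder is run at logon.
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed sample events, built from the IOCs listed on this page.
SAMPLE_EVENTS = r"""
regquery|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion|1652|978b7f1dba9746c29ac4b61bc219bd7b.exe
regquery|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion|1652|978b7f1dba9746c29ac4b61bc219bd7b.exe
regquery|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|1652|978b7f1dba9746c29ac4b61bc219bd7b.exe
filecreate|C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk|1652|978b7f1dba9746c29ac4b61bc219bd7b.exe
hidethread||1652|978b7f1dba9746c29ac4b61bc219bd7b.exe
writemem|812|1652|978b7f1dba9746c29ac4b61bc219bd7b.exe
exec|C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe|812|IntelRapid.exe
regquery|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion|812|IntelRapid.exe
regquery|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion|812|IntelRapid.exe
regquery|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|812|IntelRapid.exe
hidethread||812|IntelRapid.exe
clipboard||812|IntelRapid.exe
"""


def parse_events(text):
    """Split pipe-delimited event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, detail, pid, proc = line.split("|", 3)
        events.append({"kind": kind, "detail": detail, "pid": int(pid), "process": proc})
    return events


def classify(event):
    """Map one event to a behaviour name, or None if it is not one we track."""
    kind, detail = event["kind"], event["detail"]
    if kind == "regquery":
        for name, paths in REGISTRY_CATEGORIES.items():
            if detail.lower() in (p.lower() for p in paths):
                return name
        return None
    if kind == "filecreate" and STARTUP_DIR.lower() in detail.lower():
        return "startup_persistence"
    return {
        "hidethread": "hide_from_debugger",   # NtSetInformationThread(ThreadHideFromDebugger)
        "writemem": "cross_process_write",    # WriteProcessMemory into another PID
        "clipboard": "clipboard_listener",    # AddClipboardFormatListener
        "exec": "dropped_exe_executed",
    }.get(kind)


def summarize(events):
    """Return {pid: {"process": name, "behaviors": set(...)}}."""
    summary = defaultdict(lambda: {"process": None, "behaviors": set()})
    for e in events:
        entry = summary[e["pid"]]
        entry["process"] = e["process"]
        behaviour = classify(e)
        if behaviour:
            entry["behaviors"].add(behaviour)
    return dict(summary)


def write_targets(events):
    """{writer pid: {target pids}} reconstructed from writemem events."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "writemem":
            targets[e["pid"]].add(int(e["detail"]))
    return dict(targets)


# Sandbox fingerprinting plus debugger hiding in the same process is the
# anti-analysis combination this report shows in both PIDs.
ANTI_ANALYSIS = {"bios_fingerprint", "hide_from_debugger"}


def anti_analysis_pids(summary):
    """PIDs whose behaviour set contains the whole ANTI_ANALYSIS combination."""
    return sorted(pid for pid, s in summary.items() if ANTI_ANALYSIS <= s["behaviors"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    summ = summarize(evs)
    for pid, s in sorted(summ.items()):
        print(pid, s["process"], sorted(s["behaviors"]))
    print("wrote into:", write_targets(evs))
    print("anti-analysis PIDs:", anti_analysis_pids(summ))
```

Both PIDs end up with the bios_fingerprint and hide_from_debugger pair, PID 1652 additionally carries startup_persistence and the write into 812, and the clipboard listener is attributed only to the dropped IntelRapid.exe, which matches the per-process signature list in the report.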
Network

MITRE ATT&CK Matrix

Downloads
                      • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

                        MD5: 978b7f1dba9746c29ac4b61bc219bd7b
                        SHA1: f498e5ebf211bace3e027a1596edfdcf7900317c
                        SHA256: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7
                        SHA512: dbdba57e4af16966d814bb0fafec867be05dd33381ab3140cb99249a7df57f7a09f69bdec5909d00a7268fda7574be3e738561bf094b211e3e9d5c6fb126da08

                      • \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe (listed three further times with identical MD5, SHA1, SHA256 and SHA512)

                        Note: the dropped IntelRapid.exe has the same MD5, SHA1 and SHA256 as the submitted sample, so the dropper copies itself unchanged to %APPDATA%\Intel Rapid\ and points the Startup .lnk at that copy.
                      • memory/812-62-0x0000000000000000-mapping.dmp

                      • memory/812-64-0x000000013F240000-0x000000013FB41000-memory.dmp

                      • memory/812-65-0x000000013F240000-0x000000013FB41000-memory.dmp

                      • memory/812-66-0x000000013F240000-0x000000013FB41000-memory.dmp

                      • memory/1652-55-0x000000013F350000-0x000000013FC51000-memory.dmp

                      • memory/1652-56-0x000000013F350000-0x000000013FC51000-memory.dmp

                      • memory/1652-57-0x000000013F350000-0x000000013FC51000-memory.dmp

                      • memory/1652-58-0x000007FEFB631000-0x000007FEFB633000-memory.dmp