978b7f1dba9746c29ac4b61bc219bd7b

General

Target: 978b7f1dba9746c29ac4b61bc219bd7b.exe
Filesize: 3MB
Completed: 16-01-2022 08:17
Score: 9/10
MD5: 978b7f1dba9746c29ac4b61bc219bd7b
SHA1: f498e5ebf211bace3e027a1596edfdcf7900317c
SHA256: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

Malware Config
Signatures 12

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry; Virtualization/Sandbox Evasion
  • Executes dropped EXE
    IntelRapid.exe

    Reported IOCs

    pid | process
    1852 | IntelRapid.exe
  • Checks BIOS information in registry
    IntelRapid.exe, 978b7f1dba9746c29ac4b61bc219bd7b.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
  • Drops startup file
    978b7f1dba9746c29ac4b61bc219bd7b.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | 978b7f1dba9746c29ac4b61bc219bd7b.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3260-130-0x00007FF752880000-0x00007FF753181000-memory.dmp | themida
    behavioral2/memory/3260-131-0x00007FF752880000-0x00007FF753181000-memory.dmp | themida
    behavioral2/memory/3260-132-0x00007FF752880000-0x00007FF753181000-memory.dmp | themida
    behavioral2/files/0x00070000000221a5-134.dat | themida
    behavioral2/files/0x00070000000221a5-135.dat | themida
    behavioral2/memory/1852-136-0x00007FF6E7BB0000-0x00007FF6E84B1000-memory.dmp | themida
    behavioral2/memory/1852-137-0x00007FF6E7BB0000-0x00007FF6E84B1000-memory.dmp | themida
    behavioral2/memory/1852-138-0x00007FF6E7BB0000-0x00007FF6E84B1000-memory.dmp | themida
  • Checks whether UAC is enabled
    978b7f1dba9746c29ac4b61bc219bd7b.exe, IntelRapid.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    978b7f1dba9746c29ac4b61bc219bd7b.exe, IntelRapid.exe

    Reported IOCs

    pid | process
    3260 | 978b7f1dba9746c29ac4b61bc219bd7b.exe
    1852 | IntelRapid.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    MusNotification.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe
  • Suspicious behavior: AddClipboardFormatListener
    IntelRapid.exe

    Reported IOCs

    pid | process
    1852 | IntelRapid.exe
  • Suspicious use of AdjustPrivilegeToken
    MusNotification.exe

    Reported IOCs

    description | pid | process
    Token: SeShutdownPrivilege | 1564 | MusNotification.exe
    Token: SeCreatePagefilePrivilege | 1564 | MusNotification.exe
  • Suspicious use of WriteProcessMemory
    978b7f1dba9746c29ac4b61bc219bd7b.exe

    Reported IOCs

    description | pid | process | target process
    PID 3260 wrote to memory of 1852 | 3260 | 978b7f1dba9746c29ac4b61bc219bd7b.exe | IntelRapid.exe
    PID 3260 wrote to memory of 1852 | 3260 | 978b7f1dba9746c29ac4b61bc219bd7b.exe | IntelRapid.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\978b7f1dba9746c29ac4b61bc219bd7b.exe
    "C:\Users\Admin\AppData\Local\Temp\978b7f1dba9746c29ac4b61bc219bd7b.exe"
    Checks BIOS information in registry
    Drops startup file
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      PID:1852
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    Checks processor information in registry
    Suspicious use of AdjustPrivilegeToken
    PID:1564
Network
MITRE ATT&CK Matrix

Collection; Command and Control; Credential Access; Execution; Exfiltration; Impact; Initial Access; Lateral Movement; Persistence; Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

    MD5: 978b7f1dba9746c29ac4b61bc219bd7b
    SHA1: f498e5ebf211bace3e027a1596edfdcf7900317c
    SHA256: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7
    SHA512: dbdba57e4af16966d814bb0fafec867be05dd33381ab3140cb99249a7df57f7a09f69bdec5909d00a7268fda7574be3e738561bf094b211e3e9d5c6fb126da08

  • memory/1852-136-0x00007FF6E7BB0000-0x00007FF6E84B1000-memory.dmp
  • memory/1852-137-0x00007FF6E7BB0000-0x00007FF6E84B1000-memory.dmp
  • memory/1852-138-0x00007FF6E7BB0000-0x00007FF6E84B1000-memory.dmp
  • memory/1852-133-0x0000000000000000-mapping.dmp
  • memory/3260-130-0x00007FF752880000-0x00007FF753181000-memory.dmp
  • memory/3260-131-0x00007FF752880000-0x00007FF753181000-memory.dmp
  • memory/3260-132-0x00007FF752880000-0x00007FF753181000-memory.dmp