e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

General

Target: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
Filesize: 3MB
Completed: 16-01-2022 07:52
Score: 9/10
MD5: 978b7f1dba9746c29ac4b61bc219bd7b
SHA1: f498e5ebf211bace3e027a1596edfdcf7900317c
SHA256: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7

Malware Config
Signatures 10

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry | Virtualization/Sandbox Evasion
  • Executes dropped EXE
    IntelRapid.exe

    Reported IOCs

    pid  | process
    3736 | IntelRapid.exe
  • Checks BIOS information in registry
    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe | IntelRapid.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry | System Information Discovery

    Reported IOCs

    description       | ioc                                                              | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | IntelRapid.exe
  • Drops startup file
    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe

    Reported IOCs

    description  | ioc                                                                                            | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource                                                                      | yara_rule
    behavioral1/memory/2696-114-0x00007FF6662D0000-0x00007FF666BD1000-memory.dmp | themida
    behavioral1/memory/2696-115-0x00007FF6662D0000-0x00007FF666BD1000-memory.dmp | themida
    behavioral1/memory/2696-116-0x00007FF6662D0000-0x00007FF666BD1000-memory.dmp | themida
    behavioral1/files/0x000500000001ab32-119.dat                                  | themida
    behavioral1/files/0x000500000001ab32-118.dat                                  | themida
    behavioral1/memory/3736-120-0x00007FF608150000-0x00007FF608A51000-memory.dmp | themida
    behavioral1/memory/3736-121-0x00007FF608150000-0x00007FF608A51000-memory.dmp | themida
    behavioral1/memory/3736-122-0x00007FF608150000-0x00007FF608A51000-memory.dmp | themida
  • Checks whether UAC is enabled
    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe | IntelRapid.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description       | ioc                                                                              | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe | IntelRapid.exe

    Reported IOCs

    pid  | process
    2696 | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
    3736 | IntelRapid.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: AddClipboardFormatListener
    IntelRapid.exe

    Reported IOCs

    pid  | process
    3736 | IntelRapid.exe
  • Suspicious use of WriteProcessMemory
    e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe

    Reported IOCs

    description                       | pid  | process                                                              | target process
    PID 2696 wrote to memory of 3736 | 2696 | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe | IntelRapid.exe
    PID 2696 wrote to memory of 3736 | 2696 | e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe | IntelRapid.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe
    "C:\Users\Admin\AppData\Local\Temp\e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7.exe"
    Checks BIOS information in registry
    Drops startup file
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      PID:3736
Network

Downloads
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

    MD5: 978b7f1dba9746c29ac4b61bc219bd7b
    SHA1: f498e5ebf211bace3e027a1596edfdcf7900317c
    SHA256: e36e717ad1f661f695e905d457dba6729aa238c0da051893ebec1429e042ddf7
    SHA512: dbdba57e4af16966d814bb0fafec867be05dd33381ab3140cb99249a7df57f7a09f69bdec5909d00a7268fda7574be3e738561bf094b211e3e9d5c6fb126da08

  • memory/2696-114-0x00007FF6662D0000-0x00007FF666BD1000-memory.dmp
  • memory/2696-115-0x00007FF6662D0000-0x00007FF666BD1000-memory.dmp
  • memory/2696-116-0x00007FF6662D0000-0x00007FF666BD1000-memory.dmp
  • memory/3736-117-0x0000000000000000-mapping.dmp
  • memory/3736-120-0x00007FF608150000-0x00007FF608A51000-memory.dmp
  • memory/3736-121-0x00007FF608150000-0x00007FF608A51000-memory.dmp
  • memory/3736-122-0x00007FF608150000-0x00007FF608A51000-memory.dmp