1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781

General

Target: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
Filesize: 3MB
Completed: 16-01-2022 17:32
Score: 9/10
MD5: 8ddcc8ad6802a33161e5364090d0ba1b
SHA1: a66c8944d6e03c9b310777d805fe81e0cfadb86d
SHA256: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781

Malware Config
Signatures 10

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    Defense Evasion, Discovery

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    Process: IntelRapid.exe

    Reported IOCs

    PID | Process
    588 | IntelRapid.exe
  • Checks BIOS information in registry
    Processes: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe, IntelRapid.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelRapid.exe
  • Drops startup file
    Process: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe

    Reported IOCs

    Description | IOC | Process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    Resource | YARA rule
    behavioral1/memory/2756-115-0x00007FF770010000-0x00007FF770929000-memory.dmp | themida
    behavioral1/memory/2756-116-0x00007FF770010000-0x00007FF770929000-memory.dmp | themida
    behavioral1/memory/2756-117-0x00007FF770010000-0x00007FF770929000-memory.dmp | themida
    behavioral1/files/0x000500000001ab19-120.dat | themida
    behavioral1/files/0x000500000001ab19-119.dat | themida
    behavioral1/memory/588-121-0x00007FF79B100000-0x00007FF79BA19000-memory.dmp | themida
    behavioral1/memory/588-122-0x00007FF79B100000-0x00007FF79BA19000-memory.dmp | themida
    behavioral1/memory/588-123-0x00007FF79B100000-0x00007FF79BA19000-memory.dmp | themida
  • Checks whether UAC is enabled
    Processes: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe, IntelRapid.exe

    TTPs

    System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Processes: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe, IntelRapid.exe

    Reported IOCs

    PID | Process
    2756 | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
    588 | IntelRapid.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: AddClipboardFormatListener
    Process: IntelRapid.exe

    Reported IOCs

    PID | Process
    588 | IntelRapid.exe
  • Suspicious use of WriteProcessMemory
    Process: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe

    Reported IOCs

    Description | PID | Process | Target process
    PID 2756 wrote to memory of 588 | 2756 | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe | IntelRapid.exe
    PID 2756 wrote to memory of 588 | 2756 | 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe | IntelRapid.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe
    "C:\Users\Admin\AppData\Local\Temp\1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781.exe"
    Checks BIOS information in registry
    Drops startup file
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      PID:588
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5: 8ddcc8ad6802a33161e5364090d0ba1b
    SHA1: a66c8944d6e03c9b310777d805fe81e0cfadb86d
    SHA256: 1aee4c720519283ec2e6518005d3c22b8b1ddd2dad105060bb707dd867a90781
    SHA512: 102932bce97e585c0dc895187407989b05ca599c31e8b48b20e26ac95ae47e37677f9a0cf625263a21bde9b5cab4abd5badcb39e72a249727a161524e8da322a
  • memory/588-121-0x00007FF79B100000-0x00007FF79BA19000-memory.dmp
  • memory/588-122-0x00007FF79B100000-0x00007FF79BA19000-memory.dmp
  • memory/588-123-0x00007FF79B100000-0x00007FF79BA19000-memory.dmp
  • memory/588-118-0x0000000000000000-mapping.dmp
  • memory/2756-115-0x00007FF770010000-0x00007FF770929000-memory.dmp
  • memory/2756-116-0x00007FF770010000-0x00007FF770929000-memory.dmp
  • memory/2756-117-0x00007FF770010000-0x00007FF770929000-memory.dmp