Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 19-01-2022 23:11
Static task: static1
Behavioral task: behavioral1
- Sample: biamou.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: biamou.exe
- Resource: win10v2004-en-20220112
General
- Target: biamou.exe
- Size: 3.3MB
- MD5: 4da9953b63df9701effcbdabf0225a47
- SHA1: c6b57281d09a692e818b40c56f1ef08c8a4221fb
- SHA256: 29080b370df6a00c28578de988c5429aa0fc412c0977aadb1a56d6ed40a7c439
- SHA512: 2e6e436dfad558c6f52db26bfa510d61ed741c8f3c4d24f755682f8f9d95662a2c2c7bffc0c518eedc9754f3f75b5e8184e6b76b34a9a7e84e007cb51d976d13
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes:
  - IntelRapid.exe (PID 564)
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: biamou.exe, IntelRapid.exe
  Key values queried:
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (biamou.exe)
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (biamou.exe)
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (IntelRapid.exe)
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (IntelRapid.exe)
- Drops startup file (1 IoC)
  Processes: biamou.exe
  File created:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk (biamou.exe)
- Loads dropped DLL (3 IoCs)
  Processes:
  - biamou.exe (PID 1908), three events
- YARA matches (yara_rule: themida)
  Resources:
  - behavioral1/memory/1908-54-0x000000013FE80000-0x000000014079B000-memory.dmp: themida
  - behavioral1/memory/1908-55-0x000000013FE80000-0x000000014079B000-memory.dmp: themida
  - behavioral1/memory/1908-56-0x000000013FE80000-0x000000014079B000-memory.dmp: themida
  - \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe: themida (three matches)
  - C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe: themida
  - behavioral1/memory/564-62-0x000000013F750000-0x000000014006B000-memory.dmp: themida
  - behavioral1/memory/564-63-0x000000013F750000-0x000000014006B000-memory.dmp: themida
  - behavioral1/memory/564-64-0x000000013F750000-0x000000014006B000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes: biamou.exe, IntelRapid.exe
  Key values queried:
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (biamou.exe)
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (IntelRapid.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  - biamou.exe (PID 1908)
  - IntelRapid.exe (PID 564)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - IntelRapid.exe (PID 564)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 1908 (biamou.exe) wrote to memory of PID 564 (IntelRapid.exe), three events
Processes
- C:\Users\Admin\AppData\Local\Temp\biamou.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\biamou.exe"
  - Checks BIOS information in registry
  - Drops startup file
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  - MD5: 4da9953b63df9701effcbdabf0225a47
  - SHA1: c6b57281d09a692e818b40c56f1ef08c8a4221fb
  - SHA256: 29080b370df6a00c28578de988c5429aa0fc412c0977aadb1a56d6ed40a7c439
  - SHA512: 2e6e436dfad558c6f52db26bfa510d61ed741c8f3c4d24f755682f8f9d95662a2c2c7bffc0c518eedc9754f3f75b5e8184e6b76b34a9a7e84e007cb51d976d13
- memory/564-62-0x000000013F750000-0x000000014006B000-memory.dmp: 9.1MB
- memory/564-63-0x000000013F750000-0x000000014006B000-memory.dmp: 9.1MB
- memory/564-64-0x000000013F750000-0x000000014006B000-memory.dmp: 9.1MB
- memory/1908-54-0x000000013FE80000-0x000000014079B000-memory.dmp: 9.1MB
- memory/1908-55-0x000000013FE80000-0x000000014079B000-memory.dmp: 9.1MB
- memory/1908-56-0x000000013FE80000-0x000000014079B000-memory.dmp: 9.1MB
- memory/1908-57-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp: 8KB