IntelRapid.exe

General

Target     IntelRapid.exe
Filesize   3MB
Completed  19-01-2022 14:30
Score      9/10
MD5        a9334eeb8615854db602db4447beeab2
SHA1       066ad5133b7435b75fe10d7af693c9b6811dc7a9
SHA256     d819e0689e1782f676e1644d503f31dae35589ea29b2b7169f69b81abea21d75

Malware Config
Signatures 11

Tactics: Defense Evasion, Discovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    IntelRapid.exe

    Reported IOCs

    pid   process
    1660  IntelRapid.exe
  • Checks BIOS information in registry
    IntelRapid.exe, IntelRapid.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  IntelRapid.exe
  • Drops startup file
    IntelRapid.exe

    Reported IOCs

    description   ioc                                                                                            process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk  IntelRapid.exe
  • Loads dropped DLL
    IntelRapid.exe

    Reported IOCs

    pid   process
    1636  IntelRapid.exe
    1636  IntelRapid.exe
    1636  IntelRapid.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1636-54-0x000000013F9C0000-0x0000000140331000-memory.dmp  themida
    behavioral1/memory/1636-55-0x000000013F9C0000-0x0000000140331000-memory.dmp  themida
    behavioral1/memory/1636-56-0x000000013F9C0000-0x0000000140331000-memory.dmp  themida
    behavioral1/files/0x0007000000013225-58.dat                                  themida
    behavioral1/files/0x0007000000013225-59.dat                                  themida
    behavioral1/files/0x0007000000013225-60.dat                                  themida
    behavioral1/files/0x0007000000013225-61.dat                                  themida
    behavioral1/memory/1660-62-0x000000013FE50000-0x00000001407C1000-memory.dmp  themida
    behavioral1/memory/1660-63-0x000000013FE50000-0x00000001407C1000-memory.dmp  themida
    behavioral1/memory/1660-64-0x000000013FE50000-0x00000001407C1000-memory.dmp  themida
  • Checks whether UAC is enabled
    IntelRapid.exe, IntelRapid.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                         process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  IntelRapid.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    IntelRapid.exe, IntelRapid.exe

    Reported IOCs

    pid   process
    1636  IntelRapid.exe
    1660  IntelRapid.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: AddClipboardFormatListener
    IntelRapid.exe

    Reported IOCs

    pid   process
    1660  IntelRapid.exe
  • Suspicious use of WriteProcessMemory
    IntelRapid.exe

    Reported IOCs

    description                        pid   process         target process
    PID 1636 wrote to memory of 1660   1636  IntelRapid.exe  IntelRapid.exe
    PID 1636 wrote to memory of 1660   1636  IntelRapid.exe  IntelRapid.exe
    PID 1636 wrote to memory of 1660   1636  IntelRapid.exe  IntelRapid.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\IntelRapid.exe
    "C:\Users\Admin\AppData\Local\Temp\IntelRapid.exe"
    Checks BIOS information in registry
    Drops startup file
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      PID:1660
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5     a9334eeb8615854db602db4447beeab2
    SHA1    066ad5133b7435b75fe10d7af693c9b6811dc7a9
    SHA256  d819e0689e1782f676e1644d503f31dae35589ea29b2b7169f69b81abea21d75
    SHA512  a2f27c7716e2d7c2091a4f4a8b7fab7a9bd32d1640411cb9799756427b10468bc917963dab13c626d63fc6e0a081308779160f44a2987e68c250b41998d43b5c

  • \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5     a9334eeb8615854db602db4447beeab2
    SHA1    066ad5133b7435b75fe10d7af693c9b6811dc7a9
    SHA256  d819e0689e1782f676e1644d503f31dae35589ea29b2b7169f69b81abea21d75
    SHA512  a2f27c7716e2d7c2091a4f4a8b7fab7a9bd32d1640411cb9799756427b10468bc917963dab13c626d63fc6e0a081308779160f44a2987e68c250b41998d43b5c

  • memory/1636-56-0x000000013F9C0000-0x0000000140331000-memory.dmp
  • memory/1636-57-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp
  • memory/1636-54-0x000000013F9C0000-0x0000000140331000-memory.dmp
  • memory/1636-55-0x000000013F9C0000-0x0000000140331000-memory.dmp
  • memory/1660-62-0x000000013FE50000-0x00000001407C1000-memory.dmp
  • memory/1660-63-0x000000013FE50000-0x00000001407C1000-memory.dmp
  • memory/1660-64-0x000000013FE50000-0x00000001407C1000-memory.dmp