Analysis
  max time kernel: 339s
  max time network: 1565s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 19-01-2022 16:18
Static task: static1
Behavioral task: behavioral1
  Sample: Activate__Full__Setup.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Activate__Full__Setup.exe
  Resource: win10-en-20211208
Behavioral task: behavioral3
  Sample: Activate__Full__Setup.exe
  Resource: win11
General
  Target: Activate__Full__Setup.exe
  Size: 2.5MB
  MD5: 1e07343c234d91c56b9dd6618fe2707e
  SHA1: f6d0f9b4543897d9cc5fa6cf98003b74cdf5c237
  SHA256: 32d3346ff0178589981d808bfd950b5867e6245bd659d27341269af83785bd6e
  SHA512: a8ecc970e83fada0bff522321376987e28224f57782deabb69c986be6f7caa9c0f9e7c85d6350ac7236f1a7c6b2e1d44230f9a92a59770793c5b2fb3df52de9b
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/676-115-0x0000000000210000-0x00000000008C1000-memory.dmp   evasion
  behavioral2/memory/676-117-0x0000000000210000-0x00000000008C1000-memory.dmp   evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Downloads MZ/PE file

Executes dropped EXE [2 IoCs]
  Processes:
    pid   process
    3992  File1.exe
    3792  IntelRapid.exe
Checks BIOS information in registry [2 TTPs, 6 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                               process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   File1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    File1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Activate__Full__Setup.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Activate__Full__Setup.exe

Drops startup file [1 IoCs]
  Processes:
    description   ioc                                                                                        process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk  File1.exe

Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  resource                                                                       yara_rule
  behavioral2/memory/676-115-0x0000000000210000-0x00000000008C1000-memory.dmp    themida
  behavioral2/memory/676-117-0x0000000000210000-0x00000000008C1000-memory.dmp    themida
  C:\Users\Admin\AppData\Local\Temp\File1.exe                                    themida
  C:\Users\Admin\AppData\Local\Temp\File1.exe                                    themida
  behavioral2/memory/3992-120-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp   themida
  behavioral2/memory/3992-121-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp   themida
  behavioral2/memory/3992-122-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp   themida
  C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                      themida
  C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                      themida
  behavioral2/memory/3792-125-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp   themida
  behavioral2/memory/3792-126-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp   themida
  behavioral2/memory/3792-127-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp   themida
Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTPs]
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  Processes:
    description        ioc                                                                     process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Activate__Full__Setup.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   File1.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   IntelRapid.exe

Suspicious use of NtSetInformationThreadHideFromDebugger [3 IoCs]
  Processes:
    pid   process
    676   Activate__Full__Setup.exe
    3992  File1.exe
    3792  IntelRapid.exe
Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                              process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  Activate__Full__Setup.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Activate__Full__Setup.exe

Delays execution with timeout.exe [1 IoCs]
  Processes:
    pid   process
    2444  timeout.exe

Suspicious behavior: AddClipboardFormatListener [1 IoCs]
  Processes:
    pid   process
    3792  IntelRapid.exe

Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    pid   process
    676   Activate__Full__Setup.exe
    676   Activate__Full__Setup.exe

Suspicious use of WriteProcessMemory [10 IoCs]
  Processes:
    description                       pid   process                    target process
    PID 676 wrote to memory of 3992   676   Activate__Full__Setup.exe  File1.exe
    PID 676 wrote to memory of 3992   676   Activate__Full__Setup.exe  File1.exe
    PID 676 wrote to memory of 2300   676   Activate__Full__Setup.exe  cmd.exe
    PID 676 wrote to memory of 2300   676   Activate__Full__Setup.exe  cmd.exe
    PID 676 wrote to memory of 2300   676   Activate__Full__Setup.exe  cmd.exe
    PID 2300 wrote to memory of 2444  2300  cmd.exe                    timeout.exe
    PID 2300 wrote to memory of 2444  2300  cmd.exe                    timeout.exe
    PID 2300 wrote to memory of 2444  2300  cmd.exe                    timeout.exe
    PID 3992 wrote to memory of 3792  3992  File1.exe                  IntelRapid.exe
    PID 3992 wrote to memory of 3792  3992  File1.exe                  IntelRapid.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\Activate__Full__Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Activate__Full__Setup.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\File1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\File1.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Drops startup file
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Activate__Full__Setup.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 3
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\File1.exe
    MD5: 87ad64114de9c4c33525d0a7d0980b82
    SHA1: 13820afec0e13be059c17ececbede09cf39b6fa5
    SHA256: 5d84c220f8fb9c93119698ba3212298e99fe688a1b7c749adb64a6d86a823f81
    SHA512: 400a04039b1ca6851209574b53a3b90a218b6f324773528b0ccba2809e0475f4b5620e8f2d8575621ffbe67308759443720e3a2197da9bb8ed0f33e35a18607d
  C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5: 87ad64114de9c4c33525d0a7d0980b82
    SHA1: 13820afec0e13be059c17ececbede09cf39b6fa5
    SHA256: 5d84c220f8fb9c93119698ba3212298e99fe688a1b7c749adb64a6d86a823f81
    SHA512: 400a04039b1ca6851209574b53a3b90a218b6f324773528b0ccba2809e0475f4b5620e8f2d8575621ffbe67308759443720e3a2197da9bb8ed0f33e35a18607d
  memory/676-117-0x0000000000210000-0x00000000008C1000-memory.dmp
    Filesize: 6.7MB
  memory/676-116-0x00000000772B0000-0x000000007743E000-memory.dmp
    Filesize: 1.6MB
  memory/676-115-0x0000000000210000-0x00000000008C1000-memory.dmp
    Filesize: 6.7MB
  memory/3792-125-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp
    Filesize: 9.4MB
  memory/3792-126-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp
    Filesize: 9.4MB
  memory/3792-127-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp
    Filesize: 9.4MB
  memory/3992-120-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp
    Filesize: 9.4MB
  memory/3992-121-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp
    Filesize: 9.4MB
  memory/3992-122-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp
    Filesize: 9.4MB