Activate__Full__Setup.exe

General
  Target: Activate__Full__Setup.exe
  Filesize: 2MB
  Completed: 19-01-2022 16:49
  Score: 10/10
  MD5: 1e07343c234d91c56b9dd6618fe2707e
  SHA1: f6d0f9b4543897d9cc5fa6cf98003b74cdf5c237
  SHA256: 32d3346ff0178589981d808bfd950b5867e6245bd659d27341269af83785bd6e

Malware Config
Signatures 18

  • evasion

    Description

    evasion.

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/676-115-0x0000000000210000-0x00000000008C1000-memory.dmp | evasion
    behavioral2/memory/676-117-0x0000000000210000-0x00000000008C1000-memory.dmp | evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Downloads MZ/PE file
  • Executes dropped EXE
    File1.exe, IntelRapid.exe

    Reported IOCs

    pid | process
    3992 | File1.exe
    3792 | IntelRapid.exe
  • Checks BIOS information in registry
    File1.exe, IntelRapid.exe, Activate__Full__Setup.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | File1.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | File1.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Activate__Full__Setup.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Activate__Full__Setup.exe
  • Drops startup file
    File1.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | File1.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/676-115-0x0000000000210000-0x00000000008C1000-memory.dmp | themida
    behavioral2/memory/676-117-0x0000000000210000-0x00000000008C1000-memory.dmp | themida
    behavioral2/files/0x000500000001ab44-119.dat | themida
    behavioral2/files/0x000500000001ab44-118.dat | themida
    behavioral2/memory/3992-120-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp | themida
    behavioral2/memory/3992-121-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp | themida
    behavioral2/memory/3992-122-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp | themida
    behavioral2/files/0x000500000001ab46-123.dat | themida
    behavioral2/files/0x000500000001ab46-124.dat | themida
    behavioral2/memory/3792-125-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp | themida
    behavioral2/memory/3792-126-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp | themida
    behavioral2/memory/3792-127-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp | themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    Activate__Full__Setup.exe, File1.exe, IntelRapid.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Activate__Full__Setup.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | File1.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Activate__Full__Setup.exe, File1.exe, IntelRapid.exe

    Reported IOCs

    pid | process
    676 | Activate__Full__Setup.exe
    3992 | File1.exe
    3792 | IntelRapid.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    Activate__Full__Setup.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Activate__Full__Setup.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Activate__Full__Setup.exe
  • Delays execution with timeout.exe
    timeout.exe

    Tags

    Reported IOCs

    pid | process
    2444 | timeout.exe
  • Suspicious behavior: AddClipboardFormatListener
    IntelRapid.exe

    Reported IOCs

    pid | process
    3792 | IntelRapid.exe
  • Suspicious behavior: EnumeratesProcesses
    Activate__Full__Setup.exe

    Reported IOCs

    pid | process
    676 | Activate__Full__Setup.exe
    676 | Activate__Full__Setup.exe
  • Suspicious use of WriteProcessMemory
    Activate__Full__Setup.exe, cmd.exe, File1.exe

    Reported IOCs

    description | pid | process | target process
    PID 676 wrote to memory of 3992 | 676 | Activate__Full__Setup.exe | File1.exe
    PID 676 wrote to memory of 3992 | 676 | Activate__Full__Setup.exe | File1.exe
    PID 676 wrote to memory of 2300 | 676 | Activate__Full__Setup.exe | cmd.exe
    PID 676 wrote to memory of 2300 | 676 | Activate__Full__Setup.exe | cmd.exe
    PID 676 wrote to memory of 2300 | 676 | Activate__Full__Setup.exe | cmd.exe
    PID 2300 wrote to memory of 2444 | 2300 | cmd.exe | timeout.exe
    PID 2300 wrote to memory of 2444 | 2300 | cmd.exe | timeout.exe
    PID 2300 wrote to memory of 2444 | 2300 | cmd.exe | timeout.exe
    PID 3992 wrote to memory of 3792 | 3992 | File1.exe | IntelRapid.exe
    PID 3992 wrote to memory of 3792 | 3992 | File1.exe | IntelRapid.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\Activate__Full__Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Activate__Full__Setup.exe"
    Checks BIOS information in registry
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Checks processor information in registry
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:676
    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      "C:\Users\Admin\AppData\Local\Temp\File1.exe"
      Executes dropped EXE
      Checks BIOS information in registry
      Drops startup file
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
        "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: AddClipboardFormatListener
        PID:3792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Activate__Full__Setup.exe"
      Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3
        Delays execution with timeout.exe
        PID:2444
Network
MITRE ATT&CK Matrix
  Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\File1.exe
    MD5: 87ad64114de9c4c33525d0a7d0980b82
    SHA1: 13820afec0e13be059c17ececbede09cf39b6fa5
    SHA256: 5d84c220f8fb9c93119698ba3212298e99fe688a1b7c749adb64a6d86a823f81
    SHA512: 400a04039b1ca6851209574b53a3b90a218b6f324773528b0ccba2809e0475f4b5620e8f2d8575621ffbe67308759443720e3a2197da9bb8ed0f33e35a18607d
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5: 87ad64114de9c4c33525d0a7d0980b82
    SHA1: 13820afec0e13be059c17ececbede09cf39b6fa5
    SHA256: 5d84c220f8fb9c93119698ba3212298e99fe688a1b7c749adb64a6d86a823f81
    SHA512: 400a04039b1ca6851209574b53a3b90a218b6f324773528b0ccba2809e0475f4b5620e8f2d8575621ffbe67308759443720e3a2197da9bb8ed0f33e35a18607d
  • memory/676-116-0x00000000772B0000-0x000000007743E000-memory.dmp
  • memory/676-117-0x0000000000210000-0x00000000008C1000-memory.dmp
  • memory/676-115-0x0000000000210000-0x00000000008C1000-memory.dmp
  • memory/3792-127-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp
  • memory/3792-125-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp
  • memory/3792-126-0x00007FF6B2070000-0x00007FF6B29E1000-memory.dmp
  • memory/3992-122-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp
  • memory/3992-120-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp
  • memory/3992-121-0x00007FF7821D0000-0x00007FF782B41000-memory.dmp