Analysis
-
max time kernel
17s -
max time network
17s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
23-01-2022 11:30
General
-
Target
muyesi.exe
-
Size
3.5MB
-
MD5
65c50d3c08ea164e7919b8b867d5d186
-
SHA1
a4d7ef571989369d9776cd53d6c1df6b70fe4631
-
SHA256
89e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
-
SHA512
bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\muyesi.exe"C:\Users\Admin\AppData\Local\Temp\muyesi.exe"1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
65c50d3c08ea164e7919b8b867d5d186
SHA1a4d7ef571989369d9776cd53d6c1df6b70fe4631
SHA25689e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
SHA512bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
-
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
65c50d3c08ea164e7919b8b867d5d186
SHA1a4d7ef571989369d9776cd53d6c1df6b70fe4631
SHA25689e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
SHA512bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
-
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
65c50d3c08ea164e7919b8b867d5d186
SHA1a4d7ef571989369d9776cd53d6c1df6b70fe4631
SHA25689e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
SHA512bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
-
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
65c50d3c08ea164e7919b8b867d5d186
SHA1a4d7ef571989369d9776cd53d6c1df6b70fe4631
SHA25689e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
SHA512bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
-
memory/952-62-0x000000013F070000-0x000000013F9EA000-memory.dmpFilesize
9.5MB
-
memory/952-63-0x000000013F070000-0x000000013F9EA000-memory.dmpFilesize
9.5MB
-
memory/952-64-0x000000013F070000-0x000000013F9EA000-memory.dmpFilesize
9.5MB
-
memory/960-54-0x000000013FC90000-0x000000014060A000-memory.dmpFilesize
9.5MB
-
memory/960-55-0x000000013FC90000-0x000000014060A000-memory.dmpFilesize
9.5MB
-
memory/960-56-0x000000013FC90000-0x000000014060A000-memory.dmpFilesize
9.5MB
-
memory/960-57-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmpFilesize
8KB