Analysis
Max time kernel: 17s
Max time network: 17s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 23-01-2022 11:30
Static task: static1
Behavioral task: behavioral1 (Sample: muyesi.exe, Resource: win7-en-20211208)
General
Target: muyesi.exe
Size: 3.5MB
MD5: 65c50d3c08ea164e7919b8b867d5d186
SHA1: a4d7ef571989369d9776cd53d6c1df6b70fe4631
SHA256: 89e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
SHA512: bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs]

Executes dropped EXE  [1 IoC]
Processes:
  PID   Process
  952   IntelRapid.exe
Checks BIOS information in registry  [2 TTPs, 4 IoCs]
BIOS information is often read in order to detect sandboxing environments: hypervisors typically leave their vendor name in these strings (for example "VBOX" or "VirtualBox" in a VirtualBox guest, "VMware" or "QEMU" elsewhere), so a single registry read is enough to fingerprint the host.
Processes:
  Description         IoC                                                                 Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     IntelRapid.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    muyesi.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     muyesi.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    IntelRapid.exe
Drops startup file  [1 IoC]
Processes:
  Description    IoC                                                                                              Process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk    muyesi.exe
Loads dropped DLL  [3 IoCs]
Processes:
  PID   Process
  960   muyesi.exe
  960   muyesi.exe
  960   muyesi.exe
YARA rule match: themida  [10 IoCs]
Themida is a commercial packer/protector. Its built-in anti-debug and anti-VM code is a common source of the debugger-hiding and BIOS/ACPI registry checks recorded elsewhere in this report, so those signatures do not by themselves characterise the payload; the same rule matches the in-memory image of both processes and the dropped copy on disk.
Resources:
  Resource                                                                          YARA rule
  behavioral1/memory/960-54-0x000000013FC90000-0x000000014060A000-memory.dmp       themida
  behavioral1/memory/960-55-0x000000013FC90000-0x000000014060A000-memory.dmp       themida
  behavioral1/memory/960-56-0x000000013FC90000-0x000000014060A000-memory.dmp       themida
  \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                           themida
  \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                           themida
  C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                         themida
  \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                           themida
  behavioral1/memory/952-62-0x000000013F070000-0x000000013F9EA000-memory.dmp       themida
  behavioral1/memory/952-63-0x000000013F070000-0x000000013F9EA000-memory.dmp       themida
  behavioral1/memory/952-64-0x000000013F070000-0x000000013F9EA000-memory.dmp       themida
Checks whether UAC is enabled  [2 IoCs]
Processes:
  Description         IoC                                                                                      Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   muyesi.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   IntelRapid.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  [2 IoCs]
Processes:
  PID   Process
  960   muyesi.exe
  952   IntelRapid.exe
Enumerates physical storage devices  [1 TTP]
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as a common ransomware behaviour, but nothing else in this report (no mass file modification, no ransom note, no encryption-related IoCs) supports that classification for this sample.
Suspicious behavior: AddClipboardFormatListener  [1 IoC]
AddClipboardFormatListener registers a window for WM_CLIPBOARDUPDATE notifications on every clipboard change; it is the usual hook for clipboard monitoring and clipboard-hijacking ("clipper") malware, and here it is called only by the persistent dropped copy, not by the initial dropper.
Processes:
  PID   Process
  952   IntelRapid.exe
Suspicious use of WriteProcessMemory  [3 IoCs]
All three writes go from the dropper (PID 960) into the child it has just created (PID 952). This signature fires for most parent-to-child launches, including benign ones, because CreateProcess itself writes the new process's parameter block into the child, so on its own it is not evidence of code injection.
Processes:
  Description   PID   Process       Target process
  PID 960 wrote to memory of 952   960   muyesi.exe   IntelRapid.exe
  PID 960 wrote to memory of 952   960   muyesi.exe   IntelRapid.exe
  PID 960 wrote to memory of 952   960   muyesi.exe   IntelRapid.exe
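The signatures above are derived by the sandbox from individual API and registry events. The script below is an added example, not part of the sandbox report or its tooling: it re-derives the same behavioural findings from a flat event list so that the per-process logic (which value names together constitute a BIOS fingerprint, what counts as a Startup-folder drop, when a WriteProcessMemory is noise versus a possible injection) is explicit. The EVENTS text is constructed by hand from the IoC tables in this report (PIDs, image names, registry paths, the .lnk path and the API names are the report's); the "<pid> <image> <kind> <detail>" line format, and the createprocess and filecreate-of-IntelRapid.exe lines, which follow from the process tree and the Downloads list rather than from a listed IoC, are this example's own assumptions. The ATT&CK IDs in the findings are current technique numbers chosen here; the report's matrix uses ATT&CK v6, where some of them differ.

```python
"""Re-derive this report's behavioural signatures from raw IoC lines (added example)."""
from collections import defaultdict

# Constructed from the report's IoC tables; the line format and the two
# 'derived' lines (createprocess, filecreate of the dropped EXE) are this
# example's own, not sandbox output.
EVENTS = r"""
960 muyesi.exe regquery \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
960 muyesi.exe regquery \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
952 IntelRapid.exe regquery \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
952 IntelRapid.exe regquery \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
960 muyesi.exe regquery \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
952 IntelRapid.exe regquery \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
960 muyesi.exe filecreate C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
960 muyesi.exe filecreate C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk
960 muyesi.exe createprocess 952 C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
960 muyesi.exe writeprocessmemory 952
960 muyesi.exe writeprocessmemory 952
960 muyesi.exe writeprocessmemory 952
960 muyesi.exe apicall NtSetInformationThread ThreadHideFromDebugger
952 IntelRapid.exe apicall NtSetInformationThread ThreadHideFromDebugger
952 IntelRapid.exe apicall AddClipboardFormatListener
"""

# Both BIOS strings read by one process is the classic VM/sandbox fingerprint.
BIOS_VALUES = {"SystemBiosVersion", "VideoBiosVersion"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse(events):
    """Yield (pid, image, kind, detail); detail keeps any embedded spaces."""
    for line in events.splitlines():
        if line.strip():
            pid, image, kind, *rest = line.split(maxsplit=3)
            yield int(pid), image, kind, rest[0] if rest else ""


def triage(events):
    """Return {pid: (image, [finding, ...])} for every process in events."""
    image_of = {}
    reg = defaultdict(set)       # pid -> registry value names queried
    files = defaultdict(list)    # pid -> files created
    apis = defaultdict(list)     # pid -> notable API calls
    children = defaultdict(set)  # pid -> PIDs it created
    writes = defaultdict(set)    # pid -> PIDs it wrote memory into
    for pid, image, kind, detail in parse(events):
        image_of[pid] = image
        if kind == "regquery":
            reg[pid].add(detail.rsplit("\\", 1)[-1])
        elif kind == "filecreate":
            files[pid].append(detail)
        elif kind == "createprocess":
            children[pid].add(int(detail.split()[0]))
        elif kind == "writeprocessmemory":
            writes[pid].add(int(detail))
        elif kind == "apicall":
            apis[pid].append(detail)

    report = {}
    for pid, image in image_of.items():
        f = []
        if BIOS_VALUES <= reg[pid]:
            f.append("Checks BIOS information in registry (T1082, T1497)")
        if "EnableLUA" in reg[pid]:
            f.append("Checks whether UAC is enabled")
        for path in files[pid]:
            if STARTUP_DIR in path.lower():
                name = path.rsplit("\\", 1)[-1]
                f.append(f"Drops startup file {name} (T1547.001)")
        if any("ThreadHideFromDebugger" in a for a in apis[pid]):
            f.append("NtSetInformationThread(ThreadHideFromDebugger): anti-debug (T1622)")
        if any(a.startswith("AddClipboardFormatListener") for a in apis[pid]):
            f.append("AddClipboardFormatListener: clipboard monitoring (T1115)")
        # CreateProcess itself writes the child's parameter block, so writes into
        # a process this one created are expected; only writes into processes it
        # did not create are treated as possible injection.
        foreign = writes[pid] - children[pid]
        own = writes[pid] & children[pid]
        if foreign:
            f.append(f"WriteProcessMemory into non-child PID(s) {sorted(foreign)}: possible injection (T1055)")
        if own:
            f.append(f"WriteProcessMemory into own child PID(s) {sorted(own)}: expected for CreateProcess, low signal alone")
        report[pid] = (image, f)
    return report


if __name__ == "__main__":
    for pid, (image, findings) in triage(EVENTS).items():
        print(f"{pid} {image}")
        for line in findings:
            print("  -", line)
```

Run as-is it reproduces the report's per-process split: the BIOS, UAC and debugger-hiding findings on both PIDs, the Startup drop only on 960, the clipboard listener only on 952, and the three memory writes downgraded to expected parent-to-child activity because 960 is recorded as 952's creator. Appending a write into a PID that 960 did not create flips that last finding to a possible-injection one.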
Processes
1. C:\Users\Admin\AppData\Local\Temp\muyesi.exe  (PID 960)
   Command line: "C:\Users\Admin\AppData\Local\Temp\muyesi.exe"
   - Checks BIOS information in registry
   - Drops startup file
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe  (PID 952, child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
(also recorded by the sandbox as \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe)
MD5: 65c50d3c08ea164e7919b8b867d5d186
SHA1: a4d7ef571989369d9776cd53d6c1df6b70fe4631
SHA256: 89e6c206fda9f3a617f7e71dff1046389aae8897e231d6d19d2da692a54b4a01
SHA512: bf628c28ae7a0bc95ea54b70504eb7cd1b3f6dd3b6f2e3a37ddefcc75f60cde9ac39588bc63092857aa41ecd22ebc3ab1c609ffba4fe88267b7239f91f503009
These hashes are identical to those of the submitted sample: muyesi.exe copies itself unchanged to %APPDATA%\Intel Rapid\IntelRapid.exe, drops IntelRapid.lnk into the user's Startup folder, and launches the copy. The dropped file is therefore the same Themida-protected binary, not a second-stage payload.

Memory dumps
  Dump                                                               Filesize
  memory/952-62-0x000000013F070000-0x000000013F9EA000-memory.dmp    9.5MB
  memory/952-63-0x000000013F070000-0x000000013F9EA000-memory.dmp    9.5MB
  memory/952-64-0x000000013F070000-0x000000013F9EA000-memory.dmp    9.5MB
  memory/960-54-0x000000013FC90000-0x000000014060A000-memory.dmp    9.5MB
  memory/960-55-0x000000013FC90000-0x000000014060A000-memory.dmp    9.5MB
  memory/960-56-0x000000013FC90000-0x000000014060A000-memory.dmp    9.5MB
  memory/960-57-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp    8KB