Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 07:02
Static task: static1
Behavioral task: behavioral1
Sample: b2bbe95f39b1fa0ebaa00d29041e81ba.exe
Resource: win7-en-20211208
General
- Target: b2bbe95f39b1fa0ebaa00d29041e81ba.exe
- Size: 3.5MB
- MD5: b2bbe95f39b1fa0ebaa00d29041e81ba
- SHA1: 197b85e8d120d623a2b5b2d9357096042232ab7d
- SHA256: ddc739b6d73bd1dc3f6cd7be4daced463081b6a8baffd3fee7931f529e9c23fd
- SHA512: 88152164f1287bb17bda63721451af814c0c60873c8e66a619b0c1433901c074b5fc5011d85c7c07a7c3134d2625ea7bfab60f0cdaf422d200fb9a3c05a30b29
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes: IntelRapid.exe
    pid   process
    1220  IntelRapid.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: b2bbe95f39b1fa0ebaa00d29041e81ba.exe, IntelRapid.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   IntelRapid.exe
- Drops startup file (1 IoC)
  Processes: b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    description   ioc                                                                                        process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
- Loads dropped DLL (3 IoCs)
  Processes: b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    pid   process
    1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
- YARA rule matches
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1688-54-0x000000013F4A0000-0x000000013FE1B000-memory.dmp  themida
    behavioral1/memory/1688-55-0x000000013F4A0000-0x000000013FE1B000-memory.dmp  themida
    behavioral1/memory/1688-56-0x000000013F4A0000-0x000000013FE1B000-memory.dmp  themida
    \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                      themida
    \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                      themida
    \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                      themida
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                    themida
    behavioral1/memory/1220-62-0x000000013F800000-0x000000014017B000-memory.dmp  themida
    behavioral1/memory/1220-63-0x000000013F800000-0x000000014017B000-memory.dmp  themida
    behavioral1/memory/1220-64-0x000000013F800000-0x000000014017B000-memory.dmp  themida
- Checks whether UAC is enabled
  Processes: b2bbe95f39b1fa0ebaa00d29041e81ba.exe, IntelRapid.exe
    description        ioc                                                                      process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  IntelRapid.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: b2bbe95f39b1fa0ebaa00d29041e81ba.exe, IntelRapid.exe
    pid   process
    1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    1220  IntelRapid.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: IntelRapid.exe
    pid   process
    1220  IntelRapid.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: b2bbe95f39b1fa0ebaa00d29041e81ba.exe
    description                       pid   process                               target process
    PID 1688 wrote to memory of 1220  1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe  IntelRapid.exe
    PID 1688 wrote to memory of 1220  1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe  IntelRapid.exe
    PID 1688 wrote to memory of 1220  1688  b2bbe95f39b1fa0ebaa00d29041e81ba.exe  IntelRapid.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b2bbe95f39b1fa0ebaa00d29041e81ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2bbe95f39b1fa0ebaa00d29041e81ba.exe"
  - Checks BIOS information in registry
  - Drops startup file
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  MD5: b2bbe95f39b1fa0ebaa00d29041e81ba
  SHA1: 197b85e8d120d623a2b5b2d9357096042232ab7d
  SHA256: ddc739b6d73bd1dc3f6cd7be4daced463081b6a8baffd3fee7931f529e9c23fd
  SHA512: 88152164f1287bb17bda63721451af814c0c60873c8e66a619b0c1433901c074b5fc5011d85c7c07a7c3134d2625ea7bfab60f0cdaf422d200fb9a3c05a30b29
- \Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  MD5: b2bbe95f39b1fa0ebaa00d29041e81ba
  SHA1: 197b85e8d120d623a2b5b2d9357096042232ab7d
  SHA256: ddc739b6d73bd1dc3f6cd7be4daced463081b6a8baffd3fee7931f529e9c23fd
  SHA512: 88152164f1287bb17bda63721451af814c0c60873c8e66a619b0c1433901c074b5fc5011d85c7c07a7c3134d2625ea7bfab60f0cdaf422d200fb9a3c05a30b29
- memory/1220-62-0x000000013F800000-0x000000014017B000-memory.dmp
  Filesize: 9.5MB
- memory/1220-63-0x000000013F800000-0x000000014017B000-memory.dmp
  Filesize: 9.5MB
- memory/1220-64-0x000000013F800000-0x000000014017B000-memory.dmp
  Filesize: 9.5MB
- memory/1688-54-0x000000013F4A0000-0x000000013FE1B000-memory.dmp
  Filesize: 9.5MB
- memory/1688-55-0x000000013F4A0000-0x000000013FE1B000-memory.dmp
  Filesize: 9.5MB
- memory/1688-56-0x000000013F4A0000-0x000000013FE1B000-memory.dmp
  Filesize: 9.5MB
- memory/1688-57-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
  Filesize: 8KB