Analysis
- max time kernel: 373s
- max time network: 358s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 14:11
Static task: static1
Behavioral task: behavioral1
  Sample: ACTIVATE____SETUP__4695.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ACTIVATE____SETUP__4695.exe
  Resource: win10-en-20211208
Behavioral task: behavioral3
  Sample: ACTIVATE____SETUP__4695.exe
  Resource: win11
General
- Target: ACTIVATE____SETUP__4695.exe
- Size: 744KB
- MD5: 849bf640bf914ec675b9477a802a22f9
- SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24
- SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
- SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1392  Accostarmi.exe.pif
    876   File1.exe
    1688  IntelRapid.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  File1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   File1.exe
- Drops startup file (1 IoC)
  Processes:
    description   ioc                                                                                          process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk  File1.exe
- Loads dropped DLL (7 IoCs)
  Processes:
    pid   process
    1392  Accostarmi.exe.pif (listed 7 times)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches (yara_rule: themida)
  Processes:
    resource                                                                  yara_rule
    C:\Users\Admin\AppData\Local\Temp\File1.exe                               themida
    C:\Users\Admin\AppData\Local\Temp\File1.exe                               themida
    behavioral2/memory/876-130-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp    themida
    behavioral2/memory/876-131-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp    themida
    behavioral2/memory/876-132-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp    themida
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                 themida
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe                 themida
    behavioral2/memory/1688-135-0x00007FF60B940000-0x00007FF60C238000-memory.dmp   themida
    behavioral2/memory/1688-136-0x00007FF60B940000-0x00007FF60C238000-memory.dmp   themida
    behavioral2/memory/1688-137-0x00007FF60B940000-0x00007FF60C238000-memory.dmp   themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                         process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  File1.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  IntelRapid.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    876   File1.exe
    1688  IntelRapid.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Accostarmi.exe.pif
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Accostarmi.exe.pif
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid   process
    3336  timeout.exe
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes:
    pid   process
    2212  tasklist.exe
    2660  tasklist.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1688  IntelRapid.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2212  tasklist.exe
    Token: SeDebugPrivilege  2660  tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid   process
    1392  Accostarmi.exe.pif (listed 3 times)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid   process
    1392  Accostarmi.exe.pif (listed 3 times)
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes (each row is "PID <pid> wrote to memory of <target pid>"; the count column gives how many times the row appears in the report, 40 rows in total):
    pid   target pid  process                      target process      count
    2712  2416        ACTIVATE____SETUP__4695.exe  dllhost.exe         3
    2712  580         ACTIVATE____SETUP__4695.exe  cmd.exe             3
    580   2220        cmd.exe                      cmd.exe             3
    2220  2212        cmd.exe                      tasklist.exe        3
    2220  3460        cmd.exe                      find.exe            3
    2220  2660        cmd.exe                      tasklist.exe        3
    2220  1684        cmd.exe                      find.exe            3
    2220  1552        cmd.exe                      findstr.exe         3
    2220  1392        cmd.exe                      Accostarmi.exe.pif  3
    2220  1192        cmd.exe                      waitfor.exe         3
    1392  876         Accostarmi.exe.pif           File1.exe           2
    1392  2980        Accostarmi.exe.pif           cmd.exe             3
    2980  3336        cmd.exe                      timeout.exe         3
    876   1688        File1.exe                    IntelRapid.exe      2
Processes
(indentation shows the parent/child relationship; the number in brackets is the depth of the process in the tree)

- [1] C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\dllhost.exe
        Command line: "C:\Windows\System32\dllhost.exe"
  - [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cmd < Nel.xls
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist /FI "imagename eq BullGuardCore.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\find.exe
            Command line: find /I /N "bullguardcore.exe"
      - [4] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist /FI "imagename eq PSUAService.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\find.exe
            Command line: find /I /N "psuaservice.exe"
      - [4] C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^HSpZWdXvufzDAYGXjZABuYRJLvHBPEtTIkAzCKbYUuhbCfMdrpLnpmdIqmgmIvGBkAVfbjxBBCGZLxicKsnFSFJoVSzecYfbmLjezbSQPlXHSd$" Questo.xls
      - [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
            Command line: Accostarmi.exe.pif x
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\File1.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\File1.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Drops startup file
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
                - Executes dropped EXE
                - Checks BIOS information in registry
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: AddClipboardFormatListener
        - [5] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif"
              - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\timeout.exe
                Command line: timeout /t 3
                - Delays execution with timeout.exe
      - [4] C:\Windows\SysWOW64\waitfor.exe
            Command line: waitfor /t 5 aRUpIzAL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nel.xls
  MD5: a338f121bc7c0acf5f297bf85f150b7f
  SHA1: b1b4dd45417c0907dabf3cd93ea6410c73df5325
  SHA256: 4556a5e53c426abe5565342d9b091134ebc4aaaedafb00454f0a248ff78e1668
  SHA512: fa6b633dd69bf0cc195b093417001517e3dbe22f516109a4180d853849741b44fe8fc00264135ab8686512dc8b58a01b7727f8c3a89de121b6a176a14f0485c0
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questo.xls
  MD5: 0d8fea82e82b1fa16b1dc714d106830c
  SHA1: ee9b15e9c380bbd6ac6431aae8f4625fecb77bec
  SHA256: 36c088f98ef9b8fe659e23f01a15c72b6b9824faedbfd9ae78e00de536f80ed6
  SHA512: de6dd75f8086aee2a50f4042586400b563dfe5a551195567a7ba3caaaf7c80342f47c6b452f1a97118b02eaf984c2cf350fbc2bf5b0194c6f147f84f3d268494
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vorrei.xls
  MD5: cee0255c4b09a8487fb1d965c91b2769
  SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
  SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
  SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\x
  MD5: cee0255c4b09a8487fb1d965c91b2769
  SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
  SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
  SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328
- C:\Users\Admin\AppData\Local\Temp\File1.exe
  MD5: 1dc6fde69a188e99f72f3056d68fd77e
  SHA1: 044dbfb0e1b6af5dde72642aeae275c66cae2a9f
  SHA256: 1badce500780c24041071f723bb97f728a57801333984eb1be52a509c2607913
  SHA512: f94b4fb9d9270f71627a669db6b8eeabf571d6899ad5c787a32fc2fa2eca26224e0c728e0699d9bb0c6a926b1bdb56ad6b410f26f3cb8262bd4488c9fc3f2bf4
- C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  MD5: 1dc6fde69a188e99f72f3056d68fd77e
  SHA1: 044dbfb0e1b6af5dde72642aeae275c66cae2a9f
  SHA256: 1badce500780c24041071f723bb97f728a57801333984eb1be52a509c2607913
  SHA512: f94b4fb9d9270f71627a669db6b8eeabf571d6899ad5c787a32fc2fa2eca26224e0c728e0699d9bb0c6a926b1bdb56ad6b410f26f3cb8262bd4488c9fc3f2bf4
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\gQCSdkwXO.dll
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
- memory/876-131-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp
  Filesize: 9.0MB
- memory/876-132-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp
  Filesize: 9.0MB
- memory/876-130-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp
  Filesize: 9.0MB
- memory/1688-135-0x00007FF60B940000-0x00007FF60C238000-memory.dmp
  Filesize: 9.0MB
- memory/1688-136-0x00007FF60B940000-0x00007FF60C238000-memory.dmp
  Filesize: 9.0MB
- memory/1688-137-0x00007FF60B940000-0x00007FF60C238000-memory.dmp
  Filesize: 9.0MB