af9545784edefd0e644ebd910a6f09fe4def979483fe5058e8c92716e40c5f19

General

Target

Open___Full__Setup__3456.exe
Size

2.5MB
MD5

bb2e28ec4f00491a1678c0d2772ddd68
SHA1

0217f0c082acc73a472a51eef7b1a7b2dffd3d1d
SHA256

af9545784edefd0e644ebd910a6f09fe4def979483fe5058e8c92716e40c5f19
SHA512

afd5704e40b80881a492e5d76ce9ce8c7c2dc6bada6399a461cc9627204dd69820b41afd9ca821d873b14b00ba3d308bda469a06f9b0cc2717cfedff903b9087

Score

9^/10

discovery evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

File1.exeIntelRapid.exe

pid process

3100 File1.exe
1340 IntelRapid.exe

pid	process
3100	File1.exe
1340	IntelRapid.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Open___Full__Setup__3456.exeFile1.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Open___Full__Setup__3456.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	File1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	File1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Open___Full__Setup__3456.exe

Drops startup file 1 IoCs

Processes:

File1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk File1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	File1.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1824-117-0x00000000009D0000-0x0000000001049000-memory.dmp	themida
behavioral2/memory/1824-118-0x00000000009D0000-0x0000000001049000-memory.dmp	themida
behavioral2/memory/1824-120-0x00000000009D0000-0x0000000001049000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\File1.exe	themida
C:\Users\Admin\AppData\Local\Temp\File1.exe	themida
behavioral2/memory/3100-279-0x00007FF690470000-0x00007FF690D84000-memory.dmp	themida
behavioral2/memory/3100-280-0x00007FF690470000-0x00007FF690D84000-memory.dmp	themida
behavioral2/memory/3100-281-0x00007FF690470000-0x00007FF690D84000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/1340-284-0x00007FF63E330000-0x00007FF63EC44000-memory.dmp	themida
behavioral2/memory/1340-285-0x00007FF63E330000-0x00007FF63EC44000-memory.dmp	themida
behavioral2/memory/1340-286-0x00007FF63E330000-0x00007FF63EC44000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Open___Full__Setup__3456.exeFile1.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Open___Full__Setup__3456.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	File1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Open___Full__Setup__3456.exeFile1.exeIntelRapid.exe

pid process

1824 Open___Full__Setup__3456.exe
3100 File1.exe
1340 IntelRapid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1824	Open___Full__Setup__3456.exe
3100	File1.exe
1340	IntelRapid.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Open___Full__Setup__3456.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Open___Full__Setup__3456.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Open___Full__Setup__3456.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1340 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Open___Full__Setup__3456.exe

pid process

1824 Open___Full__Setup__3456.exe
1824 Open___Full__Setup__3456.exe

pid	process
1340	IntelRapid.exe

pid	process
1824	Open___Full__Setup__3456.exe
1824	Open___Full__Setup__3456.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Open___Full__Setup__3456.exeFile1.exe

description	pid	process	target process
PID 1824 wrote to memory of 3100	1824	Open___Full__Setup__3456.exe	File1.exe
PID 1824 wrote to memory of 3100	1824	Open___Full__Setup__3456.exe	File1.exe
PID 3100 wrote to memory of 1340	3100	File1.exe	IntelRapid.exe
PID 3100 wrote to memory of 1340	3100	File1.exe	IntelRapid.exe

C:\Users\Admin\AppData\Local\Temp\Open___Full__Setup__3456.exe
"C:\Users\Admin\AppData\Local\Temp\Open___Full__Setup__3456.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\File1.exe
"C:\Users\Admin\AppData\Local\Temp\File1.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File1.exe
MD5
f2343615c2cc5b73ac545ed9e8b5cbb5

SHA1
c035d0e8d0ea08fcf46516a424cd3a5fdc118d88

SHA256
1c02a87dc806fc74d06f77aad34c3d77f1a6f62aaf387e23c5576ee509c330dd

SHA512
110e72dfd3e7d96090d21db504359b12a2c4a7fa4e29c761b4b87ed4343d257023506776d53cb91e1d1e121865c04e82f087b7126992931db08995427ea69e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\File1.exe
MD5
f2343615c2cc5b73ac545ed9e8b5cbb5

SHA1
c035d0e8d0ea08fcf46516a424cd3a5fdc118d88

SHA256
1c02a87dc806fc74d06f77aad34c3d77f1a6f62aaf387e23c5576ee509c330dd

SHA512
110e72dfd3e7d96090d21db504359b12a2c4a7fa4e29c761b4b87ed4343d257023506776d53cb91e1d1e121865c04e82f087b7126992931db08995427ea69e44

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
f2343615c2cc5b73ac545ed9e8b5cbb5

SHA1
c035d0e8d0ea08fcf46516a424cd3a5fdc118d88

SHA256
1c02a87dc806fc74d06f77aad34c3d77f1a6f62aaf387e23c5576ee509c330dd

SHA512
110e72dfd3e7d96090d21db504359b12a2c4a7fa4e29c761b4b87ed4343d257023506776d53cb91e1d1e121865c04e82f087b7126992931db08995427ea69e44

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
f2343615c2cc5b73ac545ed9e8b5cbb5

SHA1
c035d0e8d0ea08fcf46516a424cd3a5fdc118d88

SHA256
1c02a87dc806fc74d06f77aad34c3d77f1a6f62aaf387e23c5576ee509c330dd

SHA512
110e72dfd3e7d96090d21db504359b12a2c4a7fa4e29c761b4b87ed4343d257023506776d53cb91e1d1e121865c04e82f087b7126992931db08995427ea69e44

Download Submit
memory/1340-286-0x00007FF63E330000-0x00007FF63EC44000-memory.dmp

Filesize
9.1MB

Download
memory/1340-285-0x00007FF63E330000-0x00007FF63EC44000-memory.dmp

Filesize
9.1MB

Download
memory/1340-284-0x00007FF63E330000-0x00007FF63EC44000-memory.dmp

Filesize
9.1MB

Download
memory/1824-120-0x00000000009D0000-0x0000000001049000-memory.dmp

Filesize
6.5MB

Download
memory/1824-117-0x00000000009D0000-0x0000000001049000-memory.dmp

Filesize
6.5MB

Download
memory/1824-119-0x00000000775C0000-0x000000007774E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-118-0x00000000009D0000-0x0000000001049000-memory.dmp

Filesize
6.5MB

Download
memory/3100-281-0x00007FF690470000-0x00007FF690D84000-memory.dmp

Filesize
9.1MB

Download
memory/3100-280-0x00007FF690470000-0x00007FF690D84000-memory.dmp

Filesize
9.1MB

Download
memory/3100-279-0x00007FF690470000-0x00007FF690D84000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads