Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-02-2022 11:39
General
-
Target
mavens.exe
-
Size
3.4MB
-
MD5
1445a079cffefabf92f9ee3d2c2c9c88
-
SHA1
c1ab03fa2e44bafa4017246b2f5fc96852fe8364
-
SHA256
d3aad4415b67f005f10853d19d7560f2ce3e9b85d41e87c278a6635e05996907
-
SHA512
7e809d7cc0e6f29c275ca50c7f590f30fc627de98f9bcf9a6c20ef1929c917dd5f38df9f8d6bee5dd035816cbb18f37512928b6e15efcbaf05b96da0579e95db
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mavens.exe"C:\Users\Admin\AppData\Local\Temp\mavens.exe"1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
1445a079cffefabf92f9ee3d2c2c9c88
SHA1c1ab03fa2e44bafa4017246b2f5fc96852fe8364
SHA256d3aad4415b67f005f10853d19d7560f2ce3e9b85d41e87c278a6635e05996907
SHA5127e809d7cc0e6f29c275ca50c7f590f30fc627de98f9bcf9a6c20ef1929c917dd5f38df9f8d6bee5dd035816cbb18f37512928b6e15efcbaf05b96da0579e95db
-
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
1445a079cffefabf92f9ee3d2c2c9c88
SHA1c1ab03fa2e44bafa4017246b2f5fc96852fe8364
SHA256d3aad4415b67f005f10853d19d7560f2ce3e9b85d41e87c278a6635e05996907
SHA5127e809d7cc0e6f29c275ca50c7f590f30fc627de98f9bcf9a6c20ef1929c917dd5f38df9f8d6bee5dd035816cbb18f37512928b6e15efcbaf05b96da0579e95db
-
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
1445a079cffefabf92f9ee3d2c2c9c88
SHA1c1ab03fa2e44bafa4017246b2f5fc96852fe8364
SHA256d3aad4415b67f005f10853d19d7560f2ce3e9b85d41e87c278a6635e05996907
SHA5127e809d7cc0e6f29c275ca50c7f590f30fc627de98f9bcf9a6c20ef1929c917dd5f38df9f8d6bee5dd035816cbb18f37512928b6e15efcbaf05b96da0579e95db
-
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
1445a079cffefabf92f9ee3d2c2c9c88
SHA1c1ab03fa2e44bafa4017246b2f5fc96852fe8364
SHA256d3aad4415b67f005f10853d19d7560f2ce3e9b85d41e87c278a6635e05996907
SHA5127e809d7cc0e6f29c275ca50c7f590f30fc627de98f9bcf9a6c20ef1929c917dd5f38df9f8d6bee5dd035816cbb18f37512928b6e15efcbaf05b96da0579e95db
-
memory/332-62-0x000000013F900000-0x0000000140226000-memory.dmpFilesize
9.1MB
-
memory/332-63-0x000000013F900000-0x0000000140226000-memory.dmpFilesize
9.1MB
-
memory/1520-54-0x000000013F8F0000-0x0000000140216000-memory.dmpFilesize
9.1MB
-
memory/1520-55-0x000000013F8F0000-0x0000000140216000-memory.dmpFilesize
9.1MB
-
memory/1520-56-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmpFilesize
8KB
-
memory/1520-57-0x0000000077B90000-0x0000000077B92000-memory.dmpFilesize
8KB