Analysis
- max time kernel: 129s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-02-2022 13:49
Static task: static1
Behavioral task: behavioral1
Sample: 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
Resource: win7-en-20211208
General
- Target: 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
- Size: 6.0MB
- MD5: 910713f54a0416c342cc46bbed1c53e3
- SHA1: 4363b9485c120676e5151974a4f682460a99d9d9
- SHA256: 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83
- SHA512: 7e67cf773c0cd4afeae39b9a75e688d8c95f233fa8b0a40c1b07a786e4a108811e3a44acfb4b75a25ceae3dd2f15236b0c09ea272ea5621e1ddd8274ab2ccb50
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1788 created 1256 | 1788 | WerFault.exe | cleoidvp.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM; 2 TTPs)
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    4716 | before.exe
    1256 | cleoidvp.exe
    2368 | IntelRapid.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | before.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | before.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cleoidvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cleoidvp.exe
- Drops startup file (1 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk | before.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    4020 | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
- YARA rule matches
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\droopt\before.exe | themida
    C:\Users\Admin\AppData\Local\Temp\droopt\before.exe | themida
    C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe | themida
    C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe | themida
    behavioral2/memory/4716-135-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp | themida
    behavioral2/memory/4716-136-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp | themida
    behavioral2/memory/4716-138-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | themida
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | themida
    behavioral2/memory/2368-141-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp | themida
    behavioral2/memory/2368-142-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp | themida
    behavioral2/memory/2368-143-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp | themida
    behavioral2/memory/1256-144-0x00000000007F0000-0x0000000000EB1000-memory.dmp | themida
    behavioral2/memory/1256-145-0x00000000007F0000-0x0000000000EB1000-memory.dmp | themida
    behavioral2/memory/1256-146-0x00000000007F0000-0x0000000000EB1000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | before.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelRapid.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cleoidvp.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    26 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid | process):
    4716 | before.exe
    2368 | IntelRapid.exe
    1256 | cleoidvp.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\foler\olader\acledit.dll | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
    File created | C:\Program Files (x86)\foler\olader\acppage.dll | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
    File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe
- Drops file in Windows directory (9 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid | pid_target | process | target process):
    3136 | 1256 | WerFault.exe | cleoidvp.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cleoidvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cleoidvp.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
    2368 | IntelRapid.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    1256 | cleoidvp.exe
    1256 | cleoidvp.exe
    3136 | WerFault.exe
    3136 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process), the 64 rows collapsed to a count per token and process:
    Token: SeShutdownPrivilege | 1524 | svchost.exe (3 rows)
    Token: SeCreatePagefilePrivilege | 1524 | svchost.exe (3 rows)
    Token: SeRestorePrivilege | 3136 | WerFault.exe (1 row)
    Token: SeBackupPrivilege | 3136 | WerFault.exe (2 rows)
    Token: SeSecurityPrivilege | 4300 | TiWorker.exe (18 rows)
    Token: SeRestorePrivilege | 4300 | TiWorker.exe (18 rows)
    Token: SeBackupPrivilege | 4300 | TiWorker.exe (19 rows)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4020 wrote to memory of 4716 | 4020 | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe | before.exe
    PID 4020 wrote to memory of 4716 | 4020 | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe | before.exe
    PID 4020 wrote to memory of 1256 | 4020 | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe | cleoidvp.exe
    PID 4020 wrote to memory of 1256 | 4020 | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe | cleoidvp.exe
    PID 4020 wrote to memory of 1256 | 4020 | 4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe | cleoidvp.exe
    PID 4716 wrote to memory of 2368 | 4716 | before.exe | IntelRapid.exe
    PID 4716 wrote to memory of 2368 | 4716 | before.exe | IntelRapid.exe
    PID 1788 wrote to memory of 1256 | 1788 | WerFault.exe | cleoidvp.exe
    PID 1788 wrote to memory of 1256 | 1788 | WerFault.exe | cleoidvp.exe
Processes (process tree; indentation shows the parent/child depth reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4634c70711270fa33ac44c43db967cc85b7e273aa47eabd07eaf7f215c89af83.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\droopt\before.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\droopt\before.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
  - C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1340
      - Drops file in Windows directory
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1256 -ip 1256
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\droopt\before.exe
  MD5: a5f561f29f736a1f99ef726773628fa3
  SHA1: acf172fa11ee345a6041784ef9f1021307f598dd
  SHA256: 333acbfe28976ee28514bb425c2c461026572d0003a7378fba366716e408d822
  SHA512: ff75d12f607e407d190802be88f319cc6750f3898bc411199f3fd6976e24ed55296fed7ef562f97cbeb61cb1c0b3b635fba999c0780561c2f5a1b88d2b56160c
- C:\Users\Admin\AppData\Local\Temp\droopt\cleoidvp.exe
  MD5: fda089a638a02b64c5175fbed3e4918b
  SHA1: eef6c75a650b5d1f2f34b988fc88ceb328312c15
  SHA256: f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f
  SHA512: 7a9d15d37fa40898b49015f457546439a61ba7ba644b082d1c6bd0f10a6a7fded631937e255839beadf966c6577650f30601333bbb852a1a9625d1e561355c96
- C:\Users\Admin\AppData\Local\Temp\nsi6DEB.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  MD5: a5f561f29f736a1f99ef726773628fa3
  SHA1: acf172fa11ee345a6041784ef9f1021307f598dd
  SHA256: 333acbfe28976ee28514bb425c2c461026572d0003a7378fba366716e408d822
  SHA512: ff75d12f607e407d190802be88f319cc6750f3898bc411199f3fd6976e24ed55296fed7ef562f97cbeb61cb1c0b3b635fba999c0780561c2f5a1b88d2b56160c
Memory dumps (resource | filesize):
- memory/1256-145-0x00000000007F0000-0x0000000000EB1000-memory.dmp | 6.8MB
- memory/1256-147-0x00000000778C4000-0x00000000778C6000-memory.dmp | 8KB
- memory/1256-146-0x00000000007F0000-0x0000000000EB1000-memory.dmp | 6.8MB
- memory/1256-144-0x00000000007F0000-0x0000000000EB1000-memory.dmp | 6.8MB
- memory/1524-148-0x000002A748B20000-0x000002A748B30000-memory.dmp | 64KB
- memory/1524-149-0x000002A748B80000-0x000002A748B90000-memory.dmp | 64KB
- memory/1524-150-0x000002A74B260000-0x000002A74B264000-memory.dmp | 16KB
- memory/2368-141-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp | 9.1MB
- memory/2368-142-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp | 9.1MB
- memory/2368-143-0x00007FF73D0D0000-0x00007FF73D9E9000-memory.dmp | 9.1MB
- memory/4716-136-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp | 9.1MB
- memory/4716-135-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp | 9.1MB
- memory/4716-137-0x00007FFEA21F0000-0x00007FFEA21F2000-memory.dmp | 8KB
- memory/4716-138-0x00007FF7CF7C0000-0x00007FF7D00D9000-memory.dmp | 9.1MB