6c7ec50485943ef850a67df20d7903522566f00e16506c1c03a772b9dc6bebd2

Analysis

max time kernel
111s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

remedy.exe
Size

3.5MB
MD5

163219e1c4f789b48114bc15e4fc598e
SHA1

e9cb9216bb0c52c8c77314c7a68381f46865dacc
SHA256

0bab70088222eb4e9ca0a4b40e6a5476575396af88be6796e856b2d640c32724
SHA512

176a80700127f07790586863827bda4da21439647c57ab8857d124b142f0eb9682ee57c1ea7d83c2372389fb5f35e068eb77385c0e9eac574c8363b6d2e3d8e6
SSDEEP

98304:8afLxoNrXcY9vY5xVUAMcj8drwf7BYnO2wGG8:VzxodXcY9vYrVUpcwdrwVBGX

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

remedy.exeIntelRapid.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	remedy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelRapid.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

remedy.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remedy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remedy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

remedy.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk remedy.exe
Executes dropped EXE 1 IoCs

Processes:

IntelRapid.exe

pid process

4032 IntelRapid.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	remedy.exe

pid	process
4032	IntelRapid.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral18/memory/4752-0-0x00007FF690290000-0x00007FF690BFF000-memory.dmp	themida
behavioral18/memory/4752-2-0x00007FF690290000-0x00007FF690BFF000-memory.dmp	themida
behavioral18/memory/4752-3-0x00007FF690290000-0x00007FF690BFF000-memory.dmp	themida
behavioral18/memory/4752-4-0x00007FF690290000-0x00007FF690BFF000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral18/memory/4032-12-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp	themida
behavioral18/memory/4752-13-0x00007FF690290000-0x00007FF690BFF000-memory.dmp	themida
behavioral18/memory/4032-14-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp	themida
behavioral18/memory/4032-16-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp	themida
behavioral18/memory/4032-17-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp	themida
behavioral18/memory/4032-18-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp	themida
behavioral18/memory/4032-24-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

remedy.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	remedy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

remedy.exeIntelRapid.exe

pid process

4752 remedy.exe
4032 IntelRapid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

4032 IntelRapid.exe

pid	process
4752	remedy.exe
4032	IntelRapid.exe

pid	process
4032	IntelRapid.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

remedy.exe

description	pid	process	target process
PID 4752 wrote to memory of 4032	4752	remedy.exe	IntelRapid.exe
PID 4752 wrote to memory of 4032	4752	remedy.exe	IntelRapid.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\remedy.exe
"C:\Users\Admin\AppData\Local\Temp\remedy.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
  "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

Filesize
3.5MB

MD5
163219e1c4f789b48114bc15e4fc598e

SHA1
e9cb9216bb0c52c8c77314c7a68381f46865dacc

SHA256
0bab70088222eb4e9ca0a4b40e6a5476575396af88be6796e856b2d640c32724

SHA512
176a80700127f07790586863827bda4da21439647c57ab8857d124b142f0eb9682ee57c1ea7d83c2372389fb5f35e068eb77385c0e9eac574c8363b6d2e3d8e6

Download Submit
memory/4032-14-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp

Filesize
9.4MB

Download
memory/4032-17-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp

Filesize
9.4MB

Download
memory/4032-24-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp

Filesize
9.4MB

Download
memory/4032-20-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/4032-18-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp

Filesize
9.4MB

Download
memory/4032-12-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp

Filesize
9.4MB

Download
memory/4032-16-0x00007FF666EC0000-0x00007FF66782F000-memory.dmp

Filesize
9.4MB

Download
memory/4032-15-0x00007FFBDBA10000-0x00007FFBDBC05000-memory.dmp

Filesize
2.0MB

Download
memory/4752-0-0x00007FF690290000-0x00007FF690BFF000-memory.dmp

Filesize
9.4MB

Download
memory/4752-13-0x00007FF690290000-0x00007FF690BFF000-memory.dmp

Filesize
9.4MB

Download
memory/4752-2-0x00007FF690290000-0x00007FF690BFF000-memory.dmp

Filesize
9.4MB

Download
memory/4752-1-0x00007FFBDBAB0000-0x00007FFBDBAB2000-memory.dmp

Filesize
8KB

Download
memory/4752-4-0x00007FF690290000-0x00007FF690BFF000-memory.dmp

Filesize
9.4MB

Download
memory/4752-3-0x00007FF690290000-0x00007FF690BFF000-memory.dmp

Filesize
9.4MB

Download