Analysis Overview
SHA256
f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37
Threat Level: Known bad
The file f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37 was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
UPX packed file
Loads dropped DLL
Enumerates connected drives
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 06:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 06:35
Reported
2024-07-28 06:38
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe
"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe"
C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe
"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe" -el -s2 "-dX:\Tools\Portable_Vgo2000" "-sp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.18.44:80 | www.aieov.com | tcp |
Files
memory/2248-3-0x0000000010000000-0x0000000010030000-memory.dmp
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Users\Admin\AppData\Local\Temp\A1D26E2\EC04A908C8.tmp
| MD5 | 59910de3291fa9293f97d4999cd856bf |
| SHA1 | acca7c6f46ec8be28972c5f67194a98ea61f526b |
| SHA256 | 87aaf8c93652ce12efd8f4fcb2c3297c12378ae8cc6da3a4f409298270a30c36 |
| SHA512 | 34d6352629ad8023b2c52cf2d6feb801ce03a5e4bb29ea9c92c82a8b6f5b03ac2b4bbac8e5606e72baf1facf24370388a01cab586435a9dbfae9be8a1be00b81 |
memory/2712-12-0x0000000010000000-0x0000000010030000-memory.dmp
\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp
| MD5 | 05c748697954cd5693ee4bfaa84d6cb2 |
| SHA1 | 150fd9ede55901828664d08e8970c188c16d88fb |
| SHA256 | ddcecfcad5453679d3f1ca4a71e89d9dce4c0f65ddd60b8ca19d4679c65af3f1 |
| SHA512 | b6cc5b8a3640228eae0582c8c8508a6831da34c16613f7318e5c33fba0656948aa4864fd3a6f4980469b25ca81a695202807fa0f983eb24e488cecd2d901beff |
\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp
| MD5 | afee8d425af7853bee2f9bd11ebe49f6 |
| SHA1 | 50982a65b43299cb845fd6b484e5d9911f3e959b |
| SHA256 | 63cb0e76635388028def396334b2541e13928b18c935a2a5f40aaa91b0cb3a90 |
| SHA512 | c67a07f90b3868eca5804f37db83128e7eacd8d845a451e27a76a1b558d03bfecf389feaa0a1d7f10d99586af3f1a35684a649426a4b3ba1d683372ae631dbe6 |
memory/2712-33-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2712-31-0x0000000000AD0000-0x0000000000B6C000-memory.dmp
memory/2248-36-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2248-34-0x0000000000AD0000-0x0000000000B6C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 06:35
Reported
2024-07-28 06:38
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3580 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe |
| PID 3580 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe |
| PID 3580 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe
"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe"
C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe
"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe" -el -s2 "-dX:\Tools\Portable_Vgo2000" "-sp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 173.255.194.134:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.194.255.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 173.255.194.134:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/3580-3-0x0000000010000000-0x0000000010030000-memory.dmp
memory/3580-5-0x00000000006E3000-0x00000000006E4000-memory.dmp
memory/3580-6-0x00000000006E0000-0x000000000077C000-memory.dmp
memory/3580-10-0x00000000006E0000-0x000000000077C000-memory.dmp
memory/5088-14-0x0000000010000000-0x0000000010030000-memory.dmp
memory/5088-17-0x0000000002930000-0x0000000002960000-memory.dmp
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp
| MD5 | f7d534dc69f60ad1b658a56841639e47 |
| SHA1 | 435685cf125391818c74c084fc003e3fd97627e2 |
| SHA256 | 150bd9bfe6822219e71b977887e8b41ad7269144520c44389a9fc07e335bf464 |
| SHA512 | c31ceb5b594b6c703b8c7c962e8a897f288c41231ffeac821d278effd8151126a96cde7e9a1f0016392b5f88e99771caf1bcb8c6f09ed06a298287344884a664 |
C:\Users\Admin\AppData\Local\Temp\A1D26E2\C3FC7B413E0.tmp
| MD5 | 59910de3291fa9293f97d4999cd856bf |
| SHA1 | acca7c6f46ec8be28972c5f67194a98ea61f526b |
| SHA256 | 87aaf8c93652ce12efd8f4fcb2c3297c12378ae8cc6da3a4f409298270a30c36 |
| SHA512 | 34d6352629ad8023b2c52cf2d6feb801ce03a5e4bb29ea9c92c82a8b6f5b03ac2b4bbac8e5606e72baf1facf24370388a01cab586435a9dbfae9be8a1be00b81 |
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp
| MD5 | 8b1cd0fc4ae9980f8298031f18f7e5dd |
| SHA1 | aea17fe91c6dc82154ca818db3bb3e749d9c48d5 |
| SHA256 | 7dc1f71aa016930c5f5328da7fa65f915699723193cefe66587868a44060a5b9 |
| SHA512 | 10d4e6ffd2ae66a1bf0718e4f74d4819608b143d6e4d305cbc7155440efe4c8225e82b6c9c6b3165300ffd54154ab665959a5954494c425c3119f3f2e2f1a3c9 |
memory/5088-31-0x0000000010000000-0x0000000010030000-memory.dmp
memory/5088-30-0x00000000006E0000-0x000000000077C000-memory.dmp
memory/3580-33-0x00000000006E0000-0x000000000077C000-memory.dmp
memory/3580-35-0x0000000010000000-0x0000000010030000-memory.dmp