Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
15-08-2024 15:32
Static task
static1
Behavioral task
behavioral1
Sample
6639540418063f3317b273d87be5fa90N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
6639540418063f3317b273d87be5fa90N.exe
Resource
win10v2004-20240802-en
General
-
Target
6639540418063f3317b273d87be5fa90N.exe
-
Size
204KB
-
MD5
6639540418063f3317b273d87be5fa90
-
SHA1
0b724a95359c4c88bfbeceb5222a940e26a87277
-
SHA256
4178834695d7a474e0f32c4460e6df08382b5db972bad15704453d0a3cd621e2
-
SHA512
bfda619f5bdf3183b3e5e87f07ac11927e43bedfc9a88f72fbee5f59fb88a327b5a50d7e723ced4c8aec1849bc81e22c2f6421dd2e3f8c3e3071961510485bb9
-
SSDEEP
6144:KVGdPRAFDiJuzdv4PSMBV+UdvrEFp7hK8xc:KV4PSBagdw6MBjvrEH7Zxc
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
resource                                    yara_rule
behavioral1/files/0x000b000000012264-2.dat  floxif -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource                                    yara_rule
behavioral1/files/0x000b000000012264-2.dat  acprotect -
Executes dropped EXE 1 IoCs
pid   Process
2728  hotfix.exe -
Loads dropped DLL 6 IoCs
pid   Process
676   6639540418063f3317b273d87be5fa90N.exe
676   6639540418063f3317b273d87be5fa90N.exe
2728  hotfix.exe
2728  hotfix.exe
2728  hotfix.exe
676   6639540418063f3317b273d87be5fa90N.exe -
UPX-packed resource (yara rule upx) 4 IoCs
resource                                                      yara_rule
behavioral1/files/0x000b000000012264-2.dat                    upx
behavioral1/memory/676-4-0x0000000010000000-0x0000000010030000-memory.dmp   upx
behavioral1/memory/676-37-0x0000000010000000-0x0000000010030000-memory.dmp  upx
behavioral1/memory/676-49-0x0000000010000000-0x0000000010030000-memory.dmp  upx -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                                                        Process
File opened (read-only)  \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k:   6639540418063f3317b273d87be5fa90N.exe
                         \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s:
                         \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
(23 drive roots: every letter except c:, d: and f:; each opened once by PID 676) -
Drops file in Program Files directory 2 IoCs
description   ioc                                                          Process
File created  C:\Program Files\Common Files\System\symsrv.dll              6639540418063f3317b273d87be5fa90N.exe
File created  \??\c:\program files\common files\system\symsrv.dll.000      6639540418063f3317b273d87be5fa90N.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   6639540418063f3317b273d87be5fa90N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   hotfix.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
676   6639540418063f3317b273d87be5fa90N.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description                 pid   Process
Token: SeDebugPrivilege     676   6639540418063f3317b273d87be5fa90N.exe
Token: SeRestorePrivilege   2728  hotfix.exe   (7 occurrences) -
Suspicious use of WriteProcessMemory 7 IoCs
description                       pid   Process                                procid_target
PID 676 wrote to memory of 2728   676   6639540418063f3317b273d87be5fa90N.exe  30   (7 occurrences)
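The signature tables above are flattened one-line dumps that are hard to read and harder to query. As an added example (it is not part of the sandbox report and not the sandbox's own code), the Python below re-parses those rows, reconstructed here as constructed input taken from this report, and applies the checks a triage analyst would want over them: mass opening of drive roots, the symsrv.dll drop under Program Files\Common Files\System that this report records, the NLS\Language read, the SeDebugPrivilege/SeRestorePrivilege token adjustments, and the parent-to-child relationship implied by the WriteProcessMemory rows. The drive-root threshold of 3 and the finding tags are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed input: the IoC rows from this report's signature tables, one row per
# line, in the flattened "description ioc Process" form the report prints.
SAMPLE = "6639540418063f3317b273d87be5fa90N.exe"
DROPPED = "hotfix.exe"
DRIVES = "e j n w z g r s o x b h k m p q t u a i l v y".split()   # the 23 roots opened
NLS_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"

IOC_ROWS = (
    [f"File opened (read-only) \\??\\{d}: {SAMPLE}" for d in DRIVES]
    + [
        f"File created C:\\Program Files\\Common Files\\System\\symsrv.dll {SAMPLE}",
        f"File created \\??\\c:\\program files\\common files\\system\\symsrv.dll.000 {SAMPLE}",
        f"Key opened {NLS_KEY} {SAMPLE}",
        f"Key opened {NLS_KEY} {DROPPED}",
        f"Token: SeDebugPrivilege 676 {SAMPLE}",
    ]
    + [f"Token: SeRestorePrivilege 2728 {DROPPED}"] * 7
    + [f"PID 676 wrote to memory of 2728 676 {SAMPLE} 30"] * 7
)

RE_DRIVE = re.compile(r"^File opened \(read-only\) \\\?\?\\([a-z]): (\S+)$")
RE_CREATE = re.compile(r"^File created (.+) (\S+)$")   # greedy path; last token is the process
RE_KEY = re.compile(r"^Key opened (\S+) (\S+)$")
RE_TOKEN = re.compile(r"^Token: (Se\w+Privilege) (\d+) (\S+)$")
RE_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")

DRIVE_THRESHOLD = 3   # assumption: >=3 non-C: drive roots opened by one process counts as enumeration
PRIVS_OF_INTEREST = {"SeDebugPrivilege", "SeRestorePrivilege"}


def parse_rows(rows):
    """Turn flattened signature rows into per-process structures; rows that match nothing are ignored."""
    ev = {
        "drives": defaultdict(set),    # process -> drive letters whose root it opened
        "created": [],                 # (path, process)
        "keys": defaultdict(set),      # process -> registry keys opened
        "tokens": defaultdict(set),    # pid -> privileges enabled via AdjustTokenPrivileges
        "children": defaultdict(set),  # parent pid -> pids it wrote into
    }
    for row in rows:
        if m := RE_DRIVE.match(row):
            ev["drives"][m[2]].add(m[1])
        elif m := RE_CREATE.match(row):
            ev["created"].append((m[1], m[2]))
        elif m := RE_KEY.match(row):
            ev["keys"][m[2]].add(m[1])
        elif m := RE_TOKEN.match(row):
            ev["tokens"][int(m[2])].add(m[1])
        elif m := RE_WPM.match(row):
            ev["children"][int(m[1])].add(int(m[2]))
    return ev


def findings(ev):
    """Apply the checks and return a list of tagged one-line findings."""
    out = []
    for proc, letters in ev["drives"].items():
        non_sys = sorted(letters - {"c"})
        if len(non_sys) >= DRIVE_THRESHOLD:
            out.append(f"drive-enumeration: {proc} opened {len(non_sys)} drive roots ({''.join(non_sys)})")
    for path, proc in ev["created"]:
        p = path.lower().replace("\\??\\", "")   # strip the NT object-manager prefix before matching
        if "\\program files\\common files\\system\\" in p and p.rsplit("\\", 1)[-1].startswith("symsrv.dll"):
            out.append(f"symsrv-drop: {proc} created {path}")
    for proc, keys in ev["keys"].items():
        if any(k.lower().endswith("\\control\\nls\\language") for k in keys):
            out.append(f"language-discovery: {proc} read the NLS\\Language key")
    for pid, privs in ev["tokens"].items():
        for priv in sorted(privs & PRIVS_OF_INTEREST):
            out.append(f"privilege: pid {pid} enabled {priv}")
    for parent, kids in ev["children"].items():
        for kid in sorted(kids):
            out.append(f"process-tree: {parent} -> {kid} (parent wrote into child memory)")
    return out


if __name__ == "__main__":
    for line in findings(parse_rows(IOC_ROWS)):
        print(line)
```

Run as-is it yields eight findings for this report: one drive-enumeration hit covering all 23 roots, two symsrv.dll creations, one language-discovery hit per process, SeDebugPrivilege on PID 676, SeRestorePrivilege on PID 2728, and the 676 -> 2728 edge. Feeding it the rows from another report of the same format is the intended use; the per-process sets deduplicate the repeated token and WriteProcessMemory rows so counts reflect distinct behaviours rather than how many times the sandbox logged them.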
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6639540418063f3317b273d87be5fa90N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6639540418063f3317b273d87be5fa90N.exe"
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676 -
2. \??\c:\temp\ext36642\hotfix.exe (child of PID 676)
   Command line: c:\temp\ext36642\hotfix.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  182KB
MD5       27769ab09f7b16ea958b71aa772ffc58
SHA1      6809c31a9d194498d39365f32613e43c59766537
SHA256    a746d38dc99564420fd176714d69016f820c413db947eae29e37be5c261f0d84
SHA512    e7a702f099ba986cf2d11ebfc522f5401a17271871b8543f87fac07afbffa42d7593cccfb1fb52e4527829bd5e1370249360067d474e283ddd64b4b2e6d918c2
-
Filesize  17KB
MD5       639176bb485ffed1372c6f6b290c00cd
SHA1      92a71862ce7564f92a1b00fd988191e4bbf13175
SHA256    2a2f1a38a91fe63ca0023413fc0e2d81aeb86e7bb811a7be114dd2f995e2523e
SHA512    83904cdf44b04454021f25b745d2b1292c69fe710d1457104ce3b011c0e025c34110015e39274227d3e177b59f8c7ece5b52d83b3ddaa2ed6b70963cfc5de043
-
Filesize  67KB
MD5       7574cf2c64f35161ab1292e2f532aabf
SHA1      14ba3fa927a06224dfe587014299e834def4644f
SHA256    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize  105KB
MD5       e1f9e0c91d35efd132f08aa53af8ed6c
SHA1      c129eff999749dad700460e8f0d799d0c7863214
SHA256    0451e69d256acf67745c3918180c0d376a1cbee803951cd57c48e289b5b6a4ae
SHA512    6883b7336a5c6c67e43849fa009b6a6d5a95b8b2a3490e306255aa3b809f567953233912a04138c2844864d8348a321da4ee895d3349ed1fd8bbb091c06cf353