Analysis
- max time kernel: 104s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 15:32
Static task: static1
Behavioral task: behavioral1
- Sample: 6639540418063f3317b273d87be5fa90N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 6639540418063f3317b273d87be5fa90N.exe
- Resource: win10v2004-20240802-en
General
- Target: 6639540418063f3317b273d87be5fa90N.exe
- Size: 204KB
- MD5: 6639540418063f3317b273d87be5fa90
- SHA1: 0b724a95359c4c88bfbeceb5222a940e26a87277
- SHA256: 4178834695d7a474e0f32c4460e6df08382b5db972bad15704453d0a3cd621e2
- SHA512: bfda619f5bdf3183b3e5e87f07ac11927e43bedfc9a88f72fbee5f59fb88a327b5a50d7e723ced4c8aec1849bc81e22c2f6421dd2e3f8c3e3071961510485bb9
- SSDEEP: 6144:KVGdPRAFDiJuzdv4PSMBV+UdvrEFp7hK8xc:KV4PSBagdw6MBjvrEH7Zxc
Malware Config
Signatures
- Detects Floxif payload (1 IoC)
  resource: behavioral2/files/0x00090000000234ce-2.dat, yara_rule: floxif
- Event Triggered Execution: AppInit DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral2/files/0x00090000000234ce-2.dat, yara_rule: acprotect
- Executes dropped EXE (1 IoC)
  PID 3236, process hotfix.exe
- Loads dropped DLL (4 IoCs)
  PID 1372 6639540418063f3317b273d87be5fa90N.exe; PID 3236 hotfix.exe; PID 1372 6639540418063f3317b273d87be5fa90N.exe; PID 1372 6639540418063f3317b273d87be5fa90N.exe
- yara_rule: upx (8 resource hits)
  resource: behavioral2/files/0x00090000000234ce-2.dat
  resource: behavioral2/memory/1372-5-0x0000000010000000-0x0000000010030000-memory.dmp
  resource: behavioral2/memory/3236-26-0x0000000010000000-0x0000000010030000-memory.dmp
  resource: behavioral2/memory/1372-38-0x0000000010000000-0x0000000010030000-memory.dmp
  resource: behavioral2/memory/1372-40-0x0000000010000000-0x0000000010030000-memory.dmp
  resource: behavioral2/memory/3236-41-0x0000000010000000-0x0000000010030000-memory.dmp
  resource: behavioral2/memory/3236-46-0x0000000010000000-0x0000000010030000-memory.dmp
  resource: behavioral2/memory/1372-56-0x0000000010000000-0x0000000010030000-memory.dmp
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 6639540418063f3317b273d87be5fa90N.exe: \??\b:, \??\e:, \??\g:, \??\k:, \??\p:, \??\s:, \??\t:, \??\a:, \??\y:, \??\l:, \??\n:, \??\r:, \??\w:, \??\h:, \??\x:, \??\o:, \??\j:, \??\m:, \??\q:, \??\u:, \??\v:, \??\z:, \??\i:
- Drops file in Program Files directory (2 IoCs)
  File created C:\Program Files\Common Files\System\symsrv.dll by 6639540418063f3317b273d87be5fa90N.exe
  File created \??\c:\program files\common files\system\symsrv.dll.000 by 6639540418063f3317b273d87be5fa90N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 6639540418063f3317b273d87be5fa90N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by hotfix.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1372 6639540418063f3317b273d87be5fa90N.exe; PID 1372 6639540418063f3317b273d87be5fa90N.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1372 6639540418063f3317b273d87be5fa90N.exe
  Token: SeDebugPrivilege, PID 3236 hotfix.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1372 wrote to memory of 3236; process 6639540418063f3317b273d87be5fa90N.exe; procid_target 86
  PID 1372 wrote to memory of 3236; process 6639540418063f3317b273d87be5fa90N.exe; procid_target 86
  PID 1372 wrote to memory of 3236; process 6639540418063f3317b273d87be5fa90N.exe; procid_target 86
Processes
- C:\Users\Admin\AppData\Local\Temp\6639540418063f3317b273d87be5fa90N.exe, command line "C:\Users\Admin\AppData\Local\Temp\6639540418063f3317b273d87be5fa90N.exe" (PID 1372)
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: \??\c:\temp\ext36642\hotfix.exe, command line c:\temp\ext36642\hotfix.exe (PID 3236)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads