Analysis
max time kernel: 15s
max time network: 20s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15-08-2024 20:27
Static task: static1
Behavioral task: behavioral1
  Sample: afefcb34383aaebfab116ad4137a70f0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: afefcb34383aaebfab116ad4137a70f0N.exe
  Resource: win10v2004-20240802-en
General
Target: afefcb34383aaebfab116ad4137a70f0N.exe
Size: 210KB
MD5: afefcb34383aaebfab116ad4137a70f0
SHA1: 105f2470abc888a309a86f01fa362f0cb78404b2
SHA256: 467535fd0d8024f1168aa12511ce066da706b018ce7c34ffdfce622d1b136acb
SHA512: 5197b4a6c311f9ce600e16073af6d4e8a944b4b2ea4f80e74f6df038d4d983ad7b18451328bd79ec75bb355fd6a78657601f3b9c193f55fc5c9038fcc5c2d2ec
SSDEEP: 6144:9F4yLs4WP++HuoDavXp4vQBV+UdvrEFp7hK8xq:9RQlP+rXpMQBjvrEH7Zxq
Malware Config
Signatures

Detects Floxif payload (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x000900000001227c-2.dat   floxif

Event Triggered Execution: AppInit DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource                                     yara_rule
  behavioral1/files/0x000900000001227c-2.dat   acprotect

Executes dropped EXE (1 IoC)
  pid    Process
  2800   hotfix.exe

Loads dropped DLL (7 IoCs)
  pid    Process
  2928   afefcb34383aaebfab116ad4137a70f0N.exe
  2928   afefcb34383aaebfab116ad4137a70f0N.exe
  2800   hotfix.exe
  2800   hotfix.exe
  2800   hotfix.exe
  2800   hotfix.exe
  2928   afefcb34383aaebfab116ad4137a70f0N.exe

UPX packed file (yara rule upx, 9 IoCs)
  resource                                                                 yara_rule
  behavioral1/files/0x000900000001227c-2.dat                               upx
  behavioral1/memory/2928-4-0x0000000010000000-0x0000000010030000-memory.dmp    upx
  behavioral1/memory/2800-30-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2928-36-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2928-39-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2800-42-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2800-41-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2800-45-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2928-54-0x0000000010000000-0x0000000010030000-memory.dmp   upx
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description                 ioc      Process
  File opened (read-only)     \??\X:   afefcb34383aaebfab116ad4137a70f0N.exe
  where X: is each of the 23 drive letters a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z (every letter except C:, D: and F:), all opened by PID 2928.
Drops file in Program Files directory (2 IoCs)
  description    ioc                                                      Process
  File created   \??\c:\program files\common files\system\symsrv.dll.000   afefcb34383aaebfab116ad4137a70f0N.exe
  File created   C:\Program Files\Common Files\System\symsrv.dll            afefcb34383aaebfab116ad4137a70f0N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   afefcb34383aaebfab116ad4137a70f0N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   hotfix.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  2928   afefcb34383aaebfab116ad4137a70f0N.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                  pid    Process
  Token: SeDebugPrivilege      2928   afefcb34383aaebfab116ad4137a70f0N.exe
  Token: SeRestorePrivilege    2800   hotfix.exe   (7 times)
  Token: SeDebugPrivilege      2800   hotfix.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid    Process                                  procid_target
  PID 2928 wrote to memory of 2800     2928   afefcb34383aaebfab116ad4137a70f0N.exe   30   (7 times)
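The signature rows above are the report's tables flattened onto single lines. As an added example, not part of the report or of the sandbox's own code, the following Python re-parses excerpts of those rows and re-derives three of the findings: which process opened the root of how many non-C: drives, which parent wrote into which child, and which privileges each process enabled. The sample rows are re-typed from the report as constructed input (five of the 23 drive rows, three of the seven identical WriteProcessMemory rows), plus one constructed hotfix.exe row opening C: as a negative control. The three-drive threshold is an assumption for this example; the report does not publish the one it uses.

```python
"""Re-parse flattened sandbox IoC rows and re-derive the report's verdicts (added example)."""
import re
from collections import defaultdict

# Constructed sample input: excerpts of the report's rows, re-typed here.
DRIVE_ROWS = (
    r"File opened (read-only) \??\w: afefcb34383aaebfab116ad4137a70f0N.exe "
    r"File opened (read-only) \??\i: afefcb34383aaebfab116ad4137a70f0N.exe "
    r"File opened (read-only) \??\l: afefcb34383aaebfab116ad4137a70f0N.exe "
    r"File opened (read-only) \??\c: hotfix.exe "  # constructed negative control, not in the report
    r"File opened (read-only) \??\n: afefcb34383aaebfab116ad4137a70f0N.exe"
)
WPM_ROWS = (
    "PID 2928 wrote to memory of 2800 2928 afefcb34383aaebfab116ad4137a70f0N.exe 30 "
    "PID 2928 wrote to memory of 2800 2928 afefcb34383aaebfab116ad4137a70f0N.exe 30 "
    "PID 2928 wrote to memory of 2800 2928 afefcb34383aaebfab116ad4137a70f0N.exe 30"
)
TOKEN_ROWS = (
    "Token: SeDebugPrivilege 2928 afefcb34383aaebfab116ad4137a70f0N.exe "
    "Token: SeRestorePrivilege 2800 hotfix.exe "
    "Token: SeDebugPrivilege 2800 hotfix.exe"
)

# Column layouts as they appear in the flattened rows.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([a-zA-Z]):\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")


def parse_drive_opens(text):
    """Return [(drive_letter, process), ...] for every root-path open in the rows."""
    return [(m.group(1).lower(), m.group(2)) for m in DRIVE_RE.finditer(text)]


def drives_per_process(text):
    """Group the opened drive letters by process name."""
    per = defaultdict(set)
    for letter, proc in parse_drive_opens(text):
        per[proc].add(letter)
    return dict(per)


def flag_drive_enumeration(text, min_other_drives=3):
    """Processes that opened the root of at least min_other_drives drives other than C:.
    The threshold is an assumption for this example, not the sandbox's own."""
    hits = []
    for proc, letters in drives_per_process(text).items():
        others = letters - {"c"}
        if len(others) >= min_other_drives:
            hits.append((proc, "".join(sorted(others))))
    return hits


def parse_write_process_memory(text):
    """Return [(source_pid, target_pid, process, procid_target), ...]."""
    return [(int(m.group(1)), int(m.group(2)), m.group(4), int(m.group(5)))
            for m in WPM_RE.finditer(text)]


def injection_edges(text):
    """Collapse the repeated WriteProcessMemory rows into distinct source->target edges."""
    return sorted({(src, dst, proc) for src, dst, proc, _ in parse_write_process_memory(text)})


def parse_privileges(text):
    """Return [(privilege, pid, process), ...] from the AdjustPrivilegeToken rows."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in TOKEN_RE.finditer(text)]


def privileges_per_process(text):
    """Set of privileges enabled by each (pid, process); SeDebugPrivilege on a dropped
    EXE is the row worth looking at first."""
    per = defaultdict(set)
    for priv, pid, proc in parse_privileges(text):
        per[(pid, proc)].add(priv)
    return dict(per)


if __name__ == "__main__":
    print("drive enumeration:", flag_drive_enumeration(DRIVE_ROWS))
    print("injection edges:", injection_edges(WPM_ROWS))
    print("privileges:", privileges_per_process(TOKEN_ROWS))
```

Run against the full 23-letter row from the report, drives_per_process yields one process with 23 letters, which is what the signature's "23 IoCs" counts; the seven WriteProcessMemory rows collapse to the single 2928 -> 2800 edge that the process tree below shows.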
Processes

C:\Users\Admin\AppData\Local\Temp\afefcb34383aaebfab116ad4137a70f0N.exe  (PID 2928)
  command line: "C:\Users\Admin\AppData\Local\Temp\afefcb34383aaebfab116ad4137a70f0N.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- \??\c:\temp\ext42438\hotfix.exe  (PID 2800, child of 2928)
        command line: c:\temp\ext42438\hotfix.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 183KB
  MD5: 0c74bb15aa1ca622eb12f86e5bb84900
  SHA1: 2711e96791b6da42690b89e76124ffa77678c4b7
  SHA256: 120365010314b74b0bb425d1c86615802e48fcf1ceb6130dc9f0c34969dc260b
  SHA512: e0abb2ddbaa984f0b3b1a341a21639412d452891f0bd97f95b52cf497dd066c3b3fa29fdf1baed90082aa68d2aedd8c6483a3b63a2634b1e0369446966104a78

File 2
  Filesize: 17KB
  MD5: 1fd2b85cc8c265b4f4867e7e31387d52
  SHA1: 80b0921ea64022ebb5a3fee82f59f0e1deedd852
  SHA256: a9e5074c188d78ccb3e1d4ee28cc48d208357d6f25353c28571fa0a6eaaa474a
  SHA512: 0664941ac3d88528d8c8254b25c29d5662fd8979f5c66604225fc9fb63d400c835f78230a8cd99ea28127b79837e2177475a8ee086737fec5206f9cd1d830300

File 3
  Filesize: 67KB
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

File 4
  Filesize: 106KB
  MD5: 155fc68d5d845947cd0cba8a40eb2ea1
  SHA1: 1bc25d1dab8cabad382107744f3c6a59036c2b9d
  SHA256: 0fe1846a38abb3bd9e1bec74a846cf5bd8a38f508cd629b5bea3c306fea9511c
  SHA512: 4d9ba8fdf861c00bb701cf5de519d42bdc2bac27171b87f65a308a32bd4c8fe4f556fd659706c2eb5078d5b9952cc3815f76c9859c256275571c3865e2bad7ce
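To turn the report into a host check, the following Python is added here as an example; it is not part of the report or of any tool the report names. It hashes the two drop paths from the "Drops file in Program Files directory" rows, plus c:\temp\ext*\hotfix.exe (assuming the digits in ext42438 vary per run, which the report does not confirm), compares each SHA-256 against the sample's and the four downloaded files' values above, and, on Windows only, reads the AppInit_DLLs and LoadAppInit_DLLs registry values that the "Event Triggered Execution: AppInit DLLs" signature refers to. The registry key paths are the standard Windows ones, not taken from the report, and the report records no AppInit IoC of its own, so a hit there is a lead to examine rather than a confirmed link to this sample.

```python
"""Host check for the file and AppInit artifacts listed in the report (added example)."""
import glob
import hashlib
import os
import sys

# SHA-256 values copied from the report: the sample plus the four downloaded files.
REPORT_SHA256 = {
    "467535fd0d8024f1168aa12511ce066da706b018ce7c34ffdfce622d1b136acb",
    "120365010314b74b0bb425d1c86615802e48fcf1ceb6130dc9f0c34969dc260b",
    "a9e5074c188d78ccb3e1d4ee28cc48d208357d6f25353c28571fa0a6eaaa474a",
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085",
    "0fe1846a38abb3bd9e1bec74a846cf5bd8a38f508cd629b5bea3c306fea9511c",
}

# Drop locations from the report's "Drops file in Program Files directory" rows.
DROP_PATHS = [
    r"C:\Program Files\Common Files\System\symsrv.dll",
    r"C:\Program Files\Common Files\System\symsrv.dll.000",
]
# Assumption: the ext42438 directory name is per-run, so match any ext* directory.
HOTFIX_GLOB = r"C:\temp\ext*\hotfix.exe"

# Standard registry keys controlling AppInit DLL loading (native and WOW64 views);
# these are not taken from the report.
APPINIT_KEYS = [
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def candidate_paths():
    """Fixed drop paths plus any hotfix.exe under a c:\\temp\\ext* directory."""
    return DROP_PATHS + sorted(glob.glob(HOTFIX_GLOB))


def check_files(paths, known_sha256):
    """Return (path, sha256, matches_report) for each path that exists; a present
    symsrv.dll with a non-matching hash is still worth a look, hence both flags."""
    findings = []
    for p in paths:
        if os.path.isfile(p):
            digest = sha256_file(p)
            findings.append((p, digest, digest in known_sha256))
    return findings


def check_appinit(values):
    """values: {key_path: {"AppInit_DLLs": str, "LoadAppInit_DLLs": int}} as read from
    the registry. A non-empty AppInit_DLLs list is a finding; it is active only when
    LoadAppInit_DLLs is 1. Returns [(key_path, dll_list, active), ...]."""
    findings = []
    for key, v in values.items():
        dlls = (v.get("AppInit_DLLs") or "").strip()
        if dlls:
            active = int(v.get("LoadAppInit_DLLs") or 0) == 1
            findings.append((key, dlls, active))
    return findings


def read_appinit_windows():
    """Collect the AppInit values with winreg; Windows only."""
    import winreg
    out = {}
    for key in APPINIT_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                vals = {}
                for name in ("AppInit_DLLs", "LoadAppInit_DLLs"):
                    try:
                        vals[name] = winreg.QueryValueEx(k, name)[0]
                    except FileNotFoundError:
                        pass
                out[key] = vals
        except FileNotFoundError:
            continue
    return out


if __name__ == "__main__":
    for path, digest, hit in check_files(candidate_paths(), REPORT_SHA256):
        print(f"{'MATCH' if hit else 'present'} {path} {digest}")
    if sys.platform == "win32":
        for key, dlls, active in check_appinit(read_appinit_windows()):
            print(f"AppInit_DLLs {'ACTIVE' if active else 'set'} under HKLM\\{key}: {dlls}")
```

The report does not say which of the four downloaded files is symsrv.dll or hotfix.exe, so the check matches any of the listed hashes rather than pairing a hash with a path.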