Analysis
max time kernel: 113s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 20:27
Static task: static1
Behavioral task: behavioral1
  Sample: afefcb34383aaebfab116ad4137a70f0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: afefcb34383aaebfab116ad4137a70f0N.exe
  Resource: win10v2004-20240802-en
General
Target: afefcb34383aaebfab116ad4137a70f0N.exe
Size: 210KB
MD5: afefcb34383aaebfab116ad4137a70f0
SHA1: 105f2470abc888a309a86f01fa362f0cb78404b2
SHA256: 467535fd0d8024f1168aa12511ce066da706b018ce7c34ffdfce622d1b136acb
SHA512: 5197b4a6c311f9ce600e16073af6d4e8a944b4b2ea4f80e74f6df038d4d983ad7b18451328bd79ec75bb355fd6a78657601f3b9c193f55fc5c9038fcc5c2d2ec
SSDEEP: 6144:9F4yLs4WP++HuoDavXp4vQBV+UdvrEFp7hK8xq:9RQlP+rXpMQBjvrEH7Zxq
Malware Config
Signatures
Detects Floxif payload (1 IoCs)
resource: behavioral2/files/0x0009000000022925-2.dat; yara_rule: floxif
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource: behavioral2/files/0x0009000000022925-2.dat; yara_rule: acprotect
Executes dropped EXE (1 IoCs)
pid 3084: hotfix.exe
Loads dropped DLL (4 IoCs)
pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe
pid 3084: hotfix.exe
pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe
pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe
resource: behavioral2/memory/3632-5-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
resource: behavioral2/files/0x0009000000022925-2.dat; yara_rule: upx
resource: behavioral2/memory/3084-26-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
resource: behavioral2/memory/3632-37-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
resource: behavioral2/memory/3084-41-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
resource: behavioral2/memory/3632-42-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
resource: behavioral2/memory/3632-54-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
resource: behavioral2/memory/3084-47-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by afefcb34383aaebfab116ad4137a70f0N.exe: \??\q:, \??\r:, \??\x:, \??\y:, \??\b:, \??\o:, \??\g:, \??\h:, \??\l:, \??\w:, \??\a:, \??\e:, \??\m:, \??\t:, \??\u:, \??\v:, \??\z:, \??\i:, \??\j:, \??\p:, \??\s:, \??\k:, \??\n:
Drops file in Program Files directory (2 IoCs)
File created: C:\Program Files\Common Files\System\symsrv.dll (afefcb34383aaebfab116ad4137a70f0N.exe)
File created: \??\c:\program files\common files\system\symsrv.dll.000 (afefcb34383aaebfab116ad4137a70f0N.exe)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (afefcb34383aaebfab116ad4137a70f0N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hotfix.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe
pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe
pid 3084: hotfix.exe
pid 3084: hotfix.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege; pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe
Token: SeDebugPrivilege; pid 3084: hotfix.exe
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3632 wrote to memory of 3084; pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe; procid_target 86
PID 3632 wrote to memory of 3084; pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe; procid_target 86
PID 3632 wrote to memory of 3084; pid 3632: afefcb34383aaebfab116ad4137a70f0N.exe; procid_target 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\afefcb34383aaebfab116ad4137a70f0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\afefcb34383aaebfab116ad4137a70f0N.exe"
   PID: 3632
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. \??\c:\temp\ext42438\hotfix.exe
      Command line: c:\temp\ext42438\hotfix.exe
      PID: 3084
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 67KB
MD5: 7574cf2c64f35161ab1292e2f532aabf
SHA1: 14ba3fa927a06224dfe587014299e834def4644f
SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Filesize: 183KB
MD5: cfc1449cd14a8c1494cb1ca6571deaa7
SHA1: a095841ab7e0c436f73bc61ff37175ef321bef24
SHA256: 2242c7f3ffe3e45023c467cbed17c1379ddff46b1779ce010bdb1cd2b1af0794
SHA512: a242274f8b7f75128f65c40f08eb8fec21f2dc337807a088adca7f154988c52bbc3b3d9d0d4ca1256180b43f29f1bc4e80d537e680994d1b952bb3a5b769a399

Filesize: 106KB
MD5: 155fc68d5d845947cd0cba8a40eb2ea1
SHA1: 1bc25d1dab8cabad382107744f3c6a59036c2b9d
SHA256: 0fe1846a38abb3bd9e1bec74a846cf5bd8a38f508cd629b5bea3c306fea9511c
SHA512: 4d9ba8fdf861c00bb701cf5de519d42bdc2bac27171b87f65a308a32bd4c8fe4f556fd659706c2eb5078d5b9952cc3815f76c9859c256275571c3865e2bad7ce

Filesize: 17KB
MD5: 1fd2b85cc8c265b4f4867e7e31387d52
SHA1: 80b0921ea64022ebb5a3fee82f59f0e1deedd852
SHA256: a9e5074c188d78ccb3e1d4ee28cc48d208357d6f25353c28571fa0a6eaaa474a
SHA512: 0664941ac3d88528d8c8254b25c29d5662fd8979f5c66604225fc9fb63d400c835f78230a8cd99ea28127b79837e2177475a8ee086737fec5206f9cd1d830300