Analysis
-
max time kernel
110s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16-08-2024 23:35
Static task
static1
Behavioral task
behavioral1
Sample
8309167a3c354e7c9fbc4da75e626190N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
8309167a3c354e7c9fbc4da75e626190N.exe
Resource
win10v2004-20240802-en
General
-
Target
8309167a3c354e7c9fbc4da75e626190N.exe
-
Size
300KB
-
MD5
8309167a3c354e7c9fbc4da75e626190
-
SHA1
c6f5f071b5c3abb50d9a8e297f2aee762846f266
-
SHA256
9a7fac10fe0ee58e5b61da22d740a7387d1f9e5168946c05b79de56199698e1a
-
SHA512
eb956ab46b007746a90213725ed9211d2c6da58da96e82cf7e46d7be5f5af8133f27fb2ca6e8a06052627967bfc3f1515da8b1c2972b9ef27d05b45c1a5e8565
-
SSDEEP
6144:ASNn7p8F1g+oG1IZgaZ7pOOF2JsUBV+UdvrEFp7hKqkkkkkkkkkkkkkkkkkkkEkX:xn7p8F1g+oG1IZgaZ7pF2J9BjvrEH7tc
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x000c00000001224f-1.dat floxif -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule behavioral1/files/0x000c00000001224f-1.dat acprotect -
Loads dropped DLL 2 IoCs
Processes:
8309167a3c354e7c9fbc4da75e626190N.exeWerFault.exepid Process 2244 8309167a3c354e7c9fbc4da75e626190N.exe 3008 WerFault.exe -
Processes:
resource yara_rule behavioral1/files/0x000c00000001224f-1.dat upx behavioral1/memory/2244-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/2244-9-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
Processes:
8309167a3c354e7c9fbc4da75e626190N.exedescription ioc Process File created C:\Program Files\Common Files\System\symsrv.dll 8309167a3c354e7c9fbc4da75e626190N.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3008 2244 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
8309167a3c354e7c9fbc4da75e626190N.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8309167a3c354e7c9fbc4da75e626190N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8309167a3c354e7c9fbc4da75e626190N.exedescription pid Process Token: SeDebugPrivilege 2244 8309167a3c354e7c9fbc4da75e626190N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
8309167a3c354e7c9fbc4da75e626190N.exedescription pid Process procid_target PID 2244 wrote to memory of 3008 2244 8309167a3c354e7c9fbc4da75e626190N.exe 31 PID 2244 wrote to memory of 3008 2244 8309167a3c354e7c9fbc4da75e626190N.exe 31 PID 2244 wrote to memory of 3008 2244 8309167a3c354e7c9fbc4da75e626190N.exe 31 PID 2244 wrote to memory of 3008 2244 8309167a3c354e7c9fbc4da75e626190N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\8309167a3c354e7c9fbc4da75e626190N.exe"C:\Users\Admin\AppData\Local\Temp\8309167a3c354e7c9fbc4da75e626190N.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2722⤵
- Loads dropped DLL
- Program crash
PID:3008
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab