Analysis Overview
SHA256
c8e55a8562af00cbc28c55b00beaf6a9bcf8d0b2187044df97eaef3fe0638731
Threat Level: Known bad
The file bb0d1e8f3446f47e4cd59abfb08af930N.exe was found to be: Known bad.
Malicious Activity Summary
Detects Floxif payload
Floxif family
Event Triggered Execution: AppInit DLLs
Blocklisted process makes network request
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Enumerates connected drives
Network Service Discovery
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 02:31
Signatures
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Floxif family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 02:31
Reported
2024-08-16 02:33
Platform
win7-20240705-en
Max time kernel
117s
Max time network
84s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: AppInit DLLs
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0d1e8f3446f47e4cd59abfb08af930N.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0d1e8f3446f47e4cd59abfb08af930N.dll,#1
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.0.1 08-3f-3f-fb-f1-5d
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.255.255 a9-00-b7-59-21-bd
C:\Windows\SysWOW64\arp.exe
arp -s 136.243.76.173 90-5f-f7-3c-c6-16
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.22 79-de-5a-77-66-30
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.251 3c-0f-12-d7-e3-23
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.252 2d-f5-da-6d-e5-b8
C:\Windows\SysWOW64\arp.exe
arp -s 239.255.255.250 e4-97-9d-d5-ea-df
C:\Windows\SysWOW64\arp.exe
arp -s 255.255.255.255 a7-b3-63-bc-9a-be
C:\Windows\SysWOW64\arp.exe
arp -d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 198.58.118.167:80 | www.aieov.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 02:31
Reported
2024-08-16 02:33
Platform
win10v2004-20240802-en
Max time kernel
105s
Max time network
110s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0d1e8f3446f47e4cd59abfb08af930N.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0d1e8f3446f47e4cd59abfb08af930N.dll,#1
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4056 -ip 4056
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.0.1 aa-9a-69-f8-12-4f
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.255.255 94-b0-67-48-20-00
C:\Windows\SysWOW64\arp.exe
arp -s 49.12.169.207 2b-44-ff-25-87-9f
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.22 a5-78-f5-5b-c4-c2
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.251 20-93-36-45-d5-ee
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.252 4c-43-e3-49-91-fb
C:\Windows\SysWOW64\arp.exe
arp -s 239.255.255.250 54-2a-a8-e1-76-a4
C:\Windows\SysWOW64\arp.exe
arp -s 255.255.255.255 b1-13-29-fc-0b-3a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 708
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| GB | 88.221.135.33:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 33.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4056-0-0x0000000010000000-0x0000000010033000-memory.dmp
memory/4056-2-0x0000000010000000-0x0000000010033000-memory.dmp