Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-08-2024 19:12

General

  • Target

    11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe

  • Size

    249KB

  • MD5

    45c26c120dc9cedf8886fe4af6b67c0e

  • SHA1

    2cd0d80dab24ee79b2cefde04972d49133c5db8d

  • SHA256

    11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5

  • SHA512

    bf80b445eb1b516e0cc725e2f3144c348db16a867d9d9d5018f9cbe7d74c093422d3d2ddeb5368670165f8e055b648c8d4e82005a3b5e52e845ce29f71b32da8

  • SSDEEP

    6144:NMhEILGFkzhr0dGj9ojBV+UdvrEFp7hK8x:UBcoaGj9ojBjvrEH7B

Malware Config

Signatures

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects files protected with ACProtect software.

  • Loads dropped DLL 5 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe
    "C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2572
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bb264b4e43120f7e387a191ce7dfa507

    SHA1

    6174ee812fb9baf2c4e0d146b606f924d1b5f907

    SHA256

    6c85b64aa380680ffbebbce334d6a066c627f2a0d7aace0644eea3be08c751ce

    SHA512

    606032675158e3f7399f919db0e59c98f8ad85cfafe3d9843e138360a2b068f311a9d1896e1d5bfce4db508f213cc56ac4c2bd596aef707d26c7755997bef989

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0bd8911239201c71c9a0bc6f4321520b

    SHA1

    4bc7ceca2b1950955c42585a91281f4568301067

    SHA256

    23e9a0fa8bd7815f1a09b5bab47ab72571b81b2457291af743d4c6bfb8924ddb

    SHA512

    4fe164ed34556b2a075d893985258eb4d4c9e41c8dfdcfb494ff1ac1f37b00037a062cbef321acdcc7eed2fb1b5fc11c656814a3a154c2c99c144de62cfb94ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    267c4fd973b19ccdd72fef89d029131c

    SHA1

    8c4a4fa413919a186bf40845ea7b10ef190051e3

    SHA256

    bd8c546252c0062e31342fc06dd45e3930247f5eee2057eaa5f256095bf18b0b

    SHA512

    6f38fe8e0014094c22928b6971c6c0fbe1a7ea586d85dab6d065359f880b7eae444b26d62ab034df2ff4f6f6271055d09a859e9f2cfd917ca0c2e9f2e6b1ccbc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6d75c92925986cc3808e16c830b6d0aa

    SHA1

    5767a081a37f48d8eb8dcd3b5f9131ade367c7d4

    SHA256

    a556ea58b1844dd3d4e0cca180bad8858c4876b776149dc4943328674164907e

    SHA512

    081bc087115f2db5fc62d39d8cc213b59034173523395182fcdfae61698f5b34b406e89f10d7c02b76486ecb28450d632582f5fc3abff09cd04e9a2c30ba5c5c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    78053240e7ba77b8b7072cff204eac8b

    SHA1

    a347d51523b80b33c9aaec3bcd0243be42ed87d2

    SHA256

    7c245a0bdb59512a3ce673af657e116ed298935dd5c204f2a445d8dbea7b3d4e

    SHA512

    91f864f8cfa588b1dfa4c0dff15d257134c657fad84a4ce063f9c1a23c3ab55ac113d05693d123336db351de15a0c2a70de99b049d3b345e351d4fc4013c75e8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2d324d0ce22b782fd12f3e5f834ec108

    SHA1

    7f4d526f23c03e4503b5f748b73b7a8e5f521f73

    SHA256

    1d32d38264a0311ba292543f7a1bfbdb13249f8c5fb2f6bc4ddd9e921f85e4b8

    SHA512

    28ae203d47a8fa1e9e43fef900986a7d5778f0e2f6116a0c0ee1adbebdb57aefe10ec9f11a6c1d7733117392bbc882526c108113103c82d66432c49ef05e0567

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    60827bed9e4e76c47fde8cc7a14d5da1

    SHA1

    be61b49dc134fe38000b135f6fde87e5c471c41e

    SHA256

    3a7aa30c4bebc9d5b4639e6c46ab0f0b772e94d4bd9c409e80a517728ff30be3

    SHA512

    7b1f9f75447521b6b8a9079125bfa2b5e18d929304ea53b169b1d52b198505ebf3077e2799f79b5f35163a05a794a7b83a7c82b8e612209be1ae4817e4011e58

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    96a4417b21b3eafb540626a25a9b0923

    SHA1

    18b6a2c6f3486584f36212241bfe2f3e3b7a4a48

    SHA256

    fb349260cd70f3f85ce2e61e701128d55ebcc163b64a32d0b76f136c64fba857

    SHA512

    834732257efb96d0b36d6310a825a655132b1754dd4332bbc31448f4a811eb8469f412408a6a3dfb47e35c4f6d81eaff87f13edb894d25e59bd6c6c38eaaabf4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a3b75939403ea64943f53d8cd7d0cb8b

    SHA1

    da3895c0cfb96544e53176a018863a7b517b5185

    SHA256

    df71d0e365f5dfb0172d940d455a03d994fe868307907d60cbb51c987aeb5f8c

    SHA512

    dfb659675c4e757ca93c4f3dbf36b57c20f00406105ae56b70f1f0b92fa9c86734ebac0ebec6705213c09f0cf1713ba75ee150171eed0175e5302950cf28afab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b2d9948770ad865d80434c1dd0f19163

    SHA1

    20e7816ce9b4eaec45564b9bc4c6c1ea6c489151

    SHA256

    e5d600953766da1cd89be387bef30b22d0f3161264ab610c81f21f1fa0bf69da

    SHA512

    7484767be24d1a9f3fc9a1d8105d045a80fafaade62b4f02ab62ca68a9daa14885ff87111eaab50a4fc3d1cca29192432a243c7c0a6be92962432ecdf202f19f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a984f763db41e5560865829982b1a0d4

    SHA1

    b71ce47ca2f2ee78f77804d279edd59e412294f2

    SHA256

    e470e7a20d34778e8ccbce088f4fc0874b11d14769e45569d4b725f70f952de6

    SHA512

    1bfbb0dcb3ad73e67cbf1fa430a351bf715887613bbb7d2542d7b3403e7ec666038826bd5666d9553a14098a6b026e00586013b9689bf3722017808dac671d42

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7AA92751-5C03-11EF-9CC2-6ED41388558A}.dat

    Filesize

    5KB

    MD5

    7c8f17abb456521559de2964e1c5e73f

    SHA1

    39749d5f1dea5c7805b6168d4732a03844d59038

    SHA256

    133781199c6ccd4cbe90f645e3e47ef975ab9e11ced3d6fd8c081ca3a9c3cf78

    SHA512

    d8b885d8e1f8d716ae753bdb20259b55e28f48c859eb12c7c1d6f3e8a7e255a4fc6bcbe6a31328c368b8196d8ce893d94f1177c8eddd82805c1cad673b13b1d0

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7AA94E61-5C03-11EF-9CC2-6ED41388558A}.dat

    Filesize

    4KB

    MD5

    e529e0af8fcbc713a0c352e819286fa7

    SHA1

    65e9a76d5f297c94fe25c2650ff0131948a2c193

    SHA256

    7fae4995085aa978e1b7be50fd09cb2d2facffa1dc27e9f556bc3751504d4d68

    SHA512

    bfae626623e9a3dd9a25aab093f4ac7c425d2ceee4968eca846a04bb12fe485409e4ad11e668d022ac058281144efb2809e87ff69f0a0a76cef45135e3c56085

  • C:\Users\Admin\AppData\Local\Temp\CabE534.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE5E2.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Program Files (x86)\Internet Explorer\IEShims.dll.tmp

    Filesize

    313KB

    MD5

    e790eb97dc5d03afa86f08e5f3b5c3aa

    SHA1

    7b77136e2721d900a97fbc3f41900a1c574b2ed2

    SHA256

    860702accfeaa8111a2c98c9c43bc08a7b624f4e4c2c40891d0b72ca0561516c

    SHA512

    84f233173b3ebd9152363aec4a3cbcb39e571a3dae87a94eacca737e1a7c6ff9f342f7a6578abf341c279f4ad5cfcff26fcd0c60b84e6a384e6bc9cf680329ec

  • \Program Files (x86)\Internet Explorer\IEShims.dll.tmp

    Filesize

    313KB

    MD5

    f088c1dad8903e6b3b1bc3de93c3fb4d

    SHA1

    5bbc1a5eb6940ba645d00d981b832e192845d89d

    SHA256

    2790ef63912d5badd82db6482c2b93452006bda40055905a7d4071f6defacfa8

    SHA512

    6710f999ef7cd6e68afe812e57ffee091222f7b90237c92ff157a89e3175b36e5e7966eb4bd1e8cb642d60d798e76c13bca2a22525db17f4746c93f5489b3d34

  • \Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

    Filesize

    340KB

    MD5

    e18dd556f4951e096b0ce0b0aa244f8e

    SHA1

    8b8b69acf933271630aa1f6e189c2f5800205bc1

    SHA256

    ec1a6c71f7ce1b47d8bc4ec958d884928fa973d1a4322fa4b695182781126862

    SHA512

    88e361cdbaa572163748b6d0daacd441e69af4bdd914433f2424d052278b63a0b25026fbfda4326668afb145026c78374abcff7eb0dee2acd565ae7427acf9c9

  • \Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • memory/2516-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/2516-37-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2516-38-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2516-11-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2516-1-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2516-8-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2516-10-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2516-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

  • memory/2516-6-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/2516-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB