Analysis Overview
SHA256
11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5
Threat Level: Known bad
The file 11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Floxif, Floodfix
Detects Floxif payload
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 19:12
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 19:12
Reported
2024-08-16 19:14
Platform
win7-20240705-en
Max time kernel
149s
Max time network
150s
Signatures
Floxif, Floodfix
Ramnit
Detects Floxif payload
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AA92751-5C03-11EF-9CC2-6ED41388558A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AA94E61-5C03-11EF-9CC2-6ED41388558A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429997439" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe
"C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 19:12
Reported
2024-08-16 19:15
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Signatures
Floxif, Floodfix
Detects Floxif payload
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe
"C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 412
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files