Malware Analysis Report

2024-12-08 02:48

Sample ID 240816-xwpy7a1hkg
Target 11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5
SHA256 11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5
Tags
floxif ramnit backdoor banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5

Threat Level: Known bad

The file 11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5 was found to be: Known bad.

Malicious Activity Summary

floxif ramnit backdoor banker discovery spyware stealer trojan upx worm

Ramnit

Floxif, Floodfix

Detects Floxif payload

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 19:12

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 19:12

Reported

2024-08-16 19:14

Platform

win7-20240705-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Ramnit

trojan spyware stealer worm banker ramnit

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\IEShims.dll | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieproxy.dll | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AA92751-5C03-11EF-9CC2-6ED41388558A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AA94E61-5C03-11EF-9CC2-6ED41388558A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429997439" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2516 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2516 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2268 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1160 wrote to memory of 2268 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1160 wrote to memory of 2268 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1160 wrote to memory of 2268 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2580 wrote to memory of 2572 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2580 wrote to memory of 2572 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2580 wrote to memory of 2572 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2580 wrote to memory of 2572 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe

"C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2516-1-0x0000000000400000-0x000000000046C000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2516-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2516-6-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2516-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2516-10-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2516-8-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2516-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2516-11-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7AA94E61-5C03-11EF-9CC2-6ED41388558A}.dat

MD5 e529e0af8fcbc713a0c352e819286fa7
SHA1 65e9a76d5f297c94fe25c2650ff0131948a2c193
SHA256 7fae4995085aa978e1b7be50fd09cb2d2facffa1dc27e9f556bc3751504d4d68
SHA512 bfae626623e9a3dd9a25aab093f4ac7c425d2ceee4968eca846a04bb12fe485409e4ad11e668d022ac058281144efb2809e87ff69f0a0a76cef45135e3c56085

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7AA92751-5C03-11EF-9CC2-6ED41388558A}.dat

MD5 7c8f17abb456521559de2964e1c5e73f
SHA1 39749d5f1dea5c7805b6168d4732a03844d59038
SHA256 133781199c6ccd4cbe90f645e3e47ef975ab9e11ced3d6fd8c081ca3a9c3cf78
SHA512 d8b885d8e1f8d716ae753bdb20259b55e28f48c859eb12c7c1d6f3e8a7e255a4fc6bcbe6a31328c368b8196d8ce893d94f1177c8eddd82805c1cad673b13b1d0

\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

MD5 e790eb97dc5d03afa86f08e5f3b5c3aa
SHA1 7b77136e2721d900a97fbc3f41900a1c574b2ed2
SHA256 860702accfeaa8111a2c98c9c43bc08a7b624f4e4c2c40891d0b72ca0561516c
SHA512 84f233173b3ebd9152363aec4a3cbcb39e571a3dae87a94eacca737e1a7c6ff9f342f7a6578abf341c279f4ad5cfcff26fcd0c60b84e6a384e6bc9cf680329ec

\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

MD5 e18dd556f4951e096b0ce0b0aa244f8e
SHA1 8b8b69acf933271630aa1f6e189c2f5800205bc1
SHA256 ec1a6c71f7ce1b47d8bc4ec958d884928fa973d1a4322fa4b695182781126862
SHA512 88e361cdbaa572163748b6d0daacd441e69af4bdd914433f2424d052278b63a0b25026fbfda4326668afb145026c78374abcff7eb0dee2acd565ae7427acf9c9

\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

MD5 f088c1dad8903e6b3b1bc3de93c3fb4d
SHA1 5bbc1a5eb6940ba645d00d981b832e192845d89d
SHA256 2790ef63912d5badd82db6482c2b93452006bda40055905a7d4071f6defacfa8
SHA512 6710f999ef7cd6e68afe812e57ffee091222f7b90237c92ff157a89e3175b36e5e7966eb4bd1e8cb642d60d798e76c13bca2a22525db17f4746c93f5489b3d34

memory/2516-38-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2516-37-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE534.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE5E2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a984f763db41e5560865829982b1a0d4
SHA1 b71ce47ca2f2ee78f77804d279edd59e412294f2
SHA256 e470e7a20d34778e8ccbce088f4fc0874b11d14769e45569d4b725f70f952de6
SHA512 1bfbb0dcb3ad73e67cbf1fa430a351bf715887613bbb7d2542d7b3403e7ec666038826bd5666d9553a14098a6b026e00586013b9689bf3722017808dac671d42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb264b4e43120f7e387a191ce7dfa507
SHA1 6174ee812fb9baf2c4e0d146b606f924d1b5f907
SHA256 6c85b64aa380680ffbebbce334d6a066c627f2a0d7aace0644eea3be08c751ce
SHA512 606032675158e3f7399f919db0e59c98f8ad85cfafe3d9843e138360a2b068f311a9d1896e1d5bfce4db508f213cc56ac4c2bd596aef707d26c7755997bef989

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bd8911239201c71c9a0bc6f4321520b
SHA1 4bc7ceca2b1950955c42585a91281f4568301067
SHA256 23e9a0fa8bd7815f1a09b5bab47ab72571b81b2457291af743d4c6bfb8924ddb
SHA512 4fe164ed34556b2a075d893985258eb4d4c9e41c8dfdcfb494ff1ac1f37b00037a062cbef321acdcc7eed2fb1b5fc11c656814a3a154c2c99c144de62cfb94ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 267c4fd973b19ccdd72fef89d029131c
SHA1 8c4a4fa413919a186bf40845ea7b10ef190051e3
SHA256 bd8c546252c0062e31342fc06dd45e3930247f5eee2057eaa5f256095bf18b0b
SHA512 6f38fe8e0014094c22928b6971c6c0fbe1a7ea586d85dab6d065359f880b7eae444b26d62ab034df2ff4f6f6271055d09a859e9f2cfd917ca0c2e9f2e6b1ccbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d75c92925986cc3808e16c830b6d0aa
SHA1 5767a081a37f48d8eb8dcd3b5f9131ade367c7d4
SHA256 a556ea58b1844dd3d4e0cca180bad8858c4876b776149dc4943328674164907e
SHA512 081bc087115f2db5fc62d39d8cc213b59034173523395182fcdfae61698f5b34b406e89f10d7c02b76486ecb28450d632582f5fc3abff09cd04e9a2c30ba5c5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78053240e7ba77b8b7072cff204eac8b
SHA1 a347d51523b80b33c9aaec3bcd0243be42ed87d2
SHA256 7c245a0bdb59512a3ce673af657e116ed298935dd5c204f2a445d8dbea7b3d4e
SHA512 91f864f8cfa588b1dfa4c0dff15d257134c657fad84a4ce063f9c1a23c3ab55ac113d05693d123336db351de15a0c2a70de99b049d3b345e351d4fc4013c75e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d324d0ce22b782fd12f3e5f834ec108
SHA1 7f4d526f23c03e4503b5f748b73b7a8e5f521f73
SHA256 1d32d38264a0311ba292543f7a1bfbdb13249f8c5fb2f6bc4ddd9e921f85e4b8
SHA512 28ae203d47a8fa1e9e43fef900986a7d5778f0e2f6116a0c0ee1adbebdb57aefe10ec9f11a6c1d7733117392bbc882526c108113103c82d66432c49ef05e0567

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60827bed9e4e76c47fde8cc7a14d5da1
SHA1 be61b49dc134fe38000b135f6fde87e5c471c41e
SHA256 3a7aa30c4bebc9d5b4639e6c46ab0f0b772e94d4bd9c409e80a517728ff30be3
SHA512 7b1f9f75447521b6b8a9079125bfa2b5e18d929304ea53b169b1d52b198505ebf3077e2799f79b5f35163a05a794a7b83a7c82b8e612209be1ae4817e4011e58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96a4417b21b3eafb540626a25a9b0923
SHA1 18b6a2c6f3486584f36212241bfe2f3e3b7a4a48
SHA256 fb349260cd70f3f85ce2e61e701128d55ebcc163b64a32d0b76f136c64fba857
SHA512 834732257efb96d0b36d6310a825a655132b1754dd4332bbc31448f4a811eb8469f412408a6a3dfb47e35c4f6d81eaff87f13edb894d25e59bd6c6c38eaaabf4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3b75939403ea64943f53d8cd7d0cb8b
SHA1 da3895c0cfb96544e53176a018863a7b517b5185
SHA256 df71d0e365f5dfb0172d940d455a03d994fe868307907d60cbb51c987aeb5f8c
SHA512 dfb659675c4e757ca93c4f3dbf36b57c20f00406105ae56b70f1f0b92fa9c86734ebac0ebec6705213c09f0cf1713ba75ee150171eed0175e5302950cf28afab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2d9948770ad865d80434c1dd0f19163
SHA1 20e7816ce9b4eaec45564b9bc4c6c1ea6c489151
SHA256 e5d600953766da1cd89be387bef30b22d0f3161264ab610c81f21f1fa0bf69da
SHA512 7484767be24d1a9f3fc9a1d8105d045a80fafaade62b4f02ab62ca68a9daa14885ff87111eaab50a4fc3d1cca29192432a243c7c0a6be92962432ecdf202f19f

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 19:12

Reported

2024-08-16 19:15

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe

"C:\Users\Admin\AppData\Local\Temp\11abab2b13602043ed3005bfed6fd33e7e63791e16e4a6c77d90643667e893f5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 412

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3568-0-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/3568-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3568-7-0x0000000002240000-0x0000000002241000-memory.dmp

memory/3568-9-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3568-8-0x0000000000400000-0x000000000046C000-memory.dmp