Analysis Overview
SHA256
44805dd2c1dc1ebf96fbc861237d40b3fe4b744793c2a753de7713ab33cc7095
Threat Level: Known bad
The file 2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 00:22
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 00:22
Reported
2024-08-18 00:24
Platform
win7-20240705-en
Max time kernel
144s
Max time network
134s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Loads dropped DLL
UPX packed file
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| File created | \??\c:\progra~1\common~1\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 198.58.118.167:80 | www.aieov.com | tcp |
Files
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\wireless.ico
| MD5 | 0d8c648b2ae8e91a56d5fd2729752b64 |
| SHA1 | 77e6e232e02c096ed77b124203f7d54add34c162 |
| SHA256 | c2490a6c037b049b5014a41a44ba29b84ccadf5f5561096cef58cd458dcc4e71 |
| SHA512 | 82a603fa336ab456dc6dbcd33b73bb1db5c47011b2f38133273317453b23801aa173ec3b7e8525d626db017be9e2c02ab77b8b6bb773f0a1afad5a37dd62fbb3 |
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
| MD5 | 2b92ed6cd3ea3e553cad8e37108c32d6 |
| SHA1 | a4993336b04ba7cc081656d51a56440391b982a6 |
| SHA256 | 93d789afa9560aeae6933d540ff9ce3f1352ad03be72863cd28853e3896c0cf2 |
| SHA512 | 6067d7033342fc0f83c1b260d3b0e33b474e852e0a450b243654c22c8656556217fdb5f8156852bf7b057193347f4c517a77a2410759dd8e92ff1bf5d1363ea9 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
| MD5 | c9e58d1d66271921c21366023b8ed94f |
| SHA1 | 5d7591ef49f0f1b6bbfa40ed6ec00c1e70deda61 |
| SHA256 | 841732bb7e629d67e99505722200645771b7cb61c266c15356f0babdadac40c8 |
| SHA512 | 21710a057931007bb92441445f2b99012b1ac2da873a4391b088e28fa8dcd8951474a257ccd50ae596ad57a16e1078808986b0b2290bd42943cc38e4d0e45f94 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
| MD5 | ac2e0fa78ac6bf392e719cd1437e11a3 |
| SHA1 | 26a2f5e097f614be11dbd1e7778896d61b56e481 |
| SHA256 | 5c475e5c8cfec69d87b4a9de9def87196d1b4ccb85b7d6883785d692ef5630a6 |
| SHA512 | bf70c3c29c889168371506ebd27c7d7f9711059acf2c8f7a3472f96d5ca3dbaede45cb46700b1d6bb0ae370d71bf181fa14e400e2fd12acac12bd1bcdf5e019b |
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll.tmp
| MD5 | 76a2ebe97bc6e9945fffd7e5e5c96ea8 |
| SHA1 | 8cd8b35d0a2f57356e3a9937e53bb6ef011923c7 |
| SHA256 | 9cade50890a7d1d8a7d83bd091181fd60ec6d9a8094cd869da1a5c5c5646f83d |
| SHA512 | 604dd0509fad3c0f0c7ba5d232d8e0f18ef60dde3070afe81c43aea74f3343e6ff59bfdf7485ef9f87f171c76545dc7481fd03749413c44b6421aeb916cf6f5f |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Clipboard\Clipboard.lmd
| MD5 | 35680673837110844c72bf6ed8eb6202 |
| SHA1 | 3c9c1276ed0bbfa48e478a55e06a5e5cf826f437 |
| SHA256 | ed696486a267df27c3d16e1c360ab0221f6dda9c76e70fce0ca4b74bdd22da6b |
| SHA512 | 2fb9b08381fdc9a8f2c6e6881ddd0ed455e4117e219fd42bcecdf210d6e4410791dc6c0d025d7fd231e658fdc04bb0967df7c501703ebbd7316684c231ec73a4 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\LuaCom\LuaCom.lmd
| MD5 | 971c53498e8a3a259e286bd9eb38c9cb |
| SHA1 | f441af38aba15e3f748c713085cfb3642f75cf3d |
| SHA256 | d792f81a83ed91996249b991837b12f1e748f7db183b2702eadf1fc22b09291e |
| SHA512 | a4ca728bd93c601e9262e5ff4bf82868dff23433d1f162cbfbbae5b2eeea5cafaf5322c1cfbfbd399ad76db0608323968b928ae6bfe04045429407cc4c79002e |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\SmtpT\SmtpT.lmd
| MD5 | eb5247a3bd8f16f1172a4c57d0dbefbc |
| SHA1 | ab503e3a628199b6cac38f8ada0cb05bbe0ca576 |
| SHA256 | 139852d6443219df46e416f8e01c56c8c27cacd295a7d88340d69dca9d5144a2 |
| SHA512 | 4c99269338f602547b1a26465e8026f4acce679947057acc1f633af510c2fac01d45bc299dc41e9a392c28241460c39b0f96c2fb800ddbc983690552733f61bd |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinApi\WinApi.lmd
| MD5 | 0194f4b3ea555e5a2ec2c5aa38c3f47a |
| SHA1 | 5ca6ed374bfbea1a60dae6e5e5583561b10f9a09 |
| SHA256 | f1166c24279cd83a4bdf7bfe4906113b31db005608dcf688f62b53467807e65d |
| SHA512 | 0b0e15b92e61fa5b91cdd74a49ce8aa80f3ce29e2df4bacba51cd41191f9904291ab41ec3be33057c92e8f254716c914d2b28f8b0e8fabe60a32bae34e9bb709 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1.jpg
| MD5 | baf82861ec59b7360e28373ec0ac0db1 |
| SHA1 | 13e5ca637317b4b5d808cbd5421a50886f537187 |
| SHA256 | 9dbb42ca1a30dd268e55f9ebcaedcfc1ae6ef05d8a1bc2d2fb746516255fa8a8 |
| SHA512 | a8d1a3a6ae542f07e3ad5b71214a814b7b119727e52019f570c39d9df7a39d9e3ef7c131f7ca6a79a87cb6d5f19409a619b12a5d4547054d73b3c9eb7be637c1 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\62.btn
| MD5 | 6dbe822220b78100f4dbb2baea10ab2e |
| SHA1 | 77322f9e0ed57194afbf2bab837ed6b918776b40 |
| SHA256 | ebc1555fec68efaf19130ea7058bcb10809358087f0b92c01cc2f92e9eed5623 |
| SHA512 | e80489b552b63d18d25178de7e9b87a623272e79e353726747764a2a4bfa820416c575b3bb1956cead5ae6cca27d35e9a7e73537e66d41067e3f124d0cd94eec |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\network_wireless.png
| MD5 | 64e6018e449e922c3282528ce6e5f43b |
| SHA1 | e366b8e8ccbabc69c588bdf9158b033b3c757c7b |
| SHA256 | 98572a66a400b63c02241ab5da2accb60e9084ef2ef85afab780566cb212a7ca |
| SHA512 | 8471d6d6e504651e1dde1768a178cb2c2309c83964d44551c1fa8245dc3dcf6bad60f41a68df78b34e1de3e1df45db485bcdef71abd2475e8e3ab37a17638662 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\64.btn
| MD5 | 7c5184059c0073fed8e687e5e33c41b1 |
| SHA1 | 444412703faab0846eae275eb6c7fb910a66b638 |
| SHA256 | 0c603c5c34d805247c3e0de7b916e87ae7e51a0b64450226068985c5e33a58e5 |
| SHA512 | dc3e4952d871ed565588bece0fab6fa0c11ae55a3612aa0fcc9b885fdbcf2545202813ec1ce5c51ab47a937a21c2eeb6e013d7d5f3cf29d9e3f63a65dfebf54d |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\61.btn
| MD5 | 484cc4f54d2c8577108b497490bf5a62 |
| SHA1 | 86867a6cfdb381a46f3bbe0ec3ae7b1efbaa6dfa |
| SHA256 | 05d668f1d5942d8c21399176659819783dd800218686fd328ad2c2a10d7604e0 |
| SHA512 | d9b159f8be5bc9b7fae42643720430e15d90898072e1a068ebc2614664461cc0adf997192a56b59423fad729df42336bfcc993df029ec429f00bca707553ce60 |
\??\c:\progra~1\common~1\system\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 00:22
Reported
2024-08-18 00:24
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Loads dropped DLL
UPX packed file
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe |
| PID 2716 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe |
| PID 2716 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe | C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
"C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-08-18_63bf5d99c0482206c58f7ed1a4f03547_floxif_icedid.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.33.20.235:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.20.33.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.20.235:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.20.235:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.20.235:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.33.20.235:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
Files
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\wireless.ico
| MD5 | 0d8c648b2ae8e91a56d5fd2729752b64 |
| SHA1 | 77e6e232e02c096ed77b124203f7d54add34c162 |
| SHA256 | c2490a6c037b049b5014a41a44ba29b84ccadf5f5561096cef58cd458dcc4e71 |
| SHA512 | 82a603fa336ab456dc6dbcd33b73bb1db5c47011b2f38133273317453b23801aa173ec3b7e8525d626db017be9e2c02ab77b8b6bb773f0a1afad5a37dd62fbb3 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
| MD5 | 2b92ed6cd3ea3e553cad8e37108c32d6 |
| SHA1 | a4993336b04ba7cc081656d51a56440391b982a6 |
| SHA256 | 93d789afa9560aeae6933d540ff9ce3f1352ad03be72863cd28853e3896c0cf2 |
| SHA512 | 6067d7033342fc0f83c1b260d3b0e33b474e852e0a450b243654c22c8656556217fdb5f8156852bf7b057193347f4c517a77a2410759dd8e92ff1bf5d1363ea9 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll
| MD5 | c9e58d1d66271921c21366023b8ed94f |
| SHA1 | 5d7591ef49f0f1b6bbfa40ed6ec00c1e70deda61 |
| SHA256 | 841732bb7e629d67e99505722200645771b7cb61c266c15356f0babdadac40c8 |
| SHA512 | 21710a057931007bb92441445f2b99012b1ac2da873a4391b088e28fa8dcd8951474a257ccd50ae596ad57a16e1078808986b0b2290bd42943cc38e4d0e45f94 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
| MD5 | ac2e0fa78ac6bf392e719cd1437e11a3 |
| SHA1 | 26a2f5e097f614be11dbd1e7778896d61b56e481 |
| SHA256 | 5c475e5c8cfec69d87b4a9de9def87196d1b4ccb85b7d6883785d692ef5630a6 |
| SHA512 | bf70c3c29c889168371506ebd27c7d7f9711059acf2c8f7a3472f96d5ca3dbaede45cb46700b1d6bb0ae370d71bf181fa14e400e2fd12acac12bd1bcdf5e019b |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll.tmp
| MD5 | c3fcf26e31c73f71d93c8c5c495d10d3 |
| SHA1 | 3bf5d507d49b0c29fad77d15087a0ac764a1cc9a |
| SHA256 | addebcada7f45f9574e392f3276a0d4a00426edba87d7cd21140e4ee320ee382 |
| SHA512 | e259c1bcc108b036dbcced650c55f374bcfc5044d7d52266b54491ef7c5e75f6ec27aaf35d91768202c602bf0aa9e2ef45da4c8ae3dcd9d102ed08607df865b5 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Clipboard\Clipboard.lmd
| MD5 | 35680673837110844c72bf6ed8eb6202 |
| SHA1 | 3c9c1276ed0bbfa48e478a55e06a5e5cf826f437 |
| SHA256 | ed696486a267df27c3d16e1c360ab0221f6dda9c76e70fce0ca4b74bdd22da6b |
| SHA512 | 2fb9b08381fdc9a8f2c6e6881ddd0ed455e4117e219fd42bcecdf210d6e4410791dc6c0d025d7fd231e658fdc04bb0967df7c501703ebbd7316684c231ec73a4 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\LuaCom\LuaCom.lmd
| MD5 | 971c53498e8a3a259e286bd9eb38c9cb |
| SHA1 | f441af38aba15e3f748c713085cfb3642f75cf3d |
| SHA256 | d792f81a83ed91996249b991837b12f1e748f7db183b2702eadf1fc22b09291e |
| SHA512 | a4ca728bd93c601e9262e5ff4bf82868dff23433d1f162cbfbbae5b2eeea5cafaf5322c1cfbfbd399ad76db0608323968b928ae6bfe04045429407cc4c79002e |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\SmtpT\SmtpT.lmd
| MD5 | eb5247a3bd8f16f1172a4c57d0dbefbc |
| SHA1 | ab503e3a628199b6cac38f8ada0cb05bbe0ca576 |
| SHA256 | 139852d6443219df46e416f8e01c56c8c27cacd295a7d88340d69dca9d5144a2 |
| SHA512 | 4c99269338f602547b1a26465e8026f4acce679947057acc1f633af510c2fac01d45bc299dc41e9a392c28241460c39b0f96c2fb800ddbc983690552733f61bd |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinApi\WinApi.lmd
| MD5 | 0194f4b3ea555e5a2ec2c5aa38c3f47a |
| SHA1 | 5ca6ed374bfbea1a60dae6e5e5583561b10f9a09 |
| SHA256 | f1166c24279cd83a4bdf7bfe4906113b31db005608dcf688f62b53467807e65d |
| SHA512 | 0b0e15b92e61fa5b91cdd74a49ce8aa80f3ce29e2df4bacba51cd41191f9904291ab41ec3be33057c92e8f254716c914d2b28f8b0e8fabe60a32bae34e9bb709 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\1.jpg
| MD5 | baf82861ec59b7360e28373ec0ac0db1 |
| SHA1 | 13e5ca637317b4b5d808cbd5421a50886f537187 |
| SHA256 | 9dbb42ca1a30dd268e55f9ebcaedcfc1ae6ef05d8a1bc2d2fb746516255fa8a8 |
| SHA512 | a8d1a3a6ae542f07e3ad5b71214a814b7b119727e52019f570c39d9df7a39d9e3ef7c131f7ca6a79a87cb6d5f19409a619b12a5d4547054d73b3c9eb7be637c1 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\61.btn
| MD5 | 484cc4f54d2c8577108b497490bf5a62 |
| SHA1 | 86867a6cfdb381a46f3bbe0ec3ae7b1efbaa6dfa |
| SHA256 | 05d668f1d5942d8c21399176659819783dd800218686fd328ad2c2a10d7604e0 |
| SHA512 | d9b159f8be5bc9b7fae42643720430e15d90898072e1a068ebc2614664461cc0adf997192a56b59423fad729df42336bfcc993df029ec429f00bca707553ce60 |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\62.btn
| MD5 | 6dbe822220b78100f4dbb2baea10ab2e |
| SHA1 | 77322f9e0ed57194afbf2bab837ed6b918776b40 |
| SHA256 | ebc1555fec68efaf19130ea7058bcb10809358087f0b92c01cc2f92e9eed5623 |
| SHA512 | e80489b552b63d18d25178de7e9b87a623272e79e353726747764a2a4bfa820416c575b3bb1956cead5ae6cca27d35e9a7e73537e66d41067e3f124d0cd94eec |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\64.btn
| MD5 | 7c5184059c0073fed8e687e5e33c41b1 |
| SHA1 | 444412703faab0846eae275eb6c7fb910a66b638 |
| SHA256 | 0c603c5c34d805247c3e0de7b916e87ae7e51a0b64450226068985c5e33a58e5 |
| SHA512 | dc3e4952d871ed565588bece0fab6fa0c11ae55a3612aa0fcc9b885fdbcf2545202813ec1ce5c51ab47a937a21c2eeb6e013d7d5f3cf29d9e3f63a65dfebf54d |
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\network_wireless.png
| MD5 | 64e6018e449e922c3282528ce6e5f43b |
| SHA1 | e366b8e8ccbabc69c588bdf9158b033b3c757c7b |
| SHA256 | 98572a66a400b63c02241ab5da2accb60e9084ef2ef85afab780566cb212a7ca |
| SHA512 | 8471d6d6e504651e1dde1768a178cb2c2309c83964d44551c1fa8245dc3dcf6bad60f41a68df78b34e1de3e1df45db485bcdef71abd2475e8e3ab37a17638662 |
C:\Program Files\Common Files\System\symsrv.dll.000
| MD5 | 1130c911bf5db4b8f7cf9b6f4b457623 |
| SHA1 | 48e734c4bc1a8b5399bff4954e54b268bde9d54c |
| SHA256 | eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1 |
| SHA512 | 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0 |