floxif | 5ef5eb5cd1f22d202ee122e198605c636f779ead5cfc5b2b184555de4ea404ac

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d36d6061527d3e3915d97f688e4e50N.exe
Size

1.2MB
MD5

a4d36d6061527d3e3915d97f688e4e50
SHA1

2e4911926d1372f899048e31363708886a5168e2
SHA256

5ef5eb5cd1f22d202ee122e198605c636f779ead5cfc5b2b184555de4ea404ac
SHA512

a8a28fcfdefa49ed629b11d5ac3fa627869d932feadc704452eee990d9b92119307e40d5a9cd64e41f7ca62b15cd038e815041ccaa6ec9f72f9b6a731243d10b
SSDEEP

24576:ELwruNHULnFUonAsTdPkMjwjLukDEIbAsM4SzXzzFlLlnNz8j:ESuN0LignTdPkhjikDH0/zBNz2

Score

10^/10

floxif backdoor bootkit discovery persistence trojan upx

Malware Config

Signatures

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000900000002345e-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002345e-2.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk	E37CC5.EXE

Executes dropped EXE 1 IoCs

pid	Process
4456	E37CC5.EXE

Loads dropped DLL 18 IoCs

pid	Process
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002345e-2.dat	upx
behavioral2/memory/2704-3-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/2704-114-0x0000000010000000-0x0000000010032000-memory.dmp	upx

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2164	arp.exe
4168	arp.exe
2516	arp.exe
2628	arp.exe
2964	arp.exe
1648	arp.exe
996	arp.exe
3124	arp.exe
1432	arp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\9E3B3C\spec_a.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\1A2F16	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\C021A2\3c8c.EDT	E37CC5.EXE
File created	C:\Windows\SysWOW64\9E3B3C\eAPI.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\RegEx.fnr	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\shell.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\com.run	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\C021A2\3c8c.inf	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\9E3B3C\cnvpe.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\eAPI.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\spec.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\RegEx.fnr	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\shell.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\com.run	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\dp1.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\krnln.fnr	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\krnln.fnr	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\cnvpe.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\C021A2\3c8c.inf	E37CC5.EXE
File created	C:\Windows\SysWOW64\C021A2\3c8c.EDT	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\9E3B3C\dp1.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\9E3B3C\internet.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\C021A2\119e.inf	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C\internet.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\C021A2\119e.inf	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\C021A2\3c8c.edt	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\9E3B3C\spec.fne	a4d36d6061527d3e3915d97f688e4e50N.exe
File opened for modification	C:\Windows\SysWOW64\C021A2	E37CC5.EXE
File opened for modification	C:\Windows\SysWOW64\EE37CC	a4d36d6061527d3e3915d97f688e4e50N.exe
File created	C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT	a4d36d6061527d3e3915d97f688e4e50N.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	a4d36d6061527d3e3915d97f688e4e50N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4d36d6061527d3e3915d97f688e4e50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	E37CC5.EXE

Modifies registry class 23 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1912	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2704	a4d36d6061527d3e3915d97f688e4e50N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	a4d36d6061527d3e3915d97f688e4e50N.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
2704	a4d36d6061527d3e3915d97f688e4e50N.exe
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
4456	E37CC5.EXE
1912	explorer.exe
1912	explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2964	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	85
PID 2704 wrote to memory of 2964	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	85
PID 2704 wrote to memory of 2964	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	85
PID 2704 wrote to memory of 1648	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	87
PID 2704 wrote to memory of 1648	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	87
PID 2704 wrote to memory of 1648	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	87
PID 2704 wrote to memory of 1432	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	88
PID 2704 wrote to memory of 1432	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	88
PID 2704 wrote to memory of 1432	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	88
PID 2704 wrote to memory of 2628	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	89
PID 2704 wrote to memory of 2628	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	89
PID 2704 wrote to memory of 2628	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	89
PID 2704 wrote to memory of 2516	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	90
PID 2704 wrote to memory of 2516	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	90
PID 2704 wrote to memory of 2516	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	90
PID 2704 wrote to memory of 4168	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	91
PID 2704 wrote to memory of 4168	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	91
PID 2704 wrote to memory of 4168	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	91
PID 2704 wrote to memory of 2164	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	92
PID 2704 wrote to memory of 2164	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	92
PID 2704 wrote to memory of 2164	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	92
PID 2704 wrote to memory of 3124	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	93
PID 2704 wrote to memory of 3124	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	93
PID 2704 wrote to memory of 3124	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	93
PID 2704 wrote to memory of 996	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	94
PID 2704 wrote to memory of 996	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	94
PID 2704 wrote to memory of 996	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	94
PID 2704 wrote to memory of 1600	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	103
PID 2704 wrote to memory of 1600	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	103
PID 2704 wrote to memory of 1600	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	103
PID 2704 wrote to memory of 4456	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	106
PID 2704 wrote to memory of 4456	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	106
PID 2704 wrote to memory of 4456	2704	a4d36d6061527d3e3915d97f688e4e50N.exe	106

C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe
"C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 b6-06-57-28-c7-f2
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 4d-d4-80-e4-7b-1b
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1432
- C:\Windows\SysWOW64\arp.exe
  arp -s 49.12.169.208 87-c7-b8-cb-82-b2
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 66-81-91-be-8b-2a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 0a-48-da-bb-d7-c9
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:4168
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 1a-bd-dc-9b-cc-51
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 fa-f0-82-32-c3-34
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:3124
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 f4-80-ca-a7-bf-8a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:996
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\a4d36d6061527d3e3915d97f688e4e50N
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
  C:\Windows\system32\9E3B3C\E37CC5.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
0609f5fe5fee88412b62aacafc43aedc

SHA1
e36ebd88d34a8b9af2808eb156f108ffc30d6a26

SHA256
b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6

SHA512
63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
56KB

MD5
fb7ea6f8ae09fa7621ee13f86c4f2935

SHA1
d93676c39ad0181dad70a662c41fc4c280cce848

SHA256
bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0

SHA512
e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
cf46bb62a1ba559ceb0fad7a5d642f28

SHA1
80b63dd193e84bfacbe535587dd38471b8ea2c24

SHA256
fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67

SHA512
1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE

Filesize
111KB

MD5
92cb3a9a0807fa40b62fdad073ba712a

SHA1
34c22e6c87fc85242a6b84ad3c2cb32341dae43e

SHA256
381f079ba319041c818b55aa1e3a687bd562d3ded1c0bc02eb591c5c031103e8

SHA512
99556a91a6183e568f62a47a167dc45bbbb9a8bd561d83d1ccedeb9d7e260252813f204cc70ec099bd0f2649b28aa16e52f5e9f0b9d531d7ccd462c9521583af

Download Submit
C:\Windows\SysWOW64\9E3B3C\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
C:\Windows\SysWOW64\9E3B3C\eAPI.fne

Filesize
312KB

MD5
936745bac5c873ab1a91478d27894626

SHA1
9ed92393f95692339ce03a8f1498f80c727e0555

SHA256
edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630

SHA512
32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4

Download Submit
memory/2704-114-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2704-26-0x0000000002410000-0x0000000002421000-memory.dmp

Filesize
68KB

Download
memory/2704-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2704-19-0x0000000002FD0000-0x00000000030ED000-memory.dmp

Filesize
1.1MB

Download
memory/2704-66-0x0000000002450000-0x0000000002464000-memory.dmp

Filesize
80KB

Download
memory/2704-12-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2704-32-0x0000000002430000-0x000000000244E000-memory.dmp

Filesize
120KB

Download
memory/2704-3-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2704-113-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4456-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-95-0x0000000002FC0000-0x0000000002FDE000-memory.dmp

Filesize
120KB

Download
memory/4456-108-0x0000000002FE0000-0x000000000303D000-memory.dmp

Filesize
372KB

Download
memory/4456-91-0x0000000002EA0000-0x0000000002EB1000-memory.dmp

Filesize
68KB

Download
memory/4456-85-0x0000000002220000-0x000000000226A000-memory.dmp

Filesize
296KB

Download
memory/4456-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads