Analysis
- max time kernel: 90s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 03:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f40a6510b3f8dd3a21464be0132f8090N.exe
  - Resource: win7-20240903-en
General
- Target: f40a6510b3f8dd3a21464be0132f8090N.exe
- Size: 3.1MB
- MD5: f40a6510b3f8dd3a21464be0132f8090
- SHA1: 4d3b4d00296c53e08c8504a89434e74b807191ef
- SHA256: 7eb237e18ea11289f5266015dee0556bb3842bb02027c19bfab1bb32e203192a
- SHA512: c88eac496864996dfce4b50bdac14e6345fd26daa12e684178f00fedc9791118e4f545d06abe7a0f27740e82090e52987c75b5776c3fb456498ed90224ccd458
- SSDEEP: 49152:tf7OE8I6oJK0uzgRTvnFjStQyfvE0Z3R0nxiIq2dseYGfXD:IE8Ij3uzgFt7KtQRq2VXD
Malware Config
Signatures
Detects Floxif payload 1 IoCs
Processes:
- resource: behavioral1/files/0x0006000000017415-13.dat, yara_rule: floxif
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. The report flags the technique but records no registry modification, so the AppInit_DLLs and LoadAppInit_DLLs values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and the Wow6432Node copy on 64-bit hosts) should be checked directly on any affected machine.
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
- resource: behavioral1/files/0x0006000000017415-13.dat, yara_rule: acprotect
Executes dropped EXE 2 IoCs
Processes:
- pid 2732: f40a6510b3f8dd3a21464be0132f8090n.exe
- pid 2972: f40a6510b3f8dd3a21464be0132f8090n.exe
Loads dropped DLL 4 IoCs
Processes:
- pid 3012: f40a6510b3f8dd3a21464be0132f8090N.exe
- pid 2732: f40a6510b3f8dd3a21464be0132f8090n.exe
- pid 2732: f40a6510b3f8dd3a21464be0132f8090n.exe
- pid 2972: f40a6510b3f8dd3a21464be0132f8090n.exe
UPX packed file 6 IoCs
Processes:
- resource: behavioral1/files/0x0006000000017415-13.dat, yara_rule: upx
- resource: behavioral1/memory/2732-15-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/2732-23-0x0000000000470000-0x000000000048F000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/2972-28-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/2732-32-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/2972-35-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only): \??\e: by f40a6510b3f8dd3a21464be0132f8090n.exe
Drops file in Program Files directory 1 IoCs
Processes:
- File created: C:\Program Files\Common Files\System\symsrv.dll by f40a6510b3f8dd3a21464be0132f8090n.exe
Drops file in Windows directory 2 IoCs
Processes:
- File opened for modification: C:\Windows\Resources\Themes\icsys.icn.exe by f40a6510b3f8dd3a21464be0132f8090N.exe
- File opened for modification: C:\Windows\Resources\Themes\icsys.icn.exe by f40a6510b3f8dd3a21464be0132f8090n.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f40a6510b3f8dd3a21464be0132f8090n.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f40a6510b3f8dd3a21464be0132f8090N.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f40a6510b3f8dd3a21464be0132f8090n.exe
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
- pid 3012: f40a6510b3f8dd3a21464be0132f8090N.exe (16 events)
- pid 2732: f40a6510b3f8dd3a21464be0132f8090n.exe (17 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, pid 2732: f40a6510b3f8dd3a21464be0132f8090n.exe
- Token: SeDebugPrivilege, pid 2972: f40a6510b3f8dd3a21464be0132f8090n.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
- pid 3012: f40a6510b3f8dd3a21464be0132f8090N.exe (2 events)
- pid 2732: f40a6510b3f8dd3a21464be0132f8090n.exe (2 events)
- pid 2972: f40a6510b3f8dd3a21464be0132f8090n.exe (2 events)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 3012 (f40a6510b3f8dd3a21464be0132f8090N.exe) wrote to memory of PID 2732, procid_target 30 (4 events)
- PID 2732 (f40a6510b3f8dd3a21464be0132f8090n.exe) wrote to memory of PID 2972, procid_target 31 (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f40a6510b3f8dd3a21464be0132f8090N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f40a6510b3f8dd3a21464be0132f8090N.exe"
   PID: 3012
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe
      Command line: c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe
      PID: 2732 (child of 3012)
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe
         Command line: c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe
         PID: 2972 (child of 2732)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.9MB
  MD5: 97c3a84fbdbda15c953b8ec31d0b35da
  SHA1: e0e7c2ffa7c05c06349511a1147435c5215e02e9
  SHA256: 0ce150732f511567362779a52f4f12160ae1dfad49ab3a620be49647b3af0771
  SHA512: ac8624e13d952ace856e08dcbe4a245093f151cabf395b5fdcf521ec350060de012fa4754e3f9e3b0ab0a971743e4e8c6909857c29d78be5734a7bb92fd319d4
- Filesize: 135KB
  MD5: 4a06019836eaa91dd3a90042ab9d0e60
  SHA1: 392c7985f7007e4908f6ceefbe39ae014d5e57a1
  SHA256: 5af76d57c9573c0e242c8897898280c4fe325d5dd557bf9a90e093d015154112
  SHA512: 23151d58f6a9f1743af801352cbfa130f4ffcaea03637eaeef51f785f2ac1ea1dbf923734defa983f091bb69b13a869ff22b35dcfd82e5865a892678db6ece57
- Filesize: 67KB
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
- Filesize: 3.0MB
  MD5: 43c41ff496c9ebfaec5c9bfac304324e
  SHA1: 9cee50003c114869ffa5f5e24cd27afb3f5f3d2d
  SHA256: 2cd0788a40dde4e8090d8e6ec286e7ffd2fec66a20aeab860c5c3aba9a98c87e
  SHA512: 156f62c749b6a1488193812117eeeeb517d63b7b95788b73697aea9d4b43acd7c82d3d578d474b8f92ac9a9606c73efe8c8eb393c89c47a914ca70b0870c9b74
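To turn this report into something that can be run against other hosts, the added example below (not code from the sandbox or the report) collects the hashes from the General and Downloads sections and the drop locations from the "Drops file in Program Files directory" and "Drops file in Windows directory" signatures, and matches files against them by path and by MD5/SHA1/SHA256. The in-memory sample files are constructed so the script runs without the malware present; `scan_tree` walks a real directory (for example a mounted disk image) and hashes files in chunks.

```python
"""Match files against the hash and path IoCs recorded in this sandbox report.

Added example, not code from the sandbox report. Path IoCs are compared
case-insensitively; hash IoCs are compared against MD5, SHA1 and SHA256 of
the file content, so a renamed copy of a dropped file is still caught.
"""
import hashlib
import os
from dataclasses import dataclass

ALGOS = ("md5", "sha1", "sha256")

# Copied from the report: submitted sample (General) and dropped files (Downloads).
IOC_HASHES = {
    "f40a6510b3f8dd3a21464be0132f8090",
    "4d3b4d00296c53e08c8504a89434e74b807191ef",
    "7eb237e18ea11289f5266015dee0556bb3842bb02027c19bfab1bb32e203192a",
    "97c3a84fbdbda15c953b8ec31d0b35da",
    "e0e7c2ffa7c05c06349511a1147435c5215e02e9",
    "0ce150732f511567362779a52f4f12160ae1dfad49ab3a620be49647b3af0771",
    "4a06019836eaa91dd3a90042ab9d0e60",
    "392c7985f7007e4908f6ceefbe39ae014d5e57a1",
    "5af76d57c9573c0e242c8897898280c4fe325d5dd557bf9a90e093d015154112",
    "7574cf2c64f35161ab1292e2f532aabf",
    "14ba3fa927a06224dfe587014299e834def4644f",
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085",
    "43c41ff496c9ebfaec5c9bfac304324e",
    "9cee50003c114869ffa5f5e24cd27afb3f5f3d2d",
    "2cd0788a40dde4e8090d8e6ec286e7ffd2fec66a20aeab860c5c3aba9a98c87e",
}
# Copied from the report's file-drop signatures (lower-case for comparison).
IOC_PATHS = {
    r"c:\program files\common files\system\symsrv.dll",
    r"c:\windows\resources\themes\icsys.icn.exe",
}


@dataclass(frozen=True)
class Hit:
    path: str
    reason: str   # "path", "md5", "sha1" or "sha256"
    value: str    # normalized path or the matching hex digest


def digests(data):
    """MD5/SHA1/SHA256 of an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def file_digests(path, chunk=1 << 20):
    """Same three digests for a file on disk, streamed so large files are not read whole."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match(path, file_hashes, ioc_hashes=IOC_HASHES, ioc_paths=IOC_PATHS):
    """Hits for one file: a path match (if any) first, then one hit per matching digest."""
    hits = []
    norm = path.lower().replace("/", "\\")
    if norm in ioc_paths:
        hits.append(Hit(path, "path", norm))
    for algo, hexdigest in file_hashes.items():
        if hexdigest in ioc_hashes:
            hits.append(Hit(path, algo, hexdigest))
    return hits


def scan(files, ioc_hashes=IOC_HASHES, ioc_paths=IOC_PATHS):
    """files maps path -> bytes (e.g. extracted artifacts). Returns all hits in input order."""
    hits = []
    for path, data in files.items():
        hits.extend(match(path, digests(data), ioc_hashes, ioc_paths))
    return hits


def scan_tree(root, ioc_hashes=IOC_HASHES, ioc_paths=IOC_PATHS):
    """Walk a real directory tree (e.g. a mounted image) and scan every readable file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                hits.extend(match(full, file_digests(full), ioc_hashes, ioc_paths))
            except OSError:
                continue  # unreadable or vanished file; keep going
    return hits


# Constructed samples: a benign file and a placeholder at one of the drop locations.
SAMPLE_FILES = {
    r"C:\Users\Admin\notes.txt": b"nothing to see here\n",
    r"C:\Windows\Resources\Themes\icsys.icn.exe": b"MZ\x90\x00placeholder",
}

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(f"{hit.reason:6} {hit.path}  {hit.value}")
```

A path hit without a hash hit (as with the constructed placeholder above) means a file sits where the sample drops its payload but its content differs from what the sandbox captured; that is still worth pulling, since Floxif-style infectors write per-host variants. The SSDEEP value from the General section is not used here because fuzzy hashing needs a library outside the standard library.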