Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/10/2024, 07:11

General

  • Target

    72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe

  • Size

    175KB

  • MD5

    31ca93728d2aee577a466066b3d454a0

  • SHA1

    e7164efeac4826f26b166016749360890c808235

  • SHA256

    72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9

  • SHA512

    aa3a3ae711c97cb2acfde9be827a9066d964597e97eb41b915b0e607a809dfb2e520c30314ba122f18656cfb0daf6321ced56ddba8c9f572c5eec9ed4a7212d9

  • SSDEEP

    3072:OIs9QBv2HzimgyKN/4FA1Jlz0rplf2lQBV+UdE+rECWp7hKqUiF5G:OI1GzxgjN/4FGzyppBV+UdvrEFp7hKV

Malware Config

Signatures

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Detects Floxif payload 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects files protected with ACProtect software.

  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
    "C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1912
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2716

Network

        MITRE ATT&CK Enterprise v15

        Downloads
