Analysis
-
max time kernel
94s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 07:11
Behavioral task
behavioral1
Sample
72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
Resource
win10v2004-20240802-en
General
-
Target
72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
-
Size
175KB
-
MD5
31ca93728d2aee577a466066b3d454a0
-
SHA1
e7164efeac4826f26b166016749360890c808235
-
SHA256
72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9
-
SHA512
aa3a3ae711c97cb2acfde9be827a9066d964597e97eb41b915b0e607a809dfb2e520c30314ba122f18656cfb0daf6321ced56ddba8c9f572c5eec9ed4a7212d9
-
SSDEEP
3072:OIs9QBv2HzimgyKN/4FA1Jlz0rplf2lQBV+UdE+rECWp7hKqUiF5G:OI1GzxgjN/4FGzyppBV+UdvrEFp7hKV
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
resource yara_rule behavioral2/files/0x00090000000233ad-2.dat floxif -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x00090000000233ad-2.dat acprotect -
Loads dropped DLL 3 IoCs
pid Process 2060 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe 2772 WerFault.exe 4600 WerFault.exe -
resource yara_rule behavioral2/memory/2060-0-0x0000000000400000-0x0000000000454000-memory.dmp upx behavioral2/files/0x00090000000233ad-2.dat upx behavioral2/memory/2060-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/2060-11-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/2060-10-0x0000000000400000-0x0000000000454000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Common Files\System\symsrv.dll 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4600 2060 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2060 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2060 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 3882⤵
- Loads dropped DLL
- Program crash
PID:4600
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 20601⤵
- Loads dropped DLL
PID:2772
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab