Analysis Overview
SHA256
72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9
Threat Level: Known bad
The file 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N was found to be: Known bad.
Malicious Activity Summary
Ramnit
Floxif, Floodfix
Detects Floxif payload
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Enumerates connected drives
UPX packed file
Drops file in Program Files directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 07:11
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 07:11
Reported
2024-10-05 07:14
Platform
win7-20240903-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Floxif, Floodfix
Ramnit
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{194DBA91-82E9-11EF-A322-62CAC36041A9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1954DEB1-82E9-11EF-A322-62CAC36041A9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434274181" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2644-0-0x0000000000400000-0x0000000000454000-memory.dmp
\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/2644-4-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2644-6-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2644-7-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2644-9-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2644-10-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/2644-11-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2644-8-0x00000000003D0000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{194DBA91-82E9-11EF-A322-62CAC36041A9}.dat
| MD5 | fea3d2b8d5e40d557fa25b11a4d34822 |
| SHA1 | 128c00748b765c1fde0b54e4daa04f65e219b017 |
| SHA256 | ebee77fad8e6ac9993c6bf267db609df4c60c345c4baf89f48d0822a508a3e6e |
| SHA512 | 7fae415183aa79dc3faf2f593ce6f057b9e9fa59414d5643b7ff0337d052b031338fec2152e8ca654d532394f4308111485534abb3fd79e3af03a75b23434765 |
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp
| MD5 | 97d05edcd216905a9405608c4b537d49 |
| SHA1 | f7c00f1ea0ab55c64410bd92b5aadfdd522d0ce0 |
| SHA256 | e7374a054164d1aa4d2621cecda204ebeb291180968b5bf0efcf0fdb0e53116b |
| SHA512 | aa177f39269ee4f6c23bbfd56ffe02c5a2126643a390edff08e51eac6a647a8dcf07ed54aa4856f1fda72cc08cba8be31751639ca28b4f28ba2f7df7a15a3b92 |
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp
| MD5 | 4debd6a36034bddc7532757888107b59 |
| SHA1 | b2541ff8a8438dcbdf25c226b8009e51cbabcf5a |
| SHA256 | af19c2cd5b06d4879af68ed83a260668c1f1797e38a5d3a52459ac038e5d3ad0 |
| SHA512 | 1c5238c9ce10689a45eef397e227c5ccc37d67f648a5c880ce22aabaf0476c46735f929ebf17656ef8a6f157be2a0c058672ca976bf1c8b00655b72caa7369fb |
C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp
| MD5 | 97ac988586437d44bbc7a7ab93283fc2 |
| SHA1 | b4aa9f5e63640c57f4854a6e8d75ad502722df55 |
| SHA256 | 4df62caa648af369a218e47245fd7f2bbcb05a961e4b4ce927b46c6af198f1a9 |
| SHA512 | e24038f24cef4d5d068b7aa83eaa2fefac652475e7e90030a6140b6dc5dca07b7da4285ac4c995c993bb8c6d05c33e4e81beee19755a656e24e8a0df811c4452 |
memory/2644-37-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2644-36-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabF589.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF9D0.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a36fff700c593fc320db679ac125212 |
| SHA1 | cdd3e3b65007544e62b3304ec78c0910fa035faf |
| SHA256 | 4e33afb670e4d5fc01b8e699d67ce947bc6ade3c8582993844f1f6453290b424 |
| SHA512 | 8118adc780842c15909f9b267f1681608de1d77349406a0904f16366be0e3e9f0b0eadbd6f97e19137713e56d09ed7724f6bd3eb40d5523ca914a82a330370e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4de291e547e629ff04baeb2f2c5ac1d0 |
| SHA1 | 53b309638293ca0b6542ce2791ab4a6dfba231aa |
| SHA256 | f0a9d56c264e6f28f837766fa3e7c9473efa7b065258f7c0dc9cc7a5aea36374 |
| SHA512 | 0760f426e0efe9cd12e033f77a3dc7bf4343ba1f75250dc72ae39cbb8d8d369bac147859453fde98cd3e36da7b03d48233ccafbcc3651243042b8b4c9a473623 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f630f9a86ef83b500ffbfe3ea1faba8f |
| SHA1 | b22901aaadd40b768dd1f7326d0447eef10ec050 |
| SHA256 | bc2dc8cead8e27abe2b077e0be1e543cfcda47df4c2a00c1ec93c7bc9de85a21 |
| SHA512 | 7d0b873b3383211e48ce5780cc86af2be28b31d879d64084307c20a870b517c2ad9864169d61eae8350b78c80ed5f61c4e484a062e9750f57bce2234e969356d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b7d65785152e1ffb42f8c8ee74c955ea |
| SHA1 | 18033a202f3d3c3a2b94cd1176093040bc0dfd42 |
| SHA256 | 0d7c6c8c45e4187763a74be913bab4c80567d5c28ab5e1193238cb7e3445a362 |
| SHA512 | cfe3f7466ca84bd692e18aac77abbb53549ebd10e7964130e4b780031a48fe18690e66b4834a146be7595fe8981eea1d9306b5d976bb982c76016dd2d22457a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4566f3eae7952a03dbbef794b8a2d5c7 |
| SHA1 | 371ecfdd6ef1a7271cd4e0c5e12290dc98f1e43f |
| SHA256 | 34e4823aa1d8c0a95708caf046af7254180d5ed26ca9955189ca043d0b5ab278 |
| SHA512 | b453703b649eca69792a1e0af6a236dec6e987b3dad30582cdd6d798c5fc8bbae3c6dad2a7ff5ecf2e3bb2b4bbad5cde7d5c458a94206446a56c43b1bc85b0d7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5330873f230a6bb739b7250d9b6fe082 |
| SHA1 | 094f3f328c462817e1f4d08ad406ca0dc92783fb |
| SHA256 | 1c95c25296617aa994499774d60b62d8f65322e2cfb025af6d11b14cfaa6503d |
| SHA512 | e682e07559d14255e5420b093047a316ec401aa9525d41653d20bd53fb37de247303cb3176f44e6d00ad0ef239711e23a3381e24f4ba975cbd346260806950c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52980f0e9048ff47c0e4e4d61fbf6e81 |
| SHA1 | 910b5ba3c3c1bf0d6f1069bd2bd27c5aab5655ad |
| SHA256 | 45ca7b4d497836d56f3fd0bb959739d1e94b73245a78fb9156148bfc4d6ec122 |
| SHA512 | f25dac2225790255a48063315489387d1009f37891e2c172f43a0596403f14fd98914a65e8c74d4c2ddd07027c68fbf20975e124568ed32a180e900b72edc52e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c1bf51b5b3c02b82f4548b81f783430 |
| SHA1 | ffad88341edd76d1407b57a0c23dc70cd983bc07 |
| SHA256 | e300249c4deda83890dc8134234b2f290502bd0e2f483112b49010aa640b9d75 |
| SHA512 | f6f01ad57d27a0c34d89f85eb6d98c028008ab4dff1874bd0718aa0c6034a54e009db0e40e0c0dede0a01a9803ee595a7f3e1dfa95dbf35b7df1bfa80217ee1f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | def0d82dd48d4293b8ca88e44db18e67 |
| SHA1 | 3aedcf4f8213bf80476e502784af776dc2cd2bd3 |
| SHA256 | 63f5a3acd2fe24ce17b286043bfd4de20032f71f2d00f3062bf87c3e5fca9e75 |
| SHA512 | 672c0634ec1356990082b237e3f7fee9f0cb29fed991103959ad6444c12c419c57f53624bba24d3243fcdd56e5b994b9a61214ddf0d1c88909bbffe2dcc792c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31ca7839cc772fdb1bd41ab59249afcb |
| SHA1 | 9e9b3d4ea2cc2c3cd445a9521e9bd5b0d607bde8 |
| SHA256 | e54ef1104c1fdaf38b9063bc05b850583c3218eef4801b7ed4f70706b670581d |
| SHA512 | 9059aa95f12d18615f22f9a2c84a060da8609653c6a7fda2f35176cdffe3d31297a21dc11a14efb2f0b13605d090219cc0bacf1b213b1243df219f04e6a5669a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 255aab4671cfedb7dcad981bca9c6853 |
| SHA1 | 36d1c7b16db4a9b5b3b01e0ef203fea453583255 |
| SHA256 | 938e591909b3a2dcae709bdb7c9ebace78b0e3d565c60e879aa82b122f75eca2 |
| SHA512 | 8ff9c06ee907c3bdb9f8a94e0bd8f44dfd5cba858f4def3df6181123580730ba220b3823961481ba9595af5799df5d391fd47b73d73a21f548a30b6809476fcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f50dea66997edebaceb5767a2201cd4 |
| SHA1 | 72d1b6cf539de334c8c24bf1d583d8dc252a6751 |
| SHA256 | 05f17914f79ae04551f65ca1c8c1cd90edf5957372e5cade748e698cef5b4ad9 |
| SHA512 | a766a5e44b46aae62abd37847bf75579b1d50d4fc79df352c7c6ed4fcd0198e3e336ad8c52db7f248c354c34f26687c32a94c40c26f708dfd2a3de880f3882ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4d5e386695be807f061a7ba4060f184 |
| SHA1 | 75b535bd58c892e4ae808dcd5415b53e12600701 |
| SHA256 | 320d585d09f96bcc083d80b656717e121b0c5e4ce4fe642beedb7f986df7c9e0 |
| SHA512 | d8840e2e743ff99ebabc1513dd1850aa6f5fd49aab82773944b9be9cfd06bb0c9553d4118a8c8c5435b7ae7ab7f1610401292ed094c7044afaca65ecf8d229d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dedaf0aba7c71d1dd22574be20202b7b |
| SHA1 | 40138108b5c04f803fa0b54146148b3da4d35555 |
| SHA256 | 1bfc4ce541372d18455803867c46e60432974484e243fb5fd35a737d8265ad35 |
| SHA512 | 6cf45d8daf707a03433780a433192ffe40e098b9cb165fba6551989f5c83a09f8faf48c4bcdcd4f6a759c8eebef278071a9dcdc0f63005f471ce8f5a6b5bc933 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-05 07:11
Reported
2024-10-05 07:14
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe
"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 2060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 388
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2060-0-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Program Files\Common Files\System\symsrv.dll
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/2060-3-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2060-7-0x0000000000620000-0x0000000000621000-memory.dmp
memory/2060-11-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2060-10-0x0000000000400000-0x0000000000454000-memory.dmp
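Two of the signatures above carry the practical weight for a responder: "Event Triggered Execution: AppInit DLLs" and the drop of C:\Program Files\Common Files\System\symsrv.dll (hashed identically in both detonations, and loaded at 0x10000000 in the memory dumps). On the Windows 10 run the sample crashed (WerFault.exe for PID 2060, the same PID as the memory dumps) without spawning Internet Explorer, so on modern hosts the on-disk and registry footprint is what to hunt for, not the browser activity seen on Windows 7. The following is an added example, not part of the sandbox report and not code from any Floxif analysis; it checks a host for the AppInit_DLLs persistence key and for the dropped DLL, comparing the file against the SHA256 the report lists. Everything except the path and hashes copied from the report is an assumption: the report shows no indicator rows for the AppInit signature, so the script reports whatever value is present rather than looking for a specific string. Because the sample is 32-bit (SysWOW64\WerFault.exe handled the crash), the Wow6432Node view of the key is the one a 32-bit loader would have written; both views are checked.

```powershell
# Added example (not from the report): hunt for the Floxif footprint this sample leaves.
# Path and hashes below are copied from the report's Files section; nothing else is from the page.
$ReportedSymsrv = @{
    Path   = 'C:\Program Files\Common Files\System\symsrv.dll'
    MD5    = '7574cf2c64f35161ab1292e2f532aabf'
    SHA256 = 'de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085'
}

# AppInit_DLLs is honoured by user32.dll at process start. On x64 Windows the
# native and the WOW64 (32-bit) views are separate keys; a 32-bit dropper writes
# the Wow6432Node one, so check both. (Assumed: standard key locations.)
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitFindings {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Key                      = $key
            AppInit_DLLs             = $props.AppInit_DLLs
            LoadAppInit_DLLs         = $props.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
            # Any non-empty AppInit_DLLs value deserves a look; the report does not
            # show which string this sample writes, so no specific value is matched.
            Suspicious               = -not [string]::IsNullOrWhiteSpace($props.AppInit_DLLs)
        }
    }
}

function Get-SymsrvFinding {
    $p = $ReportedSymsrv.Path
    if (-not (Test-Path -LiteralPath $p)) {
        return [pscustomobject]@{ Path = $p; Present = $false; HashMatch = $false; SignedValid = $null }
    }
    $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path        = $p
        Present     = $true
        SHA256      = $sha
        # A hash match is the strong indicator; presence alone is not, since a
        # legitimate symsrv.dll ships with debugging tools (normally elsewhere).
        HashMatch   = ($sha -eq $ReportedSymsrv.SHA256)
        SignedValid = ($sig.Status -eq 'Valid')
    }
}

Get-AppInitFindings | Format-List
Get-SymsrvFinding   | Format-List
```

Run from an elevated prompt so HKLM and Program Files are readable. A Present = True, HashMatch = False result still warrants triage (re-hash with MD5 against the report's value, check the signature), since a different build of the same family would not match this sample's hash. Note that on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled by the OS, so a populated value there indicates attempted persistence rather than a confirmed load; on the Windows 7 platform used in behavioral1 it would take effect for every process that loads user32.dll.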