Malware Analysis Report

2025-08-05 10:56

Sample ID 241005-h1c3vsscpm
Target 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N
SHA256 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9
Tags
upx floxif ramnit backdoor banker discovery persistence privilege_escalation spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9

Threat Level: Known bad

The file 72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N was found to be: Known bad.

Malicious Activity Summary

upx floxif ramnit backdoor banker discovery persistence privilege_escalation spyware stealer trojan worm

Ramnit

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 07:11

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 07:11

Reported

2024-10-05 07:14

Platform

win7-20240903-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Ramnit

trojan spyware stealer worm banker ramnit

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\IEShims.dll | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieproxy.dll | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{194DBA91-82E9-11EF-A322-62CAC36041A9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1954DEB1-82E9-11EF-A322-62CAC36041A9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434274181" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2644 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2644 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 484 wrote to memory of 1912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 484 wrote to memory of 1912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 484 wrote to memory of 1912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 484 wrote to memory of 1912 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 284 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 284 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 284 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 284 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe

"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2644-0-0x0000000000400000-0x0000000000454000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2644-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2644-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2644-7-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2644-9-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2644-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2644-11-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2644-8-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{194DBA91-82E9-11EF-A322-62CAC36041A9}.dat

MD5 fea3d2b8d5e40d557fa25b11a4d34822
SHA1 128c00748b765c1fde0b54e4daa04f65e219b017
SHA256 ebee77fad8e6ac9993c6bf267db609df4c60c345c4baf89f48d0822a508a3e6e
SHA512 7fae415183aa79dc3faf2f593ce6f057b9e9fa59414d5643b7ff0337d052b031338fec2152e8ca654d532394f4308111485534abb3fd79e3af03a75b23434765

\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

MD5 97d05edcd216905a9405608c4b537d49
SHA1 f7c00f1ea0ab55c64410bd92b5aadfdd522d0ce0
SHA256 e7374a054164d1aa4d2621cecda204ebeb291180968b5bf0efcf0fdb0e53116b
SHA512 aa177f39269ee4f6c23bbfd56ffe02c5a2126643a390edff08e51eac6a647a8dcf07ed54aa4856f1fda72cc08cba8be31751639ca28b4f28ba2f7df7a15a3b92

\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

MD5 4debd6a36034bddc7532757888107b59
SHA1 b2541ff8a8438dcbdf25c226b8009e51cbabcf5a
SHA256 af19c2cd5b06d4879af68ed83a260668c1f1797e38a5d3a52459ac038e5d3ad0
SHA512 1c5238c9ce10689a45eef397e227c5ccc37d67f648a5c880ce22aabaf0476c46735f929ebf17656ef8a6f157be2a0c058672ca976bf1c8b00655b72caa7369fb

C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

MD5 97ac988586437d44bbc7a7ab93283fc2
SHA1 b4aa9f5e63640c57f4854a6e8d75ad502722df55
SHA256 4df62caa648af369a218e47245fd7f2bbcb05a961e4b4ce927b46c6af198f1a9
SHA512 e24038f24cef4d5d068b7aa83eaa2fefac652475e7e90030a6140b6dc5dca07b7da4285ac4c995c993bb8c6d05c33e4e81beee19755a656e24e8a0df811c4452

memory/2644-37-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2644-36-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF589.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF9D0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a36fff700c593fc320db679ac125212
SHA1 cdd3e3b65007544e62b3304ec78c0910fa035faf
SHA256 4e33afb670e4d5fc01b8e699d67ce947bc6ade3c8582993844f1f6453290b424
SHA512 8118adc780842c15909f9b267f1681608de1d77349406a0904f16366be0e3e9f0b0eadbd6f97e19137713e56d09ed7724f6bd3eb40d5523ca914a82a330370e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4de291e547e629ff04baeb2f2c5ac1d0
SHA1 53b309638293ca0b6542ce2791ab4a6dfba231aa
SHA256 f0a9d56c264e6f28f837766fa3e7c9473efa7b065258f7c0dc9cc7a5aea36374
SHA512 0760f426e0efe9cd12e033f77a3dc7bf4343ba1f75250dc72ae39cbb8d8d369bac147859453fde98cd3e36da7b03d48233ccafbcc3651243042b8b4c9a473623

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f630f9a86ef83b500ffbfe3ea1faba8f
SHA1 b22901aaadd40b768dd1f7326d0447eef10ec050
SHA256 bc2dc8cead8e27abe2b077e0be1e543cfcda47df4c2a00c1ec93c7bc9de85a21
SHA512 7d0b873b3383211e48ce5780cc86af2be28b31d879d64084307c20a870b517c2ad9864169d61eae8350b78c80ed5f61c4e484a062e9750f57bce2234e969356d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7d65785152e1ffb42f8c8ee74c955ea
SHA1 18033a202f3d3c3a2b94cd1176093040bc0dfd42
SHA256 0d7c6c8c45e4187763a74be913bab4c80567d5c28ab5e1193238cb7e3445a362
SHA512 cfe3f7466ca84bd692e18aac77abbb53549ebd10e7964130e4b780031a48fe18690e66b4834a146be7595fe8981eea1d9306b5d976bb982c76016dd2d22457a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4566f3eae7952a03dbbef794b8a2d5c7
SHA1 371ecfdd6ef1a7271cd4e0c5e12290dc98f1e43f
SHA256 34e4823aa1d8c0a95708caf046af7254180d5ed26ca9955189ca043d0b5ab278
SHA512 b453703b649eca69792a1e0af6a236dec6e987b3dad30582cdd6d798c5fc8bbae3c6dad2a7ff5ecf2e3bb2b4bbad5cde7d5c458a94206446a56c43b1bc85b0d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5330873f230a6bb739b7250d9b6fe082
SHA1 094f3f328c462817e1f4d08ad406ca0dc92783fb
SHA256 1c95c25296617aa994499774d60b62d8f65322e2cfb025af6d11b14cfaa6503d
SHA512 e682e07559d14255e5420b093047a316ec401aa9525d41653d20bd53fb37de247303cb3176f44e6d00ad0ef239711e23a3381e24f4ba975cbd346260806950c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52980f0e9048ff47c0e4e4d61fbf6e81
SHA1 910b5ba3c3c1bf0d6f1069bd2bd27c5aab5655ad
SHA256 45ca7b4d497836d56f3fd0bb959739d1e94b73245a78fb9156148bfc4d6ec122
SHA512 f25dac2225790255a48063315489387d1009f37891e2c172f43a0596403f14fd98914a65e8c74d4c2ddd07027c68fbf20975e124568ed32a180e900b72edc52e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c1bf51b5b3c02b82f4548b81f783430
SHA1 ffad88341edd76d1407b57a0c23dc70cd983bc07
SHA256 e300249c4deda83890dc8134234b2f290502bd0e2f483112b49010aa640b9d75
SHA512 f6f01ad57d27a0c34d89f85eb6d98c028008ab4dff1874bd0718aa0c6034a54e009db0e40e0c0dede0a01a9803ee595a7f3e1dfa95dbf35b7df1bfa80217ee1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 def0d82dd48d4293b8ca88e44db18e67
SHA1 3aedcf4f8213bf80476e502784af776dc2cd2bd3
SHA256 63f5a3acd2fe24ce17b286043bfd4de20032f71f2d00f3062bf87c3e5fca9e75
SHA512 672c0634ec1356990082b237e3f7fee9f0cb29fed991103959ad6444c12c419c57f53624bba24d3243fcdd56e5b994b9a61214ddf0d1c88909bbffe2dcc792c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31ca7839cc772fdb1bd41ab59249afcb
SHA1 9e9b3d4ea2cc2c3cd445a9521e9bd5b0d607bde8
SHA256 e54ef1104c1fdaf38b9063bc05b850583c3218eef4801b7ed4f70706b670581d
SHA512 9059aa95f12d18615f22f9a2c84a060da8609653c6a7fda2f35176cdffe3d31297a21dc11a14efb2f0b13605d090219cc0bacf1b213b1243df219f04e6a5669a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 255aab4671cfedb7dcad981bca9c6853
SHA1 36d1c7b16db4a9b5b3b01e0ef203fea453583255
SHA256 938e591909b3a2dcae709bdb7c9ebace78b0e3d565c60e879aa82b122f75eca2
SHA512 8ff9c06ee907c3bdb9f8a94e0bd8f44dfd5cba858f4def3df6181123580730ba220b3823961481ba9595af5799df5d391fd47b73d73a21f548a30b6809476fcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f50dea66997edebaceb5767a2201cd4
SHA1 72d1b6cf539de334c8c24bf1d583d8dc252a6751
SHA256 05f17914f79ae04551f65ca1c8c1cd90edf5957372e5cade748e698cef5b4ad9
SHA512 a766a5e44b46aae62abd37847bf75579b1d50d4fc79df352c7c6ed4fcd0198e3e336ad8c52db7f248c354c34f26687c32a94c40c26f708dfd2a3de880f3882ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4d5e386695be807f061a7ba4060f184
SHA1 75b535bd58c892e4ae808dcd5415b53e12600701
SHA256 320d585d09f96bcc083d80b656717e121b0c5e4ce4fe642beedb7f986df7c9e0
SHA512 d8840e2e743ff99ebabc1513dd1850aa6f5fd49aab82773944b9be9cfd06bb0c9553d4118a8c8c5435b7ae7ab7f1610401292ed094c7044afaca65ecf8d229d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dedaf0aba7c71d1dd22574be20202b7b
SHA1 40138108b5c04f803fa0b54146148b3da4d35555
SHA256 1bfc4ce541372d18455803867c46e60432974484e243fb5fd35a737d8265ad35
SHA512 6cf45d8daf707a03433780a433192ffe40e098b9cb165fba6551989f5c83a09f8faf48c4bcdcd4f6a759c8eebef278071a9dcdc0f63005f471ce8f5a6b5bc933

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 07:11

Reported

2024-10-05 07:14

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe

"C:\Users\Admin\AppData\Local\Temp\72db818c33a2d886e1ba5cf48c90a1b1ea66503c1e47485987027f4ade7793e9N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 388

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/2060-0-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/2060-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2060-7-0x0000000000620000-0x0000000000621000-memory.dmp

memory/2060-11-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2060-10-0x0000000000400000-0x0000000000454000-memory.dmp