Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2024 04:27
Behavioral task behavioral1
Sample: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Resource: win10v2004-20241007-en
General

Target: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Size: 4.2MB
MD5: eb88e6f8885317eec81bbdc0e0182337
SHA1: 60c17948ec154ee6e0a7c2cbb0ea67a3897d93a9
SHA256: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6
SHA512: db95bb7580600d19ad4dafc88388d256434df5f2d2d59d3737641cc13033a0a52f4b5e5e546d67253e713f408cb7267ade0393bc0144f5b2c595383ce700db14
SSDEEP: 98304:Pnzz9jK7mk9nrpao6EzIzGePewXbw5Dz99d3ZVUh2WM:bz9UmwP6+YGePPLa99d3/UoWM
Malware Config
Signatures

Floxif family

Detects Floxif payload (1 IoCs)
Processes:
- resource: \Program Files\Common Files\System\symsrv.dll, yara_rule: floxif

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
Processes:
- resource: \Program Files\Common Files\System\symsrv.dll, yara_rule: acprotect
Loads dropped DLL (4 IoCs)
Processes:
- pid 1724, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- pid 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- pid 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- pid 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Processes:
- resource: behavioral1/memory/1724-0-0x0000000000BA0000-0x0000000000BD4000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/1724-4-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
- resource: \Program Files\Common Files\System\symsrv.dll, yara_rule: upx
- resource: behavioral1/memory/1724-12-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/1724-11-0x0000000000BA0000-0x0000000000BD4000-memory.dmp, yara_rule: upx
- resource: C:\Users\Admin\AppData\Local\Temp\A1D26E2\B97F7C46BC.tmp, yara_rule: upx
- resource: behavioral1/memory/868-15-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/868-17-0x0000000000BA0000-0x0000000000BD4000-memory.dmp, yara_rule: upx
- resource: C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe, yara_rule: upx
- resource: \Program Files (x86)\ezhelp\server\ezHelpClientManager.exe.tmp, yara_rule: upx
- resource: behavioral1/memory/868-67-0x00000000032D0000-0x000000000339A000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/868-75-0x0000000000BA0000-0x0000000000BD4000-memory.dmp, yara_rule: upx
- resource: behavioral1/memory/868-74-0x0000000010000000-0x0000000010030000-memory.dmp, yara_rule: upx
Drops file in Program Files directory (24 IoCs)
Processes (process for every entry: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe):
- File created C:\Program Files (x86)\ezhelp\server\Win10ScreenCapture.dll
- File created C:\Program Files (x86)\ezhelp\server\driver.bin
- File created C:\Program Files (x86)\ezhelp\server\portaudio_x86.dll
- File created C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe.tmp
- File created C:\Program Files (x86)\ezhelp\server\RFLib.dll
- File created C:\Program Files (x86)\ezhelp\server\version.ini
- File created C:\Program Files (x86)\ezhelp\server\ezHelpDownloader.exe
- File created C:\Program Files (x86)\ezhelp\server\SoundModule.exe
- File opened for modification \??\c:\program files (x86)\ezhelp\server\NewWinFunc.dll
- File created C:\Program Files (x86)\ezhelp\server\ezHelpServer.exe
- File created C:\Program Files\Common Files\System\symsrv.dll
- File created C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe
- File created C:\Program Files (x86)\ezhelp\server\sas.dll
- File created C:\Program Files (x86)\ezhelp\server\chat.bin
- File created C:\Program Files (x86)\ezhelp\server\RemoteK.txt
- File created C:\Program Files (x86)\ezhelp\server\RemoteUtil.exe
- File created C:\Program Files (x86)\ezhelp\server\ezHelpServerLauncher.exe
- File created C:\Program Files (x86)\ezhelp\server\AltTab.exe
- File created C:\Program Files (x86)\ezhelp\server\OpenSourceLicense.htm
- File created C:\Program Files (x86)\ezhelp\server\screenhooks.dll
- File created C:\Program Files (x86)\ezhelp\server\RemoteFServer.exe
- File created C:\Program Files (x86)\ezhelp\server\NewWinFunc.dll
- File opened for modification C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe
- File created \??\c:\program files (x86)\ezhelp\server\NewWinFunc.dll.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1724, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- Token: SeDebugPrivilege, pid 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- PID 1724 wrote to memory of 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe, target process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- PID 1724 wrote to memory of 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe, target process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- PID 1724 wrote to memory of 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe, target process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
- PID 1724 wrote to memory of 868, process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe, target process bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Processes

C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe"
PID: 1724
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Child of PID 1724: C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe" elevation
  PID: 868
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 78KB
MD5: f0c0860c39170e9523313faf5cd7d631
SHA1: 981ed36999fdbcccbf4c1fdb34b11c6674c06159
SHA256: a14c6134849ddf594efbb3f226cfcc183b10049910a49d9f23164020f0dee9c0
SHA512: b6d8e60be9b2d9cf6e12ce0926796bcaa2465da422915ce6e1068667e51259f29d8d3a8c04086c35274679342b5d8b303afac0b89b816b173b38653881be6af8

Filesize: 506KB
MD5: 0d9e5b2a3abb1585435f9dc2ee2bf6af
SHA1: 587a599a5dcee6189dab16e5177fac02d923272c
SHA256: f8b9ea81517ff23d66bf9805d46f008a4cd1866b9fe51fe46010562a8de0a5af
SHA512: 04e829f0e72cdfeb30f13e766aab15e945fe84b66e5303cb49d59aa48497567a08e9e7bcc85d4850f4d227a26de1c74a9ce5bbd61e72697b493d1917fcc414b4

Filesize: 4.1MB
MD5: efc847cb89a2a90c40f8fc6cd0169598
SHA1: 484e5d3d3d25bf4e678241906f38098006fab3cc
SHA256: 90552f94c3f3a82f4d65e5fad659ac73ca23a82c15808055fb6180ec72a81e4a
SHA512: 3cdf641876e5514f96fe0e20f94e3b29f4daffa023ebe01b18c68e4133d937b8f71d9665880cdc42cdefa780c5d75d240453f56887389fc5452bba04793c0225

Filesize: 154KB
MD5: 6d84eb235614fa7c6c2392bc01aab90a
SHA1: 0f8f08203c7e8b3b4307312f324fe979fbe1789b
SHA256: f82cca1a635dfc62876f915b9859ae35872f8696da31e9e8e61c86dfb9db0054
SHA512: d1d917c7f863fb1665f20a474cee7c3d715a6a5a3c86b1380fc4a6cc9b4b19f228d3650e46b76cd5925b41a438785abbc730133cbf5446a2a446ad343a5dce0b

Filesize: 583KB
MD5: 1b0a3ee6d601144768a68d563229b257
SHA1: 742165c6a775069ee4dbb96b345a6ce448d77e22
SHA256: 1814987db5d8d340001ed59b4451ff2afa039203495603d921e9d6246c0ea33c
SHA512: 0e364eebeedbb672fd5d6b0fd6ca7773e0735b8e28999d7f1afc15dbde13de43b411f2ed4512d30abe59ef2ac26470b4c57457588b7f4b154e4d6c2277e224ec

Filesize: 67KB
MD5: 7574cf2c64f35161ab1292e2f532aabf
SHA1: 14ba3fa927a06224dfe587014299e834def4644f
SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab