Analysis
-
max time kernel
148s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
31-10-2024 04:27
Behavioral task
behavioral1
Sample
bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Resource
win10v2004-20241007-en
General
-
Target
bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
-
Size
4.2MB
-
MD5
eb88e6f8885317eec81bbdc0e0182337
-
SHA1
60c17948ec154ee6e0a7c2cbb0ea67a3897d93a9
-
SHA256
bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6
-
SHA512
db95bb7580600d19ad4dafc88388d256434df5f2d2d59d3737641cc13033a0a52f4b5e5e546d67253e713f408cb7267ade0393bc0144f5b2c595383ce700db14
-
SSDEEP
98304:Pnzz9jK7mk9nrpao6EzIzGePewXbw5Dz99d3ZVUh2WM:bz9UmwP6+YGePPLa99d3/UoWM
Malware Config
Signatures
-
Floxif family
-
Detects Floxif payload 1 IoCs
Processes:
resource | yara_rule
C:\Program Files\Common Files\System\symsrv.dll | floxif
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\Program Files\Common Files\System\symsrv.dll | acprotect
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2380 | ezHelpClientManager.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid | process
2152 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\e: | ezHelpClientManager.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2152-0-0x0000000000500000-0x0000000000534000-memory.dmp | upx
C:\Program Files\Common Files\System\symsrv.dll | upx
behavioral2/memory/2152-5-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/2152-12-0x0000000000500000-0x0000000000534000-memory.dmp | upx
behavioral2/memory/2152-13-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/840-16-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/840-21-0x0000000000500000-0x0000000000534000-memory.dmp | upx
C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe | upx
behavioral2/memory/840-54-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/2380-52-0x0000000000570000-0x000000000063A000-memory.dmp | upx
behavioral2/memory/840-53-0x0000000000500000-0x0000000000534000-memory.dmp | upx
behavioral2/memory/2380-56-0x0000000010000000-0x0000000010030000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\A1D26E2\A99E8D0348.tmp | upx
C:\Program Files (x86)\ezhelp\server\ezHelpDownloader.exe | upx
C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe.tmp | upx
behavioral2/memory/2380-70-0x0000000000570000-0x000000000063A000-memory.dmp | upx
behavioral2/memory/2380-71-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/2380-80-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/2380-86-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral2/memory/2380-98-0x0000000010000000-0x0000000010030000-memory.dmp | upx
-
Drops file in Program Files directory 24 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\ezhelp\server\ezHelpServer.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\OpenSourceLicense.htm | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\NewWinFunc.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File opened for modification | C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe | ezHelpClientManager.exe
File created | C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe.tmp | ezHelpClientManager.exe
File created | \??\c:\progra~1\common~1\system\symsrv.dll.000 | ezHelpClientManager.exe
File created | C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\sas.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\chat.bin | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\driver.bin | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\screenhooks.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\ezHelpServerLauncher.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files\Common Files\System\symsrv.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\version.ini | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\RemoteFServer.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\portaudio_x86.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\RemoteUtil.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File opened for modification | C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe.dat | ezHelpClientManager.exe
File created | C:\Program Files (x86)\ezhelp\server\RFLib.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\ezHelpDownloader.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\RemoteK.txt | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\AltTab.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\Win10ScreenCapture.dll | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
File created | C:\Program Files (x86)\ezhelp\server\SoundModule.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ezHelpClientManager.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
2380 | ezHelpClientManager.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2152 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Token: SeDebugPrivilege | 840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
Token: SeDebugPrivilege | 2380 | ezHelpClientManager.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 2152 wrote to memory of 840 | 2152 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
PID 2152 wrote to memory of 840 | 2152 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
PID 2152 wrote to memory of 840 | 2152 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
PID 840 wrote to memory of 2380 | 840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe | ezHelpClientManager.exe
PID 840 wrote to memory of 2380 | 840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe | ezHelpClientManager.exe
PID 840 wrote to memory of 2380 | 840 | bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe | ezHelpClientManager.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
  "C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
  -
  C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
    "C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe" elevation
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:840
    -
    C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe
      "C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe" elevation
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2380
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
175B
MD5
1130c911bf5db4b8f7cf9b6f4b457623
SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
-
Filesize
506KB
MD5
0d9e5b2a3abb1585435f9dc2ee2bf6af
SHA1
587a599a5dcee6189dab16e5177fac02d923272c
SHA256
f8b9ea81517ff23d66bf9805d46f008a4cd1866b9fe51fe46010562a8de0a5af
SHA512
04e829f0e72cdfeb30f13e766aab15e945fe84b66e5303cb49d59aa48497567a08e9e7bcc85d4850f4d227a26de1c74a9ce5bbd61e72697b493d1917fcc414b4
-
Filesize
583KB
MD5
234298374d876ec28be1c984e7668096
SHA1
1c1c931808e3364a7c2f37ad2fc4d26fcbbf37a9
SHA256
a781928e46e4ee563bc356527e979c6a3e361618a8177d7dc6d4380a76e3a2df
SHA512
09acefc14f8a7d9e9b11e1bd140ac976f0512a3e6a244a12cb1bafe1ec5bdcfd4795f5cbecfe2c9930e6e64fdf4fc1fcc336d359d8bcd4f6c498e7e3941fca5d
-
Filesize
187KB
MD5
578937bcd239fea2f95d3f8763c1c57e
SHA1
6818a714cf9d6b5e31ba932ae15f8ea02b9d6766
SHA256
b8f74decd695aa1df644afe597d11a66026020bf8aeb2605c558a9eba0a0a9ff
SHA512
56316a067f4fb855bca619976bb6cdec7c3e4acc606e7701c1f7a3b1f7d5457fc0e4e82222b17cca4baf2fb5b51986bf34b56b2095451bada5ede5f9f83001c2
-
Filesize
67KB
MD5
7574cf2c64f35161ab1292e2f532aabf
SHA1
14ba3fa927a06224dfe587014299e834def4644f
SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
24B
MD5
b148d0ea6d5fe727f17599ab0194b1c0
SHA1
a1fc7595a89ce5e6086f37741b869d010de06e79
SHA256
0096043864572e174e8877f6d427e2e9a97b639d03e5cba81bfbb7e707a6b8d2
SHA512
591ad57386bec2c7d38fba99c8808a93c2349b9a1aa391f5993289f67d9eae069439153fdc9f69d204f0072592ff648e2844b1d310deefaa5c08622d14b435ee
-
Filesize
4.1MB
MD5
970d77d2c07188a681f4838ea40be31d
SHA1
014b7fa8a0a3baf57b19709f66e68d071e512884
SHA256
296c1016277c865cd81e2c5e6c13d7fce19362b00ed04565bf1fe0f57e8aab7c
SHA512
416534bc23a4056575bc48095634d10d1bd501a0077e09f161aa626779387e51b9b1ffc28c0b1cdd1f998c92b85652c0eec15951178d96ea99b876096e0cb911