Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 15:42
Static task
static1
Behavioral task
behavioral1
Sample
3355869a8898386268b337c0514b2b66d382a9f302e74f4a2d18bd6af6decad3N.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3355869a8898386268b337c0514b2b66d382a9f302e74f4a2d18bd6af6decad3N.dll
Resource
win10v2004-20241007-en
General
-
Target
3355869a8898386268b337c0514b2b66d382a9f302e74f4a2d18bd6af6decad3N.dll
-
Size
118KB
-
MD5
cfc50cb3aeeaac79c70e7d55df3ca540
-
SHA1
9e9316282d9a29fbadc97aea470341f250ebb467
-
SHA256
3355869a8898386268b337c0514b2b66d382a9f302e74f4a2d18bd6af6decad3
-
SHA512
a4affeca067ac414cbd5e7f6d78e1641f2129b87fb7c3390da428085a047bf7a8ad8f69ca445bcf57e474bde33d65ba56e7fc1e2332a4778040e8a6a18cf39c8
-
SSDEEP
3072:GMXfNR8+5y/TKk6x2lQBV+UdE+rECWp7hKk9buF:G2NR8+5XkcBV+UdvrEFp7hKk9aF
Malware Config
Signatures
-
Floxif family
-
Detects Floxif payload 1 IoCs
resource yara_rule behavioral2/files/0x000e000000023b88-1.dat floxif -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000e000000023b88-1.dat acprotect -
Loads dropped DLL 1 IoCs
pid Process 3400 rundll32.exe -
resource yara_rule behavioral2/files/0x000e000000023b88-1.dat upx behavioral2/memory/3400-4-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/3400-6-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Common Files\System\symsrv.dll rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3400 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1868 wrote to memory of 3400 1868 rundll32.exe 83 PID 1868 wrote to memory of 3400 1868 rundll32.exe 83 PID 1868 wrote to memory of 3400 1868 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3355869a8898386268b337c0514b2b66d382a9f302e74f4a2d18bd6af6decad3N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3355869a8898386268b337c0514b2b66d382a9f302e74f4a2d18bd6af6decad3N.dll,#12⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab