Analysis Overview
SHA256
2645d9eda8e00105bc65dc4b0aa03b64a4b0838a2fd2404b03f41ce800522c81
Threat Level: Known bad
The file 2645d9eda8e00105bc65dc4b0aa03b64a4b0838a2fd2404b03f41ce800522c81N was found to be: Known bad.
Malicious Activity Summary
Detects Floxif payload
Floxif family
Event Triggered Execution: AppInit DLLs
ACProtect 1.3x - 1.4x DLL software
Network Service Discovery
UPX packed file
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 10:51
Signatures
Detects Floxif payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Floxif family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 10:51
Reported
2024-11-10 10:53
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Event Triggered Execution: AppInit DLLs
Network Service Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2645d9eda8e00105bc65dc4b0aa03b64a4b0838a2fd2404b03f41ce800522c81N.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2645d9eda8e00105bc65dc4b0aa03b64a4b0838a2fd2404b03f41ce800522c81N.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 304
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.0.1 32-1a-fa-c5-6e-c5
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.255.255 28-e6-0c-d8-31-76
C:\Windows\SysWOW64\arp.exe
arp -s 136.243.69.123 94-79-37-fd-74-5f
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.22 9b-36-fc-28-f6-8d
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.251 dd-9b-83-87-97-a3
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.252 b0-b1-4b-c2-0e-65
C:\Windows\SysWOW64\arp.exe
arp -s 239.255.255.250 0a-3a-45-25-10-8e
C:\Windows\SysWOW64\arp.exe
arp -s 255.255.255.255 79-e2-f0-0f-a5-7f
Network
Files
memory/2724-0-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2192-1-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2192-2-0x0000000075782000-0x0000000075783000-memory.dmp
memory/2192-4-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2724-6-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2720-8-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2576-7-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2708-13-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2796-12-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2824-14-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2844-11-0x0000000010000000-0x0000000010033000-memory.dmp
memory/3012-10-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2568-9-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2576-16-0x0000000010000000-0x0000000010033000-memory.dmp
memory/3012-26-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2824-30-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2720-29-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2708-25-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2568-23-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2844-20-0x0000000010000000-0x0000000010033000-memory.dmp
memory/2796-19-0x0000000010000000-0x0000000010033000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 10:51
Reported
2024-11-10 10:53
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Network Service Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\arp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2645d9eda8e00105bc65dc4b0aa03b64a4b0838a2fd2404b03f41ce800522c81N.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2645d9eda8e00105bc65dc4b0aa03b64a4b0838a2fd2404b03f41ce800522c81N.dll,#1
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 536 -ip 536
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.0.1 5a-70-45-c5-36-c2
C:\Windows\SysWOW64\arp.exe
arp -s 10.127.255.255 a3-12-78-d4-b1-07
C:\Windows\SysWOW64\arp.exe
arp -s 37.27.61.185 ba-73-f9-b7-24-01
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.22 a6-9c-a3-a1-8e-72
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.251 96-3c-8c-e2-d3-d5
C:\Windows\SysWOW64\arp.exe
arp -s 224.0.0.252 b8-84-8d-39-79-f6
C:\Windows\SysWOW64\arp.exe
arp -s 239.255.255.250 25-5f-08-68-f3-ff
C:\Windows\SysWOW64\arp.exe
arp -s 255.255.255.255 3b-7a-62-de-42-1e
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 728
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/536-0-0x0000000010000000-0x0000000010033000-memory.dmp
memory/536-2-0x0000000010000000-0x0000000010033000-memory.dmp