Overview

overview

10

Static

static

3

909d8a6c4e...2N.dll

windows7-x64

10

909d8a6c4e...2N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    86s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    909d8a6c4e6bb4f0a0b6eefad4ba92870dff1083ce2e007a9addfe4c83bb5502N.dll

  • Size

    421KB

  • MD5

    d6038c84cba64f863069add156ca7190

  • SHA1

    037a14a9dbc4f8cd360bfe319e250a6804532fff

  • SHA256

    909d8a6c4e6bb4f0a0b6eefad4ba92870dff1083ce2e007a9addfe4c83bb5502

  • SHA512

    b6c2a98878359b6548fc46e0054bc91a0baaa86f0e1247e62525248883e6b30c8f656ed2ee3b4c210f3cf30dc5675003049d3c9cce686e1894eadc41931d6bf9

  • SSDEEP

    6144:5F/pG4LWq/IkJakr3xrbKgxXZ0UnrQ6O6agZCPUgidwvRC4Kmnc:5zPWJKakNrbKSmb69ZNPUnfnc

Score
10/10
floxiframnitbackdoorbankerdiscoverypersistenceprivilege_escalationspywarestealertrojanupxworm

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Detects Floxif payload 1 IoCs
    backdoor
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\909d8a6c4e6bb4f0a0b6eefad4ba92870dff1083ce2e007a9addfe4c83bb5502N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\909d8a6c4e6bb4f0a0b6eefad4ba92870dff1083ce2e007a9addfe4c83bb5502N.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2728
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp
    Filesize

    313KB

    MD5

    9cfd47e523ba3189e3bc49ee86d1ca14

    SHA1

    3c438d630672a04a9ba65f6b0e27de0baf22a914

    SHA256

    956aadce1887cd131656b7b1b484852c269a89e39d34c344ce5fb278bf6cd606

    SHA512

    b3475bce27bcbb4f11ecc1a8edc118f1ed8e5d71c75c82290e44255bab9a2a781871f2c6025d6e0adbffcc1e677af7f808af2507c769f7cb71bda7075f316c96

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c8c55e7640f7f0b9814405635b8819da

    SHA1

    52b7caa814d129de6e7ffb0f575f6f8e22fcd048

    SHA256

    b389a1ea10ca2f1ec7efdf9bf14b9aece02aadd0ba310e788c2152687298d8fe

    SHA512

    6ca73c7fee693f3c43bfb85cca06195f3ea958744cabd1b02bb3484360238eb03db248db80da29523567cbb3d4fef6c32024b7d61d03983b11b713fff6dcde5e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fec6a2e197a85af0dcdd585e1f73401b

    SHA1

    7961ee6296e4ddfa1f4f647312544523fbee2cbf

    SHA256

    745925e2971570142e4c00496c13f7c579ee923c7b3c260607bebbd8862e1360

    SHA512

    23f07ae54d738e28c68d57c72c3784f0c9e8198dca9ca1635b5ad1704d0d438eba1e381b62a65e26a123fc2a1e24f7a61d6e6718489e261561db9aeeaecc1c0d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1a68167c2e5418338becf8fc474cebdd

    SHA1

    fff1f51531711ef4c34c203a937ea534b332ed52

    SHA256

    cc95fb284bcfedcf7a793b33f27c5dbacedcd9f44cf593334f48d8ce250fb86b

    SHA512

    baa2cd2a3473f41885d37da7f6f6d2bd3815308741e8955b28efc7db722d1fa0c0bd5001ecf068a0aa97e7a94de48a766e0e15cc74f6faf781db9ab6be103cff

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6f29bddb99e18d4c5b991d6938fc61e0

    SHA1

    990cd622df2441d7dac38f836a53b5dad386d688

    SHA256

    ecbd7a280840045554f3ea9b01fd4d4cf1ae71a268efd33fc46567fb6f090b4b

    SHA512

    4c1323dfea8880d8d6864f5577b495ab4418f27aec7879d2bdecf4c922563f370a6d1078f55b169b72ccc659463217c8f30c8b3ae0e5995695408c3ec19f602d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f136896fe67da6051452092d4b36f5c6

    SHA1

    44b680ba37578d6cdb7e027f81e953079d775eb7

    SHA256

    f8093ab78f40c2748babbf6f72750f49b059edfe51d8ae9a0c1b06b4bd21d35f

    SHA512

    6d5248051e0ee1417e44c71e4f7ce859e4d3c55eb1eb0d9b2ec168672006c01bfa148f8cc72f5cfae9fe772ee085bd1e02de99778d3c24d9700a8e9e8b3d9e6d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4d258e71d470f3b1c6691c211b9e4540

    SHA1

    9e06bd76a28b727e105736ee325205b49b76d423

    SHA256

    e048ff3d87137afeb4c6761b963c4fb68fe3795ea6ab254b056166dcb05cd4f9

    SHA512

    8020987fce402897283f348676e439f4fcbdf5c353111b6c28c584bca9bf1a42d8fdd9d8d32b93cb56a73925daa6ebe9eab91bb507a89b7c6933315847d7ac4a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    221f3c421adb9fa38b3bbd981a80016a

    SHA1

    4de07e80aa2b736571dbdadcc38140469ceca5a2

    SHA256

    eab870e8f533e3ebea0e5c433fbfa198c1cb85d03b4239d06defcbe6c5acfe07

    SHA512

    40d1765d00ea5e929e3bc145bd8e447f14d973f187443b14b96c52722f57f0c428ebf8b0e70557595374646ffd40d14366ec1393f6ce76377769a968844f0227

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f8fb713bd4ea2ccd74ba0682403e908a

    SHA1

    160eef4b3675658a5bde7f134aff53ef2d3260a9

    SHA256

    49d46b8921cddf43ba4eff13f02d88a92763f2a380baead75e0e50025898881c

    SHA512

    0851280a99f68e3a6305b2dba3d4b84fcffadb1963ddc7e5c2113a0d6ba85d7769c46f9682a1a00949de7b1140a7062f89145e94bdf539bda7d058108fe90380

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b644f1ea95410086e74eed3f643a95d2

    SHA1

    87699312bdd8a43f14fc79ecf5ac86880a3279e8

    SHA256

    65854c318d1ef28f3f002e518178020eedc415bbff1daf52794048ca6de793eb

    SHA512

    1145db1db1d675cfb8ecbd3729f1422492f59b5fde4605aae164746bdda5f370762b8389313a5f4581e5b5a3738f596786b936ae936c956e4d28982015127bcb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3d33503b627a147194c0332cef43221c

    SHA1

    7e443b065eee598ad46705778ff97e39a585ff73

    SHA256

    979a97e3c30cd7923fc99814f03f81510c4f6ab893f2d191220b979792ad52e2

    SHA512

    2349163464b4d06991c69c899184191f8ef80fb4c49ecee56265212d50bc8833e0d05c392b919a4bed6f7337ec7f333aebe98cce1c7c96dd41799de453556e66

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6f52eb39794e91fd92a086b57736dc88

    SHA1

    8ad5dfa4ff979036bb27c2081b791715462067f4

    SHA256

    deb19d7cc37e15cebea547205391fa9ba0000f1cba534cad6f7955c5cf0faeb7

    SHA512

    7bd932fb372867b715de9bb199b6bc2be0ecbeb01762c997c2dde7fc2f45a1ccbc67d4489c6cacb02ec87d64a07cc5c86a0657169f9177332e0e11f7e850f8ba

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6d1e37c862f80616bb53cfcb2b891a6f

    SHA1

    d5379ee4581472107e3e7339cc8b665fc163e06c

    SHA256

    1781169f77b357dc4037d301b730f20d761e0c56e98b31b64cb8beb7dce73c54

    SHA512

    ac3dabcf64efbcba2cd053c3ba776dd1b136d22febd59a920059c812fd633a2b295a19f28227a098a25e3130d5a704034354199ee3cef740f4365a8fd1436536

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CA919B1-A6DE-11EF-B40F-EAF82BEC9AF0}.dat
    Filesize

    3KB

    MD5

    39fbfee6d1d188b7a3db311574ac132d

    SHA1

    d54a167fb9eaca6b020bf9ecb56649b8681312ec

    SHA256

    ac016bc6da5d78116d79930c7c1af59d765aad038b3dfc2a63228e46acd2303b

    SHA512

    6b0fa0d715c7ae75e8fdbd126ba0cee681cdf555dd70c3477291622868b5b2d2b60f94d704da2f5c751801246c2f4d85f0612b8d65b40ef7709a799d97eeaa3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0CA940C1-A6DE-11EF-B40F-EAF82BEC9AF0}.dat
    Filesize

    5KB

    MD5

    5901ec32ea88c7807247e324144a0d8f

    SHA1

    6511e0e22177a0ef72c257038306c592df5ff387

    SHA256

    a5dd3e1b27298dc894c61a68e85482ee60152a2c9d97f86399064fd5619b980f

    SHA512

    f33c299a5409e295273a3aa89b4e643129d11460c344dd9fc32a40d939611326793f0fe5302f60bf26420b215faeddedeb73e946e277701d8ec88a5d362e2fe3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabBB28.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarBB4A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    177KB

    MD5

    5c65d0f7ed0cf850e4e9cc219233d133

    SHA1

    093b25fe1598dbce3c9cb3aaf7da89f9e6fa321c

    SHA256

    c25c2eaf1dd5165bf46a36d9420d7fe718cb866831b91f22f55561fed08c7f4a

    SHA512

    2d404c860e037bc7b7e400ff2369de91599f15780d82364f119b356706aa3140499816c00a2bf99ba443206788ab0da527b16c3057372f803c5c112c2eae5d74

    Download Submit

  • \Program Files (x86)\Internet Explorer\IEShims.dll.tmp
    Filesize

    313KB

    MD5

    04fd841bce89b95ca69b99b1e6fa20b1

    SHA1

    0d11bbfbd92860285649ef23367481534d2556cb

    SHA256

    eb46d2a59b861fac02640e50eb2242c0279243b406802d662c4cb25746d1fab0

    SHA512

    3f489c568a9d89facaa3fe0fc05ba40f6bf5e642458dac4f9e1245cd2e8d4474700f7ec1170b43844314338fb7776dc6bf72b619577ffaa65821ed6df993ccc8

    Download Submit

  • \Program Files (x86)\Internet Explorer\ieproxy.dll.tmp
    Filesize

    340KB

    MD5

    856d585826598071272a74cecddd1340

    SHA1

    38a80345aa7d367c02dc84b795eef42212070715

    SHA256

    f6b3e3c5a293c5d47b285dfedaa718f0f326fc524a06229a0bca7376ca06e909

    SHA512

    36e40cb093f945b6561a4493bdd436af35af3275fb05c65157cd0c7587b2aa485b5e2bcf5ee3ef73ce4a4c6656fa1fd3d73de0edaea80751d64557772693f1fa

    Download Submit

  • \Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • memory/2084-20-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-18-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2084-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-25-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2084-23-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2084-21-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-13-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2084-52-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2084-22-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2084-51-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2396-10-0x00000000001D0000-0x000000000022B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2396-11-0x00000000001D0000-0x000000000022B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2396-0-0x0000000036600000-0x000000003666D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2396-3-0x0000000036600000-0x000000003666D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2396-2-0x0000000036600000-0x000000003666D000-memory.dmp

    Filesize

    436KB

    Download