floxif | 807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Size

3.7MB
MD5

11f6f0550436ad955c7c2b4f41a94896
SHA1

5443a7d9add5d0530621f2dbae5b27bdcf23a565
SHA256

807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1
SHA512

0ac800c1e460a01f6326c18d508e2db30338e5c0bdd0b2a11eaba81e592e4c13e8f9035a1b1b2c82c6bbe1231a4a67bcec7377d1e1c358b29ddb7e802a25d7f7
SSDEEP

98304:35MQvY/NFRjQUEaUJhtH/Ll3AzrIdHM3AUDOE:J0dULh/Ll3grIdHM3AUDOE

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000d000000023b8f-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WINTRUST.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000d000000023b8f-1.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3936	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Loads dropped DLL 12 IoCs

pid	Process
4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3936	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SspiCli.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\MSASN1.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\Wldp.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\KERNEL32.DLL	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\clbcatq.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\CoreUIComponents.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\ntmarta.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\KERNELBASE.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\CRYPT32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\SHLWAPI.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\imagehlp.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\kernel.appcore.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\psapi.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\wintypes.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\shcore.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\textinputframework.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\gdi32full.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\windows.storage.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\GDI32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\ole32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\combase.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\version.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\MSCTF.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\winmm.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\ws2help.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\bcryptPrimitives.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\PROPSYS.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\TextShaping.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\RPCRT4.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\win32u.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\WINTRUST.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\Windows\SysWOW64\CoreMessaging.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023b8f-1.dat	upx
behavioral2/memory/4944-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4944-42-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3128-74-0x0000000001BD0000-0x0000000001C00000-memory.dmp	upx
behavioral2/memory/3936-79-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4944-85-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3936-108-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3128-110-0x0000000001BD0000-0x0000000001C00000-memory.dmp	upx
behavioral2/memory/3936-115-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4944-119-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3936-128-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4944-135-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3936-136-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4944-146-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3936-147-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\symsrv.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
File opened for modification	\??\c:\program files\common files\system\symsrv.dll.000	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeDebugPrivilege	3936	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeDebugPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeDebugPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeLoadDriverPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeCreateGlobalPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: 33	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeSecurityPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeTakeOwnershipPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeManageVolumePrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeBackupPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeCreatePagefilePrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeShutdownPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeRestorePrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: 33	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
Token: SeIncBasePriorityPrivilege	3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3128	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3936	4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe	83
PID 4944 wrote to memory of 3936	4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe	83
PID 4944 wrote to memory of 3936	4944	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe	83
PID 3936 wrote to memory of 3128	3936	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe	84
PID 3936 wrote to memory of 3128	3936	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe	84
PID 3936 wrote to memory of 3128	3936	807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe	84

C:\Users\Admin\AppData\Local\Temp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
"C:\Users\Admin\AppData\Local\Temp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe
    C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe.tmp

Filesize
3.8MB

MD5
01b29e41c3bf9514c28cd960b1911b0d

SHA1
56e45c5779353aeaa12e17b8b73030952c25c788

SHA256
fb1317f4f7a7c5013ef2e94da325f03859e7d83617ed1cf46469d5295efcbecb

SHA512
aeb378a1f4aafaae98931b5fb9d9463bf7a85c13b27a767efc280756e3f21b837738d26d14dec1d3be5d72d593814e186e8ae1522f7a0203b31f782eee1808a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe.tmp

Filesize
272KB

MD5
4dc6d9cbac7fbccd877b7c278f5be779

SHA1
29eda075af08fe23404eabc2337df66e88df2618

SHA256
e6ee64b22e67865e9c098a2d2b36a88b869fd75d1ec60be6fe7578e86b3e21f7

SHA512
5e5e4355890371dddbd0391e00132bc3dbd7e5027f2c7b4fe1f0a20f5cc4f1f095409d64b5a68e042ef962a5233c08668e8e26e753dbd336ad8861e6d725a91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\CET_Archive.dat

Filesize
8.7MB

MD5
80345e6e05633a783e39a49e707578b5

SHA1
bc393ba85741a957c0d46e5795a2e5749b2ca5a8

SHA256
a1a7ab9eb55cb449f98473cc31ec66f4805cc5273dde67ae19cfcd794599c411

SHA512
1c2447d1557bb2527b20b3b036008921c1390a17c1c419b7ca377b81d21cb648095d6c177e669c5374926eb4f48b66b71b8cb65e346a5342671eccd1bf018109

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\807376f59600671c258c4cf5cfaf89b3933bdef73cd425dae5f0e6fc315b3af1.exe

Filesize
7.0MB

MD5
d34a325ac7de41aba31b49b8ca6223dc

SHA1
d266583df43ccd64a789cf5a348cc13d4773b3b0

SHA256
f207c438301241ded35b175bbc13ea6663925abab7aa4b4c455d8aeec4e5a2a2

SHA512
8b919c3a9e04c2dd25f5a4f26ace298adb12fc703f349e8fad8bd807d980111c1d2ad9f20102433ab7d3d78d937a9617c3cb985b52ed87e72141ce13d7031a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
65KB

MD5
86a624a5531a5a8a5d7f5103dcb158e2

SHA1
7a20a451d76bef93f211f39af2267b1a97c84504

SHA256
45fac27f69fa3a767d56a75d09d9d6c726480695cbf175062a2f5baf625151d1

SHA512
ea624de4e9a90121198c726cf41c07a6ca1772250083bd9157151c089e67a4ee9ba19efaf2b5391b5764fd315156b501279eeba27d634ab4fc1891b41eaf5cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\defines.lua

Filesize
5KB

MD5
d8f9b4a10a48ebd8936255f6215c8a43

SHA1
7d8ff0012fa9d9dcf189c6df963f1c627f2ccb76

SHA256
d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2

SHA512
67db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
2730ff589ae86ef10d94952769f9404f

SHA1
8010834297a6aa488e6bf90eceaaf9e60bb60c6e

SHA256
faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b

SHA512
5fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\lua5.1-32.dll.tmp

Filesize
406KB

MD5
1cee7b9841467e6b755f80087d3bc001

SHA1
6c720dd7b1b153d7a3f64b6292442fb051e575c5

SHA256
c723c76ef48d5dc6269d5fa2b15b1aa56d2e383cd4859fd6efb0a9d010675df8

SHA512
9bad6ed96abae071365cd520ba7c821b450c912a810a42cd7ed7c052cf42aa42b6bf45ed73ad7cb610724a389b3aaf65f1b23c45834381ecad53552ed5684cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA681.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
\??\c:\program files\common files\system\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
memory/3128-173-0x00000000133E0000-0x0000000013CEF000-memory.dmp

Filesize
9.1MB

Download
memory/3128-106-0x00000000133E0000-0x0000000013CEF000-memory.dmp

Filesize
9.1MB

Download
memory/3128-107-0x00000000133E0000-0x0000000013CEF000-memory.dmp

Filesize
9.1MB

Download
memory/3128-80-0x000000000B580000-0x000000000B581000-memory.dmp

Filesize
4KB

Download
memory/3128-110-0x0000000001BD0000-0x0000000001C00000-memory.dmp

Filesize
192KB

Download
memory/3128-190-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/3128-109-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/3128-172-0x00000000133E0000-0x0000000013CEF000-memory.dmp

Filesize
9.1MB

Download
memory/3128-116-0x0000000000400000-0x0000000000B2A000-memory.dmp

Filesize
7.2MB

Download
memory/3128-148-0x0000000010000000-0x0000000010056000-memory.dmp

Filesize
344KB

Download
memory/3128-82-0x0000000000400000-0x0000000000B2A000-memory.dmp

Filesize
7.2MB

Download
memory/3128-74-0x0000000001BD0000-0x0000000001C00000-memory.dmp

Filesize
192KB

Download
memory/3936-79-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3936-108-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3936-147-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3936-136-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3936-128-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3936-115-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-83-0x0000000075665000-0x0000000075666000-memory.dmp

Filesize
4KB

Download
memory/4944-48-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-75-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-85-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-45-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-42-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-41-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-36-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-33-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-47-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-30-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-24-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-20-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-46-0x0000000000746000-0x0000000000749000-memory.dmp

Filesize
12KB

Download
memory/4944-17-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-117-0x0000000075665000-0x0000000075666000-memory.dmp

Filesize
4KB

Download
memory/4944-119-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-49-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-135-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-76-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-146-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-73-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-14-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download
memory/4944-8-0x0000000000746000-0x0000000000749000-memory.dmp

Filesize
12KB

Download
memory/4944-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-4-0x0000000000650000-0x0000000000F5F000-memory.dmp

Filesize
9.1MB

Download