5bec4cee05762294b3dfe2cc4e26ef5f33aaceb4c1f1a0bc40c595f45a321665

General

Target

Fluxus V7.exe
Size

2.9MB
MD5

9a75daf4d0c193193b7e0ac38fde5382
SHA1

22da0286430384889f3db0f5c56c72ebb577b0b0
SHA256

5bec4cee05762294b3dfe2cc4e26ef5f33aaceb4c1f1a0bc40c595f45a321665
SHA512

5274cf52c9086f0248d3298e3b1430451f1a960588cf4e4da3f8b927338fb520232edb056043b70f38031ee397bc0074705feb4a489066f63454fcb15b544bb8
SSDEEP

49152:PFvJA52joYoYdnZOYoB1oAzOBC5tMqiNHw+W7SCwGpv8M8w:zXoYoYdnZOYosHTgBkM

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2384	Fluxus V7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	Fluxus V7.exe
File opened (read-only)	\??\H:	Fluxus V7.exe
File opened (read-only)	\??\J:	Fluxus V7.exe
File opened (read-only)	\??\N:	Fluxus V7.exe
File opened (read-only)	\??\U:	Fluxus V7.exe
File opened (read-only)	\??\X:	Fluxus V7.exe
File opened (read-only)	\??\Y:	Fluxus V7.exe
File opened (read-only)	\??\M:	Fluxus V7.exe
File opened (read-only)	\??\Q:	Fluxus V7.exe
File opened (read-only)	\??\V:	Fluxus V7.exe
File opened (read-only)	\??\W:	Fluxus V7.exe
File opened (read-only)	\??\E:	Fluxus V7.exe
File opened (read-only)	\??\G:	Fluxus V7.exe
File opened (read-only)	\??\I:	Fluxus V7.exe
File opened (read-only)	\??\O:	Fluxus V7.exe
File opened (read-only)	\??\P:	Fluxus V7.exe
File opened (read-only)	\??\A:	Fluxus V7.exe
File opened (read-only)	\??\K:	Fluxus V7.exe
File opened (read-only)	\??\L:	Fluxus V7.exe
File opened (read-only)	\??\R:	Fluxus V7.exe
File opened (read-only)	\??\S:	Fluxus V7.exe
File opened (read-only)	\??\T:	Fluxus V7.exe
File opened (read-only)	\??\Z:	Fluxus V7.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fluxus V7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Fluxus V7.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Fluxus V7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Fluxus V7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	Fluxus V7.exe
2384	Fluxus V7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	Fluxus V7.exe
Token: SeShutdownPrivilege	2384	Fluxus V7.exe
Token: SeCreatePagefilePrivilege	2384	Fluxus V7.exe

C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnfzw1ln.qcz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\FluxusAuth.dll

Filesize
2.3MB

MD5
5f61a0d8682cdbb0f374ed7a129802e3

SHA1
97eed98eb668862b40f076bb52072b9abd98a480

SHA256
90622a0ecf48de333c4fba0dc816f619314d42b196a325d0e64817e97a4fd7ff

SHA512
520c9610e27df6f5cca5f7add8e0d421eb2b850f96c98ab1186e23c5ecc4565535b8598dd69ecbdf63dc8758f61e9ddec5e64a06e193377ae50a2b8752256484

Download Submit
memory/2384-40-0x000000000DAE0000-0x000000000DAFE000-memory.dmp

Filesize
120KB

Download
memory/2384-3-0x00000000093E0000-0x00000000093E8000-memory.dmp

Filesize
32KB

Download
memory/2384-41-0x000000000DBD0000-0x000000000DC1A000-memory.dmp

Filesize
296KB

Download
memory/2384-42-0x000000000E650000-0x000000000E9A7000-memory.dmp

Filesize
3.3MB

Download
memory/2384-11-0x000000006BC10000-0x000000006C2EE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-14-0x000000000B450000-0x000000000BA7A000-memory.dmp

Filesize
6.2MB

Download
memory/2384-2-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2384-1-0x0000000000320000-0x0000000000604000-memory.dmp

Filesize
2.9MB

Download
memory/2384-33-0x000000000D8B0000-0x000000000D8CA000-memory.dmp

Filesize
104KB

Download
memory/2384-34-0x000000000D910000-0x000000000D946000-memory.dmp

Filesize
216KB

Download
memory/2384-35-0x000000000DFD0000-0x000000000E64A000-memory.dmp

Filesize
6.5MB

Download
memory/2384-38-0x000000000DB10000-0x000000000DB76000-memory.dmp

Filesize
408KB

Download
memory/2384-37-0x000000000D9A0000-0x000000000D9C2000-memory.dmp

Filesize
136KB

Download
memory/2384-36-0x000000000DA00000-0x000000000DA96000-memory.dmp

Filesize
600KB

Download
memory/2384-39-0x000000000EC00000-0x000000000F1A6000-memory.dmp

Filesize
5.6MB

Download
memory/2384-0-0x0000000074790000-0x0000000074F41000-memory.dmp

Filesize
7.7MB

Download
memory/2384-5-0x00000000096C0000-0x00000000096CE000-memory.dmp

Filesize
56KB

Download
memory/2384-43-0x000000000DEF0000-0x000000000DF56000-memory.dmp

Filesize
408KB

Download
memory/2384-4-0x0000000009700000-0x0000000009738000-memory.dmp

Filesize
224KB

Download
memory/2384-44-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2384-45-0x000000000DFA0000-0x000000000DFC2000-memory.dmp

Filesize
136KB

Download
memory/2384-46-0x000000000F470000-0x000000000F4BC000-memory.dmp

Filesize
304KB

Download
memory/2384-47-0x00000000FF290000-0x00000000FF2A0000-memory.dmp

Filesize
64KB

Download
memory/2384-56-0x0000000010320000-0x000000001033E000-memory.dmp

Filesize
120KB

Download
memory/2384-57-0x0000000010340000-0x00000000103E4000-memory.dmp

Filesize
656KB

Download
memory/2384-58-0x00000000105C0000-0x00000000105CA000-memory.dmp

Filesize
40KB

Download
memory/2384-59-0x00000000105D0000-0x00000000105E1000-memory.dmp

Filesize
68KB

Download
memory/2384-60-0x00000000105F0000-0x00000000105FE000-memory.dmp

Filesize
56KB

Download
memory/2384-61-0x0000000010620000-0x0000000010635000-memory.dmp

Filesize
84KB

Download
memory/2384-62-0x0000000010670000-0x000000001068A000-memory.dmp

Filesize
104KB

Download
memory/2384-63-0x0000000010690000-0x0000000010698000-memory.dmp

Filesize
32KB

Download
memory/2384-64-0x0000000074790000-0x0000000074F41000-memory.dmp

Filesize
7.7MB

Download
memory/2384-65-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2384-66-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2384-68-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2384-69-0x00000000FF290000-0x00000000FF2A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads