floxif | 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9

Analysis

max time kernel
141s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
Size

281KB
MD5

4a9d8f2b67d2c90900e0a47940f88d5f
SHA1

9dc989d14bb2625d01b14c55563ef0f41f861e92
SHA256

4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9
SHA512

c122bb3e3f36172bdb633f6121d9e53f209463ac972620ecb8b6d09b2438e4f2b37effbb0f210ca5bdc9f2ca5752a3af3515fb4c70901934a2466f1f08087b67
SSDEEP

3072:vHrfzYPc6ElLW4l/DReos0gXf+EvC6C36eCWdMuoB+UKrRiEOB9dXCQT1X/MK0dA:jnl/DRfkTC3dM7B+mCGQcAExQ6h1tWm

Score

10^/10

floxif backdoor trojan upx

Malware Config

Signatures

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000c000000015635-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000015635-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2556	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000015635-1.dat	upx
behavioral1/memory/2556-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2556-6-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2904	2556	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2904	2556	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe	29
PID 2556 wrote to memory of 2904	2556	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe	29
PID 2556 wrote to memory of 2904	2556	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe	29
PID 2556 wrote to memory of 2904	2556	4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe	29

C:\Users\Admin\AppData\Local\Temp\4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
"C:\Users\Admin\AppData\Local\Temp\4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204
  2⤵
  - Program crash
  PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
memory/2556-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2556-5-0x0000000001120000-0x0000000001155000-memory.dmp

Filesize
212KB

Download
memory/2556-6-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download