floxif | 2e08840a9a03c5070d1ff522d39f2918350f6b6f1681ad8afe19c6c8c1c46b4b

General

Target

540e29d433a62e86b834b9689058dd10N.exe
Size

164KB
MD5

540e29d433a62e86b834b9689058dd10
SHA1

29ec51f76995586ede29ab3982e34ce78cc4b0b9
SHA256

2e08840a9a03c5070d1ff522d39f2918350f6b6f1681ad8afe19c6c8c1c46b4b
SHA512

6cde6b3861032dc5347266d7226a535467bceb0ef62a3bbca77a772bdf5bfe05264bf1c8dfb038e44949c91bfb5131cc4607341e99b3715401e6df000d015ac6
SSDEEP

3072:c0poOfa6+Juc7ZaKHKp2lQBV+UdE+rECWp7hKt/b:c0ppi6+JDZlHK9BV+UdvrEFp7hKtj

Score

10^/10

floxif phorphiex backdoor evasion loader persistence trojan upx worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
55a4er5wo
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysmablsvr.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmablsvr.exe

Phorphiex payload 5 IoCs

Processes:

resource	yara_rule
C:\Windows\sysmablsvr.exe	family_phorphiex
behavioral1/memory/2384-31-0x0000000000400000-0x0000000000419000-memory.dmp	family_phorphiex
behavioral1/memory/2384-71-0x0000000000400000-0x0000000000419000-memory.dmp	family_phorphiex
behavioral1/memory/2384-76-0x0000000000400000-0x0000000000419000-memory.dmp	family_phorphiex
behavioral1/memory/2384-82-0x0000000000400000-0x0000000000419000-memory.dmp	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

sysmablsvr.exe2857325222.exe

pid process

2384 sysmablsvr.exe
2684 2857325222.exe
Loads dropped DLL 3 IoCs

Processes:

540e29d433a62e86b834b9689058dd10N.exesysmablsvr.exe

pid process

1700 540e29d433a62e86b834b9689058dd10N.exe
2384 sysmablsvr.exe
2384 sysmablsvr.exe

pid	process
2384	sysmablsvr.exe
2684	2857325222.exe

pid	process
1700	540e29d433a62e86b834b9689058dd10N.exe
2384	sysmablsvr.exe
2384	sysmablsvr.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/1700-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-19-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1700-20-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-28-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-30-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-34-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-37-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-40-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-52-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-57-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-79-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

540e29d433a62e86b834b9689058dd10N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	540e29d433a62e86b834b9689058dd10N.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

540e29d433a62e86b834b9689058dd10N.exe

description ioc process

File opened (read-only) \??\e: 540e29d433a62e86b834b9689058dd10N.exe

description	ioc	process
File opened (read-only)	\??\e:	540e29d433a62e86b834b9689058dd10N.exe

Drops file in Program Files directory 2 IoCs

Processes:

540e29d433a62e86b834b9689058dd10N.exesysmablsvr.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	540e29d433a62e86b834b9689058dd10N.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	sysmablsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

540e29d433a62e86b834b9689058dd10N.exe

description	ioc	process
File created	C:\Windows\sysmablsvr.exe	540e29d433a62e86b834b9689058dd10N.exe
File opened for modification	C:\Windows\sysmablsvr.exe	540e29d433a62e86b834b9689058dd10N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

540e29d433a62e86b834b9689058dd10N.exe

pid process

1700 540e29d433a62e86b834b9689058dd10N.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

540e29d433a62e86b834b9689058dd10N.exesysmablsvr.exe

description pid process

Token: SeDebugPrivilege 1700 540e29d433a62e86b834b9689058dd10N.exe
Token: SeDebugPrivilege 2384 sysmablsvr.exe

pid	process
1700	540e29d433a62e86b834b9689058dd10N.exe

description	pid	process
Token: SeDebugPrivilege	1700	540e29d433a62e86b834b9689058dd10N.exe
Token: SeDebugPrivilege	2384	sysmablsvr.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

540e29d433a62e86b834b9689058dd10N.exesysmablsvr.exe

description	pid	process	target process
PID 1700 wrote to memory of 2384	1700	540e29d433a62e86b834b9689058dd10N.exe	sysmablsvr.exe
PID 1700 wrote to memory of 2384	1700	540e29d433a62e86b834b9689058dd10N.exe	sysmablsvr.exe
PID 1700 wrote to memory of 2384	1700	540e29d433a62e86b834b9689058dd10N.exe	sysmablsvr.exe
PID 1700 wrote to memory of 2384	1700	540e29d433a62e86b834b9689058dd10N.exe	sysmablsvr.exe
PID 2384 wrote to memory of 2684	2384	sysmablsvr.exe	2857325222.exe
PID 2384 wrote to memory of 2684	2384	sysmablsvr.exe	2857325222.exe
PID 2384 wrote to memory of 2684	2384	sysmablsvr.exe	2857325222.exe
PID 2384 wrote to memory of 2684	2384	sysmablsvr.exe	2857325222.exe

C:\Users\Admin\AppData\Local\Temp\540e29d433a62e86b834b9689058dd10N.exe
"C:\Users\Admin\AppData\Local\Temp\540e29d433a62e86b834b9689058dd10N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\sysmablsvr.exe
  C:\Windows\sysmablsvr.exe
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\2857325222.exe
    C:\Users\Admin\AppData\Local\Temp\2857325222.exe
    3⤵
    - Executes dropped EXE
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\366930305.exe

Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\85448269.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Windows\sysmablsvr.exe

Filesize
164KB

MD5
540e29d433a62e86b834b9689058dd10

SHA1
29ec51f76995586ede29ab3982e34ce78cc4b0b9

SHA256
2e08840a9a03c5070d1ff522d39f2918350f6b6f1681ad8afe19c6c8c1c46b4b

SHA512
6cde6b3861032dc5347266d7226a535467bceb0ef62a3bbca77a772bdf5bfe05264bf1c8dfb038e44949c91bfb5131cc4607341e99b3715401e6df000d015ac6

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\2857325222.exe

Filesize
7KB

MD5
2ee804f53de2ca40325d076df205e01a

SHA1
ba09c1ec54c7347979aedf1cacb9c41fc55d3d0a

SHA256
351a2c3c64f6114b3f71f96167b364b821ec5c572bf777fcd6636478500b4d8d

SHA512
c52b5f65e544ed9d788d5dc586623da8164aee63f4b60113833a51bc230ed8025a63959233f15f87fc24b1f35a0a90350cb00052a66d36ce1920a59eb2ac8955

Download Submit
memory/1700-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1700-20-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-37-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-57-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-31-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2384-40-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-30-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-28-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-52-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-34-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-21-0x000000000040B000-0x000000000040E000-memory.dmp

Filesize
12KB

Download
memory/2384-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-71-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2384-19-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-76-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2384-79-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-82-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads