Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
12-07-2024 11:21
General
-
Target
540e29d433a62e86b834b9689058dd10N.exe
-
Size
164KB
-
MD5
540e29d433a62e86b834b9689058dd10
-
SHA1
29ec51f76995586ede29ab3982e34ce78cc4b0b9
-
SHA256
2e08840a9a03c5070d1ff522d39f2918350f6b6f1681ad8afe19c6c8c1c46b4b
-
SHA512
6cde6b3861032dc5347266d7226a535467bceb0ef62a3bbca77a772bdf5bfe05264bf1c8dfb038e44949c91bfb5131cc4607341e99b3715401e6df000d015ac6
-
SSDEEP
3072:c0poOfa6+Juc7ZaKHKp2lQBV+UdE+rECWp7hKt/b:c0ppi6+JDZlHK9BV+UdvrEFp7hKtj
Malware Config
Signatures
-
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Phorphiex payload 1 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects Floxif payload 1 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\540e29d433a62e86b834b9689058dd10N.exe"C:\Users\Admin\AppData\Local\Temp\540e29d433a62e86b834b9689058dd10N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysmablsvr.exeC:\Windows\sysmablsvr.exe2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
88KB
MD5ababca6d12d96e8dd2f1d7114b406fae
SHA1dcd9798e83ec688aacb3de8911492a232cb41a32
SHA256a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
SHA512b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB