floxif | f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
Size

5.5MB
MD5

3fb96e542684a5701c015af586e5f029
SHA1

dabfb827e7fbb71d3b6579812fb7b3fc823c27ef
SHA256

f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab
SHA512

4c218621ff5ceba4b62e9000430842121d30638fe7eec29da6897b04f4f0403f266a1ad211b839e5346d450426273495f6eff2bb34916f1b1536771f12e505c7
SSDEEP

98304:nL3sebimvssymgWKBclaxuHPCyTCaZHYI/MH/Fzz/kkLtiNy1FlHOLg5VPbik2Pq:L8e/vssymg7B0a4HayTLZH9INzzc8A0R

Score

10^/10

floxif backdoor trojan upx

Malware Config

Signatures

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000012118-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012118-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2644	Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
2644	Setup.exe
2644	Setup.exe
2644	Setup.exe
2644	Setup.exe
2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012118-1.dat	upx
behavioral1/memory/2108-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2108-128-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2108-132-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2108-136-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2108-140-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2108-144-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2108-151-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
2644	Setup.exe
2644	Setup.exe
2644	Setup.exe
2644	Setup.exe
2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30
PID 2108 wrote to memory of 2644	2108	f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe	30

C:\Users\Admin\AppData\Local\Temp\f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe
"C:\Users\Admin\AppData\Local\Temp\f2332406870d3dcaf54272654fa0e2848fd0669be77611c8539963c1585a90ab.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\c59b0bc8bf601cb1c2b0e4c0457e\Setup.exe
  C:\c59b0bc8bf601cb1c2b0e4c0457e\\Setup.exe /x86 /x64 /lcid 1028 /lpredist
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIB6D2.tmp.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\1028\LocalizedData.xml

Filesize
66KB

MD5
dd3ad33223028106f08429fad2df95e0

SHA1
db8f0aed0f5f88ece06660994dc082d78f887047

SHA256
dde16272780f3fc110c93128f09bd2bf674df045cbd683244b092bfbff4db66f

SHA512
abee07bd9618da3b902cfc484e02012672a46da4c4a7a98d46b501c60d668103c9a0a5309a4e8b293c0449eb26f8edc86eec10cc3efd85704d6525014951bc74

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\1028\SetupResources.dll

Filesize
26KB

MD5
a803560fb4b5ee19443821c286295a33

SHA1
9c3b21dc32f612bcb6f80fa6917fc8bfc9ba65e7

SHA256
4255ea050c5e25c7baee0cc8194c3affb4c1f213862dc3819cd3dcbf2d937a24

SHA512
f8e2fd0599c1f52e14292c324f50dc8809eb8778c5136a235aa2d7a56313fb4e6c483516234a2900a482afad89c7e6420a42e30532fcce06916c278f521a6d16

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\1033\LocalizedData.xml

Filesize
80KB

MD5
ffd712ff1645648321ed91117f981017

SHA1
bf53f8ce3a4750b7fc4b6569fc5ef7ea20494450

SHA256
e4ec814ecb215c2f83ab2d6da5ae80d6ebdc015da2ea8f028657f35e632c4540

SHA512
f633fe71f63fd8661174636232ad07e387c38a52dd0dcc0f8573376ca411a61e870d11c95cc537eacc5f381ea372c830814b5c5857848672f2b4469eeafa1533

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\ParameterInfo.xml

Filesize
1.2MB

MD5
b16a8dd5389b0201623a84a04bd497d1

SHA1
149c3a044d7af6325edfa521c7a690cd4442f78e

SHA256
3e11c62dac8fbc705168fee32a56ef4e49f56bba33506c63023b93de7f8b7a0a

SHA512
7e9ca9c4901ce6c9d96e6bc027fb39dde2f4ad6a9165f08e75c637cd02cc41ca4f9d4ff4096168c5acf1ed2d0a1c0ae6bea290c7dae8c40defeb893d729365fd

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\SetupEngine.dll

Filesize
901KB

MD5
87125d428eb7b400af6822af0c4e72dd

SHA1
67dc6ef3ae8e32fda9e941d450ae9e0adbcf3982

SHA256
d199d038d59d3b6a219258009635699226d835bf9163357e9458352b6578b157

SHA512
d4ca91b014557827449426d00689f86599a6d7bdd231c358d1666001dfa73d54e199b695a8cb5c21aab7e191b01bdc7e031d6a9288af27b6b271f736d963ceb6

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\SetupUi.dll

Filesize
342KB

MD5
e31641c114d66ea24d79ed4032269dd0

SHA1
911fd6d8e62c61a76a464306f84c9b80e93467aa

SHA256
3b9822668816a77b623258f8036120eaa5da5d74b16aadfc601cb0e513a56461

SHA512
dc7377cadda1bf63c7df267f3313f916a92363004ab8859e6f3a77aa7938d20de0f6857b8842e6424de2749cf6686f35898002054d8f9c4ed4f5775035cec54c

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\SetupUi.xsd

Filesize
31KB

MD5
a9f6a028e93f3f6822eb900ec3fda7ad

SHA1
8ff2e8f36d690a687233dbd2e72d98e16e7ef249

SHA256
aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848

SHA512
1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\SplashScreen.bmp

Filesize
117KB

MD5
bc32088bfaa1c76ba4b56639a2dec592

SHA1
84b47aa37bda0f4cd196bd5f4bd6926a594c5f82

SHA256
b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7

SHA512
4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\UiInfo.xml

Filesize
35KB

MD5
8ace169bf65675c089e0327d5b1f7437

SHA1
43646e29c878f58ac4b5d7c192d11b3becd9e9f6

SHA256
8f7847cfc9ec70b6758f6fbe9b98809ca7bf8ecb25bf9b3a8e7e052b83dfa94b

SHA512
3e98f8351e96bab4b8cecf93e590c722233d119d7cec76445a0b170f69de647bd65eafeafecc8888573e986b3f80403480728c7a1e014961fbd60dc169ca5db7

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\graphics\print.ico

Filesize
123KB

MD5
d39bad9dda7b91613cb29b6bd55f0901

SHA1
6d079df41e31fbc836922c19c5be1a7fc38ac54e

SHA256
d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6

SHA512
fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\graphics\save.ico

Filesize
123KB

MD5
c66bbe8f84496ef85f7af6bed5212cec

SHA1
1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1

SHA256
1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd

SHA512
5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\graphics\setup.ico

Filesize
123KB

MD5
6125f32aa97772afdff2649bd403419b

SHA1
d84da82373b599aed496e0d18901e3affb6cfaca

SHA256
a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5

SHA512
c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\graphics\stop.ico

Filesize
185KB

MD5
7d1bccce4f2ee7c824c6304c4a2f9736

SHA1
2c21bf8281ac211759b1d48c6b1217dd6ddfb870

SHA256
bfb0332df9fa20dea30f0db53ceaa389df2722fd1acf37f40af954237717532d

SHA512
16f9bf72b2ddc2178a6f1b439dedabe36a82c9293e0e64cfaccbf5297786d33025a5e15aa3c4dc00b878b53fe032f0b7ed3dee476d288195fb3f929037bdcdbe

Download Submit
C:\c59b0bc8bf601cb1c2b0e4c0457e\sqmapi.dll

Filesize
221KB

MD5
6404765deb80c2d8986f60dce505915b

SHA1
e40e18837c7d3e5f379c4faef19733d81367e98f

SHA256
b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120

SHA512
a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\c59b0bc8bf601cb1c2b0e4c0457e\Setup.exe

Filesize
125KB

MD5
d8bdc90b8d9c47548b0789b33c93b266

SHA1
e2287110a405c2988f49a61d859455d41eac7215

SHA256
fd54615d479e33197b7a63873e7468f3e2e5467bdd4384d6471b4d8009f13dcf

SHA512
687cdd99c2ce3075b9cbc8f4113fa2245b01c93607bb15396ea26406eca53181998aa124452dbb4681492e29e273bd14a1b427953e59ade17aa27bbbaf249b14

Download Submit
\c59b0bc8bf601cb1c2b0e4c0457e\SetupEngine.dll.tmp

Filesize
978KB

MD5
1fff6e7291ce0831f32be4ad76e0266f

SHA1
055a1b755b7ed9b1fa74ac98d3000a21c3203c5b

SHA256
b35e121ee4479ec917ebf083e9aecaf7c3ea1d4aa3da1e65096a4002198524ed

SHA512
ad9bdc9c3e6c0e1551a87f7cc6c7b3d7d9de89e725c475bf810e6b7ed1d95ff7ae37e730873733a79dcfc5d207b6197927620f0628212bcf9a190d42cdd17558

Download Submit
memory/2108-128-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2108-132-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2108-136-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2108-140-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2108-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2108-144-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2108-127-0x0000000001090000-0x00000000010C5000-memory.dmp

Filesize
212KB

Download
memory/2108-151-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-153-0x0000000074190000-0x0000000074271000-memory.dmp

Filesize
900KB

Download
memory/2644-165-0x0000000074190000-0x0000000074271000-memory.dmp

Filesize
900KB

Download
memory/2644-174-0x0000000074190000-0x0000000074271000-memory.dmp

Filesize
900KB

Download