Malware Analysis Report

2025-06-16 02:04

Sample ID: 240728-hcvm1awfpe
Target: f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37
SHA256: f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37
Tags: floxif backdoor discovery trojan upx persistence privilege_escalation
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37

Threat Level: Known bad

The file f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37 was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery trojan upx persistence privilege_escalation

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

UPX packed file

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 06:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 06:35

Reported

2024-07-28 06:38

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe

"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe"

C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe

"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe" -el -s2 "-dX:\Tools\Portable_Vgo2000" "-sp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 5isohu.com | udp
US | 8.8.8.8:53 | www.aieov.com | udp
US | 45.33.18.44:80 | www.aieov.com | tcp

Files

memory/2248-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Temp\A1D26E2\EC04A908C8.tmp

MD5 59910de3291fa9293f97d4999cd856bf
SHA1 acca7c6f46ec8be28972c5f67194a98ea61f526b
SHA256 87aaf8c93652ce12efd8f4fcb2c3297c12378ae8cc6da3a4f409298270a30c36
SHA512 34d6352629ad8023b2c52cf2d6feb801ce03a5e4bb29ea9c92c82a8b6f5b03ac2b4bbac8e5606e72baf1facf24370388a01cab586435a9dbfae9be8a1be00b81

memory/2712-12-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

MD5 05c748697954cd5693ee4bfaa84d6cb2
SHA1 150fd9ede55901828664d08e8970c188c16d88fb
SHA256 ddcecfcad5453679d3f1ca4a71e89d9dce4c0f65ddd60b8ca19d4679c65af3f1
SHA512 b6cc5b8a3640228eae0582c8c8508a6831da34c16613f7318e5c33fba0656948aa4864fd3a6f4980469b25ca81a695202807fa0f983eb24e488cecd2d901beff

\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

MD5 afee8d425af7853bee2f9bd11ebe49f6
SHA1 50982a65b43299cb845fd6b484e5d9911f3e959b
SHA256 63cb0e76635388028def396334b2541e13928b18c935a2a5f40aaa91b0cb3a90
SHA512 c67a07f90b3868eca5804f37db83128e7eacd8d845a451e27a76a1b558d03bfecf389feaa0a1d7f10d99586af3f1a35684a649426a4b3ba1d683372ae631dbe6

memory/2712-33-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2712-31-0x0000000000AD0000-0x0000000000B6C000-memory.dmp

memory/2248-36-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2248-34-0x0000000000AD0000-0x0000000000B6C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 06:35

Reported

2024-07-28 06:38

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe

"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe"

C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe

"C:\Users\Admin\AppData\Local\Temp\f885b625bb844eea4fa2b974eaeea0e2f1b5db792ba991243f3b2d004a5ccb37.exe" -el -s2 "-dX:\Tools\Portable_Vgo2000" "-sp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | www.aieov.com | udp
US | 173.255.194.134:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.194.255.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 173.255.194.134:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 52.111.227.14:443 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/3580-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3580-5-0x00000000006E3000-0x00000000006E4000-memory.dmp

memory/3580-6-0x00000000006E0000-0x000000000077C000-memory.dmp

memory/3580-10-0x00000000006E0000-0x000000000077C000-memory.dmp

memory/5088-14-0x0000000010000000-0x0000000010030000-memory.dmp

memory/5088-17-0x0000000002930000-0x0000000002960000-memory.dmp

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp

MD5 f7d534dc69f60ad1b658a56841639e47
SHA1 435685cf125391818c74c084fc003e3fd97627e2
SHA256 150bd9bfe6822219e71b977887e8b41ad7269144520c44389a9fc07e335bf464
SHA512 c31ceb5b594b6c703b8c7c962e8a897f288c41231ffeac821d278effd8151126a96cde7e9a1f0016392b5f88e99771caf1bcb8c6f09ed06a298287344884a664

C:\Users\Admin\AppData\Local\Temp\A1D26E2\C3FC7B413E0.tmp

MD5 59910de3291fa9293f97d4999cd856bf
SHA1 acca7c6f46ec8be28972c5f67194a98ea61f526b
SHA256 87aaf8c93652ce12efd8f4fcb2c3297c12378ae8cc6da3a4f409298270a30c36
SHA512 34d6352629ad8023b2c52cf2d6feb801ce03a5e4bb29ea9c92c82a8b6f5b03ac2b4bbac8e5606e72baf1facf24370388a01cab586435a9dbfae9be8a1be00b81

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp

MD5 8b1cd0fc4ae9980f8298031f18f7e5dd
SHA1 aea17fe91c6dc82154ca818db3bb3e749d9c48d5
SHA256 7dc1f71aa016930c5f5328da7fa65f915699723193cefe66587868a44060a5b9
SHA512 10d4e6ffd2ae66a1bf0718e4f74d4819608b143d6e4d305cbc7155440efe4c8225e82b6c9c6b3165300ffd54154ab665959a5954494c425c3119f3f2e2f1a3c9

memory/5088-31-0x0000000010000000-0x0000000010030000-memory.dmp

memory/5088-30-0x00000000006E0000-0x000000000077C000-memory.dmp

memory/3580-33-0x00000000006E0000-0x000000000077C000-memory.dmp

memory/3580-35-0x0000000010000000-0x0000000010030000-memory.dmp