Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

29f3f594dc...0N.exe

windows7-x64

10

29f3f594dc...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 23:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29f3f594dc3b8b7ff2743be4db5cd510N.exe

  • Size

    809KB

  • MD5

    29f3f594dc3b8b7ff2743be4db5cd510

  • SHA1

    e5974c9813348734683af5613fa7c6619914f282

  • SHA256

    c8979eda937db005ab257214717d41aa31de3d6f93750fabea6905ddfe86f973

  • SHA512

    bbef8697b7f82cf6bad929dc3f559bd6c103b056247c6f2122aa1a42e5bc500965d2cd704f96dbc925f36f1de7c5e3090f612924950b59e2754dc1d31f09abbd

  • SSDEEP

    24576:bV5s52aTTUJtySrl3RerElTwsI4xUrEH7c0:brnaYySr3iV0

Score
10/10
floxifbackdoordiscoverypersistenceprivilege_escalationtrojanupx

Malware Config

Signatures

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Detects Floxif payload 1 IoCs
    backdoor
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29f3f594dc3b8b7ff2743be4db5cd510N.exe
    "C:\Users\Admin\AppData\Local\Temp\29f3f594dc3b8b7ff2743be4db5cd510N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 328
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2784

Network

  • flag-us
    DNS
    5isohu.com
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    www.aieov.com
    Remote address:
    8.8.8.8:53
    Request
    www.aieov.com
    IN A
    Response
    www.aieov.com
    IN A
    198.58.118.167
    www.aieov.com
    IN A
    45.56.79.23
    www.aieov.com
    IN A
    45.33.2.79
    www.aieov.com
    IN A
    45.33.30.197
    www.aieov.com
    IN A
    45.79.19.196
    www.aieov.com
    IN A
    45.33.18.44
    www.aieov.com
    IN A
    45.33.20.235
    www.aieov.com
    IN A
    96.126.123.244
    www.aieov.com
    IN A
    173.255.194.134
    www.aieov.com
    IN A
    45.33.23.183
    www.aieov.com
    IN A
    72.14.178.174
    www.aieov.com
    IN A
    72.14.185.43
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    WerFault.exe
    Remote address:
    198.58.118.167:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 25 Aug 2024 23:47:12 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    WerFault.exe
    Remote address:
    198.58.118.167:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 25 Aug 2024 23:47:21 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    WerFault.exe
    Remote address:
    198.58.118.167:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 25 Aug 2024 23:47:30 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    WerFault.exe
    Remote address:
    198.58.118.167:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 25 Aug 2024 23:47:39 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    WerFault.exe
    Remote address:
    198.58.118.167:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 25 Aug 2024 23:47:48 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    WerFault.exe
    Remote address:
    198.58.118.167:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 25 Aug 2024 23:47:57 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • 198.58.118.167:80
    http://www.aieov.com/logo.gif
    http
    WerFault.exe
    290 B
     503 B
     5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 198.58.118.167:80
    http://www.aieov.com/logo.gif
    http
    WerFault.exe
    290 B
     529 B
     5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 198.58.118.167:80
    http://www.aieov.com/logo.gif
    http
    WerFault.exe
    290 B
     529 B
     5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 198.58.118.167:80
    http://www.aieov.com/logo.gif
    http
    WerFault.exe
    290 B
     503 B
     5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 198.58.118.167:80
    http://www.aieov.com/logo.gif
    http
    WerFault.exe
    290 B
     529 B
     5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 198.58.118.167:80
    http://www.aieov.com/logo.gif
    http
    WerFault.exe
    290 B
     529 B
     5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 8.8.8.8:53
    5isohu.com
    dns
    56 B
     117 B
     1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    www.aieov.com
    dns
    59 B
     251 B
     1
    1

    DNS Request

    www.aieov.com

    DNS Response

    198.58.118.167
    45.56.79.23
    45.33.2.79
    45.33.30.197
    45.79.19.196
    45.33.18.44
    45.33.20.235
    96.126.123.244
    173.255.194.134
    45.33.23.183
    72.14.178.174
    72.14.185.43

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • memory/1892-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1892-1-0x0000000001380000-0x000000000156D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1892-6-0x0000000001559000-0x000000000155A000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-8-0x0000000001380000-0x000000000156D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1892-9-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.