Malware Analysis Report

2024-12-08 02:39

Sample ID 240914-hbbhqs1anj
Target 89067d7926507a58c377b7690fcb0950N
SHA256 2c484a04a3681dee4f36459fc9ce5959cf2cdc8b859f1c35ea2abaa234fb2961
Tags
floxif backdoor bootkit discovery persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c484a04a3681dee4f36459fc9ce5959cf2cdc8b859f1c35ea2abaa234fb2961

Threat Level: Known bad

The file 89067d7926507a58c377b7690fcb0950N was found to be: Known bad.

Malicious Activity Summary

floxif backdoor bootkit discovery persistence trojan upx

Floxif, Floodfix

Detects Floxif payload

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-14 06:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-14 06:33

Reported

2024-09-14 06:35

Platform

win7-20240903-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\lpcio.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A
File opened for modification | C:\Windows\system32\lpcio.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob data omitted> | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe

"C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cpuid.com udp
FR 195.154.81.43:443 www.cpuid.com tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 88.221.135.113:80 e5.o.lencr.org tcp
US 8.8.8.8:53 time-a.timefreq.bldrdoc.gov udp
US 132.163.96.1:37 time-a.timefreq.bldrdoc.gov tcp
US 8.8.8.8:53 time-c.timefreq.bldrdoc.gov udp
US 132.163.96.3:37 time-c.timefreq.bldrdoc.gov tcp
US 8.8.8.8:53 ntps1-0.uni-erlangen.de udp
DE 131.188.3.220:37 ntps1-0.uni-erlangen.de tcp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 nist1.datum.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp
US 45.33.30.197:80 www.aieov.com tcp

Files

memory/2232-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HWMonitorPro64.exe

MD5 c08ebc85e0f04e9768d097733c22a9ab
SHA1 9264cf6638316af44d0b38052f9c9cf1a79d4712
SHA256 c81fbcf64c12450f74c1173aea5d443696d3297f852a177c9d862396ba0fc3a5
SHA512 935ce1e01a3deb201dee833884e5e961f5409f2674d9a4e70bc1dab92f1fe501701827b78ada98aee09882f400ee39629756bb52aa494e5904b38f06a3c299f9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hwmpro.pvk

MD5 8753a6f5df99c053299b89e8139250a4
SHA1 20503dcba4e1ca2e3e24c722e579196714772275
SHA256 5053378813c575af792ccd5942f3a0c2ed9e23c52aae90f82a2066e89c91f68b
SHA512 41ca8fa8aff0ca72678d9bc368a43453d1d9a0a817a03227ffea549abba789944cdbc36ee5f2beadaf4ac0a470bc3bd417aefdb34fa60a0367f29443f53e64c9

\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

MD5 cbb0cfe99fe1ca54335d87515d862ba3
SHA1 cb76865ff91152eb6c59dc15564e8959f6c85628
SHA256 47b3449820b22e0bb31d6d2ce607c5347483c4c68d9b493305b1d9b61774396c
SHA512 797b81e134daab5315dc216fe4844d6420c94da3a393a3847a858fca259560ba72c9c6fc57c5572619feddc5021467581ba087fec52394a2dd858eb17d304f66

C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

MD5 2f13191d5f2eade9dd842ec01855610c
SHA1 8cb84defbb17817270074153f43bd63169feb42c
SHA256 6d097a250fb0c3680caffce72834882c19cf436979b1124d4eb7f17a61aab137
SHA512 650423080fce49328404b2dde498f0ba4875e18e17460639235531da64e74722c69c9e89c17afa697123a576e2e59a53342fbad160d89c92ef27e99a7eeb49a1

memory/2232-65-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2232-64-0x0000000001260000-0x00000000012E5000-memory.dmp

memory/2232-69-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2232-73-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2232-77-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2232-83-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2232-85-0x0000000010000000-0x0000000010030000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-14 06:33

Reported

2024-09-14 06:35

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe

"C:\Users\Admin\AppData\Local\Temp\89067d7926507a58c377b7690fcb0950N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 956 -ip 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 180

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A