Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 16:23

General

  • Target

    2024-09-16_18b5196c49a9611141dd28e90986e4b5_floxif_magniber.exe

  • Size

    10.2MB

  • MD5

    18b5196c49a9611141dd28e90986e4b5

  • SHA1

    d0714355ee4eca860a45d08ac33ca1761df828dd

  • SHA256

    4994d99b024a69536c6df49657916c91ff00d64d371a27c52be4bf85f45fb037

  • SHA512

    b82c3f8c22652dbf2c96e2b8b2b5e4744626c7896918cb12f7b55fbac9d5b3b37af54b68ccad6ed00d6f4aa257e5fcde9fe178e09fbf13f796e86bfc4b5c5421

  • SSDEEP

    196608:vdad4T0xcsSB5orrcbSsi0s/lmPJ7N3VvXWrqufezvqT:ladCoXrlAJ7N3pXW2uGzyT

Malware Config

Signatures

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Blocklisted process makes network request 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 47 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 16 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-16_18b5196c49a9611141dd28e90986e4b5_floxif_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-16_18b5196c49a9611141dd28e90986e4b5_floxif_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2388
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 71C089D00ECF18A7BB2732ADDD1581DC
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\AppData\Local\Temp\9BBD282D-ED7F-4BDD-B51E-9EE81ED45235\lite_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\9BBD282D-ED7F-4BDD-B51E-9EE81ED45235\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2740
      • C:\Users\Admin\AppData\Local\Temp\6780B1D1-9B50-4B1B-A023-B12D7A4359C0\seederexe.exe
        "C:\Users\Admin\AppData\Local\Temp\6780B1D1-9B50-4B1B-A023-B12D7A4359C0\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\C40F55C1-3091-4DA0-A6B2-BC3C3E4E0755\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\AppData\Local\Temp\C40F55C1-3091-4DA0-A6B2-BC3C3E4E0755\sender.exe
          C:\Users\Admin\AppData\Local\Temp\C40F55C1-3091-4DA0-A6B2-BC3C3E4E0755\sender.exe --send "/status.xml?clid=9183476&uuid=2f221db0-49CA-463E-B6A2-07FE0E27a473&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:9636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76dcba.rbs

    Filesize

    575B

    MD5

    d925e335f6c4c1c0b980b27400b4ad87

    SHA1

    240a13b3476e66e4db6069e1454495a6d0579901

    SHA256

    8b2a8055b09bdffb0b4ae3fac79ee6998e801d4e3439e4c9f468874c01519e61

    SHA512

    4c16aec19b81dd0466e6c2288922f286a829c49605b5e99caa61f5e12a29a63ba4ca2b97b5ea040e276c67a7de881203329c44d125475a871f627187e73e994e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0ad6da668e5209f5ea5416a7fb2437dd

    SHA1

    5903fc4a4a6e87b7b9a7ae923399f7a1dfbc7ce5

    SHA256

    a74db77446a647c6c5cc05fb2cd102b9e3e691da79251d431ebe759f9e99bf44

    SHA512

    752eeb68c557d50782b30451692779d732756d205f9322ca4f34a291ff3f14ceccfa5911f385f68b65d784bc4b3abf029efe71f8aba2c462219bb582b1b40bad

  • C:\Users\Admin\AppData\Local\Temp\C40F55C1-3091-4DA0-A6B2-BC3C3E4E0755\sender.exe

    Filesize

    260KB

    MD5

    f1a8f60c018647902e70cf3869e1563f

    SHA1

    3caf9c51dfd75206d944d4c536f5f5ff8e225ae9

    SHA256

    36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577

    SHA512

    c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

  • C:\Users\Admin\AppData\Local\Temp\CabD4FD.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP

    Filesize

    41.3MB

    MD5

    a3454326c54a0fd767862c52af541601

    SHA1

    4c5f30388fb7e36edbf7a420dc176ab168f49e70

    SHA256

    46f3b2b3b25dd9985bc5adeae11561fe998cf0b7d3f95fb3fbe16185065b5c48

    SHA512

    957c54d7a185cdd80c2acd66a6195f7110c59c7b271127bc06d65484a574e0942b5c7bf1e07abd83514cabc8733b169032de431089e14b2d70d27b76eebb5459

  • C:\Users\Admin\AppData\Local\Temp\TarD510.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

    Filesize

    34KB

    MD5

    8c09a7e0cf08e7dbdabc585751633c95

    SHA1

    c3bbff494bebbce6ba25bfa4bad695bd905a5d2d

    SHA256

    419d7e570d865074652fe24780b3ecf02305d17282a50222c55ea4ed170c626e

    SHA512

    bcda64c79a95d9b141ed3791789c634f95b0891d39a300ba82c941683056f22feab0793dde1c3ea6f8b755f8790bf7e3fbe990a929bc454572bbdf6e52b30109

  • C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

    Filesize

    531B

    MD5

    f1083a9453af8796ae5b0df6d4e8ce57

    SHA1

    2567b4c551c179614d213514bed8ceb20e4f97e8

    SHA256

    637a4d28261e4819483ca7296cf6b6eb5768e2e82b218a3edca4c007b9941788

    SHA512

    fd5993494290326be52da2105ca176c588f490fd9c4a98514178a1459887064b6bd09f4e4168dd1a35a2e5e5b58b887cfc0e595e4b1a8e2a79bc93c2ea1cd880

  • C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

    Filesize

    510B

    MD5

    c528466ba6d4f66966aa31021aa339dc

    SHA1

    ee953f22f33b25d80cbfe250d64fed4d2da80091

    SHA256

    546e928b7127a4515b089f0b913078404b664a5df33c928a281888c25b03760f

    SHA512

    ebd159dbc6f47b6f70e4f47d9de6bc540c86c915c44df7a4dd50c1c6a431303bb06e22382e8a76e9e2399d24263feca64305a74fa4b50314f8b429b141af601c

  • C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

    Filesize

    9.8MB

    MD5

    db69b41b1827ccc598a416e0d32e4a39

    SHA1

    acc35592e318c32d0f4ac768f32f1f8243ba230c

    SHA256

    b5a4c7a05785ac51553953bf951c284ff03a9ac7d1cba15fa391d0b6c7aed5cc

    SHA512

    d40479e0dd384a99fefbc8a43381dde21b2633320393566ecdb2895fa88008794b996d7fac3ddae102c6dd516cdb3c14e3e52ff7371472cc0894c444a4b4d867

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\places.sqlite-20240916162345.807600.backup

    Filesize

    68KB

    MD5

    314cb7ffb31e3cc676847e03108378ba

    SHA1

    3667d2ade77624e79d9efa08a2f1d33104ac6343

    SHA256

    b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

    SHA512

    dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240916162346.057200.backup

    Filesize

    1KB

    MD5

    3adec702d4472e3252ca8b58af62247c

    SHA1

    35d1d2f90b80dca80ad398f411c93fe8aef07435

    SHA256

    2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

    SHA512

    7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240916162346.057200.backup

    Filesize

    313B

    MD5

    af006f1bcc57b11c3478be8babc036a8

    SHA1

    c3bb4fa8c905565ca6a1f218e39fe7494910891e

    SHA256

    ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

    SHA512

    3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

  • C:\Users\Admin\AppData\Roaming\Yandex\ui

    Filesize

    36B

    MD5

    5409df99dd8dac818bc8584049d82f41

    SHA1

    4343dfebace62317a90fe44c5f1afc7db648814a

    SHA256

    4c041210104c559f50de46641ac898645ecc5011a5711f1643dce5de58c6e323

    SHA512

    8c2019765836df3b3a807ac50de6f23453456fe2cc97934e0d59ab54d3d843fb994419cb4158b249c36fc295276fdd23cf07f299ce38e11fab5726b98ef5a81e

  • C:\Windows\Installer\MSIE1E5.tmp

    Filesize

    181KB

    MD5

    0c80a997d37d930e7317d6dac8bb7ae1

    SHA1

    018f13dfa43e103801a69a20b1fab0d609ace8a5

    SHA256

    a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

    SHA512

    fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

  • C:\Windows\Installer\MSIE244.tmp

    Filesize

    189KB

    MD5

    e6fd0e66cf3bfd3cc04a05647c3c7c54

    SHA1

    6a1b7f1a45fb578de6492af7e2fede15c866739f

    SHA256

    669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

    SHA512

    fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

  • \Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • \Users\Admin\AppData\Local\Temp\6780B1D1-9B50-4B1B-A023-B12D7A4359C0\seederexe.exe

    Filesize

    8.6MB

    MD5

    225ba20fa3edd13c9c72f600ff90e6cb

    SHA1

    5f1a9baa85c2afe29619e7cc848036d9174701e4

    SHA256

    35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797

    SHA512

    97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

  • \Users\Admin\AppData\Local\Temp\9BBD282D-ED7F-4BDD-B51E-9EE81ED45235\lite_installer.exe

    Filesize

    419KB

    MD5

    aafdfaa7a989ddb216510fc9ae5b877f

    SHA1

    41cf94692968a7d511b6051b7fe2b15c784770cb

    SHA256

    688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc

    SHA512

    6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

  • memory/2388-3-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2388-475-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2388-5-0x000000000041F000-0x0000000000423000-memory.dmp

    Filesize

    16KB