Overview

overview

10

Static

static

3

883e906600...5a.exe

windows7-x64

10

883e906600...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a.exe

  • Size

    2.2MB

  • MD5

    2dd39a2a81148e3863172b0b0a2bf151

  • SHA1

    c18b79bd6e3eae144c89bb4b4801b7264b5b470b

  • SHA256

    883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a

  • SHA512

    2f3805fcc8e09290f540cb53e71d6e92c1f3e13361150211d7906df190efeb125fe8744c1fe9af38eae3204bcd70daa43507f74c976850db7e79344b29502f5a

  • SSDEEP

    49152:cMisvjSytKNwBNHFmxmqQu+UayKzkZhrYNPT:wQO6VF5/u+U+IwlT

Score
10/10
floxifbackdoordiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Signatures

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Detects Floxif payload 1 IoCs
    backdoor
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a.exe
    "C:\Users\Admin\AppData\Local\Temp\883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3864
    • \??\c:\users\admin\appdata\local\temp\883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a.exe 
      c:\users\admin\appdata\local\temp\883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4720
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4080
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3332
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1476
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3948
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\883e9066005d6e5d2cfdf3efcb335580135bc49b3c09502f654b491628ebbc5a.exe 
    Filesize

    2.0MB

    MD5

    707e6991906859a13fe6b3619dbc74e7

    SHA1

    55ae92be9e1b398fe7feb31c36563823de4d325c

    SHA256

    8342da3e56702319d7700ffc207cda208c74a76cd8cc40fb76313fb26d4228fe

    SHA512

    12de226c6995cefdafb7dedac2840298255262f2b62672be53f0d18c08eb40d3d97f8adaf43e91aa302328cca38c511804f5e7d5f43db7b032482791d0f8ddc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A1D26E2\BDC21398F18.tmp
    Filesize

    2.1MB

    MD5

    0db5cdb970a0a38f4bc62870c48d97d4

    SHA1

    43d20db36f6e38f821b98c6c65376c1d828fe48a

    SHA256

    5bc5a82bcdeac302b66cc6e922b2e69bf43181ed4ca3c42478a271444575c14d

    SHA512

    34c968b65bcb3ddb6fc9b967693d2f841549d2f7c933c3288a6d3f9ed669caec9d1309fb548471d6822f7ffd8689f29a393fc0759e9f125cfe87767b4d530bfe

    Download Submit

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    fbf54982dce6fea7b29f3338afe089a0

    SHA1

    a05d35ef8d5e72143cd12e513cb8d7e544364940

    SHA256

    3a6f984bcfc1f4edf905a1433a261ab4e8c843cf90e6f43b4e79582b3354e84c

    SHA512

    37b703506ede0b9a1f7a4349eed4dbc8d3ade06fa9f1ad6c6dfc7f3a10466b559a5c9e767141eb1aef9ded0d080f63ce703b506632e3bf34979eba18479321fb

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    b01553984e8574ca7ba3f2e79c270f2e

    SHA1

    0e2fa61b069122ba166a0ac7285a5594807593fc

    SHA256

    6c635a239a9a3c65abf6ae6a9169a255150ea2fad5ba4bf091c911e828813e4b

    SHA512

    bb1b9952f8fdbd142d6df1009aecc1f36231a67e36857058d753f79958e1d142ee7d50433b8a1d04a71e809049b1f0c1eb269699139da0c1259448344dd4cfd2

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    673c83c66a99447ae6cfa683367a0064

    SHA1

    63e58ee4444241b8f74b5a179e265af8196f89fd

    SHA256

    a20a1646b27f2f304c19cb78b83cfe458c5f3d3557aa36ee09f52fbaff560bcc

    SHA512

    a9f29df13e5f7cefa450995aa881df3c6bbd8ba3d759f19298cb60d5fbd248fded74323b8f34e90923e6bdb3035adb84ce6cc7cbe5607539995e33887690526b

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    3b2ad4615fbeaece33d6acaa9fd806cb

    SHA1

    a1a2a0ba1166bc4df242ff8669ef19681bcae0f6

    SHA256

    0d9815513b3d359433643aecd0c9aeb2d80fcee043cefa38786d3cd9556970ad

    SHA512

    9f106db7b1c0abbdd53a06df96600553cf102be5a13026ea74a85bc82afdb33765d5ae8df0a9978b92fbb76053cb6dddcd24cbab377fa22fb4b1c34fa2d45a46

    Download Submit

  • memory/1476-60-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1476-82-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1476-59-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1476-81-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3332-106-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3332-104-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3332-92-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3332-90-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3332-44-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3864-5-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3864-10-0x0000000000411000-0x0000000000414000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3864-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3864-63-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3864-88-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3864-89-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3948-69-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3948-91-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3948-107-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4080-87-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4080-84-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4080-86-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4080-31-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4080-34-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4528-78-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4528-79-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4528-73-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4528-75-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4720-22-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4720-29-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4720-18-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4720-28-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download