Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 10:30 UTC

General

  • Target

    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe

  • Size

    3.4MB

  • MD5

    bc64976c095fb66a8b7ff82692d46d11

  • SHA1

    d6beb324e6f6058dd4b3902cd907191ce991bfdf

  • SHA256

    2c3d48205a200f13cec47f2b9873f24f07bd41f8884b6713d61d150aa291ad5d

  • SHA512

    61eb7f3fab9bac87e2fc0fa9b045cfe58000bc3798b6c663542766d4fd0185ec174c0caaa0b57a4fe9a9bef7cadd53a50b40beabb86630f7b5f00e8965c95828

  • SSDEEP

    49152:iZi5Wu7I/Bzfz/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hOq:iI5Wt/BzfzW1t0xOouBiCV2Hp

Malware Config

Signatures

  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    238.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    238.187.250.142.in-addr.arpa
    IN PTR
    Response
    238.187.250.142.in-addr.arpa
    IN PTR
    lhr25s34-in-f14.1e100.net
  • flag-us
    DNS
    d3n1ms4uhtqgov.cloudfront.net
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    d3n1ms4uhtqgov.cloudfront.net
    IN A
    Response
    d3n1ms4uhtqgov.cloudfront.net
    IN A
    65.9.94.197
    d3n1ms4uhtqgov.cloudfront.net
    IN A
    65.9.94.69
    d3n1ms4uhtqgov.cloudfront.net
    IN A
    65.9.94.120
    d3n1ms4uhtqgov.cloudfront.net
    IN A
    65.9.94.217
  • flag-cz
    GET
    https://d3n1ms4uhtqgov.cloudfront.net/latest/il/v4.743.229.737
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    65.9.94.197:443
    Request
    GET /latest/il/v4.743.229.737 HTTP/1.1
    Host: d3n1ms4uhtqgov.cloudfront.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Length: 258064
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: private, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0
    Content-Disposition: attachment; filename="ds."; filename*=UTF-8''ds.
    Content-Transfer-Encoding: binary
    Date: Mon, 30 Sep 2024 10:30:34 GMT
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Pragma: public
    X-Cache: Miss from cloudfront
    Via: 1.1 8197d89da72990bb606996d5e7c73ab6.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: PRG50-C1
    X-Amz-Cf-Id: mdmIhi_h3NmcDuQFa_F1Xp--qBfhQSVIJ2t69JE6-11Ry3bH7yvGXg==
    Age: 0
  • flag-us
    DNS
    5isohu.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    d1arl2thrafelv.cloudfront.net
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    d1arl2thrafelv.cloudfront.net
    IN A
    Response
    d1arl2thrafelv.cloudfront.net
    IN A
    65.9.94.199
    d1arl2thrafelv.cloudfront.net
    IN A
    65.9.94.209
    d1arl2thrafelv.cloudfront.net
    IN A
    65.9.94.74
    d1arl2thrafelv.cloudfront.net
    IN A
    65.9.94.11
  • flag-cz
    POST
    https://d1arl2thrafelv.cloudfront.net/sec
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    65.9.94.199:443
    Request
    POST /sec HTTP/1.1
    Content-Type: application/json; charset=utf-8
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: d1arl2thrafelv.cloudfront.net
    Content-Length: 330
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/xml
    Content-Length: 8335
    Connection: keep-alive
    Server: awselb/2.0
    Date: Mon, 30 Sep 2024 10:30:35 GMT
    cache-control: no-cache
    content-encoding: gzip
    x-true-request-id: ba590b88-4906-4e38-a4ea-01a53e32d289
    x-robots-tag: none
    expires: Thu, 01 Jan 1970 00:00:00 GMT
    X-Cache: Miss from cloudfront
    Via: 1.1 93fcd07b66eaf26b036f14e2ec9d73ea.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: PRG50-C1
    X-Amz-Cf-Id: yOBPwV5TSrYZtQF5qm-QpTRKuQAC2_wOFzbGoidviO49XZPq_mnyAg==
  • flag-cz
    GET
    https://d1arl2thrafelv.cloudfront.net/assets/schema/1.0/schema.xsd
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    65.9.94.199:443
    Request
    GET /assets/schema/1.0/schema.xsd HTTP/1.1
    Host: d1arl2thrafelv.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: binary/octet-stream
    Content-Length: 19119
    Connection: keep-alive
    Date: Mon, 30 Sep 2024 02:06:54 GMT
    Last-Modified: Wed, 27 Apr 2022 09:06:59 GMT
    ETag: "5e1c250d9911739c9c67a19ed52c282e"
    x-amz-version-id: 8OO7E0W1zhNgufbqkR3QVyi2FdJBzWmI
    Accept-Ranges: bytes
    Server: AmazonS3
    X-Cache: Hit from cloudfront
    Via: 1.1 93fcd07b66eaf26b036f14e2ec9d73ea.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: PRG50-C1
    X-Amz-Cf-Id: NaLGTM0WhCw9Mr3UJkF1yMYNDE93KeRl6fxMu4FcI_ph5tbpNCVwsA==
    Age: 30222
  • flag-cz
    GET
    https://d1arl2thrafelv.cloudfront.net/assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    65.9.94.199:443
    Request
    GET /assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png HTTP/1.1
    Host: d1arl2thrafelv.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: image/png
    Content-Length: 52351
    Connection: keep-alive
    Date: Mon, 30 Sep 2024 04:38:53 GMT
    Last-Modified: Wed, 09 Feb 2022 14:02:19 GMT
    ETag: "a4ddc01527ea03fe7860a551c4b98def"
    x-amz-meta-cb-modifiedtime: Wed, 09 Feb 2022 13:30:15 GMT
    x-amz-version-id: MF8OfEOgboViPhGswB2g9Y9Ltzmexd8P
    Accept-Ranges: bytes
    Server: AmazonS3
    X-Cache: Hit from cloudfront
    Via: 1.1 93fcd07b66eaf26b036f14e2ec9d73ea.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: PRG50-C1
    X-Amz-Cf-Id: Ssx7AvJDDMHLIDeM6KVXqJnt01rAKPgquHd7butQP6AYa6rjIU1A8Q==
    Age: 21102
  • flag-us
    DNS
    197.94.9.65.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.94.9.65.in-addr.arpa
    IN PTR
    Response
    197.94.9.65.in-addr.arpa
    IN PTR
    server-65-9-94-197.prg50.r.cloudfront.net
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.aieov.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    www.aieov.com
    IN A
    Response
    www.aieov.com
    IN A
    45.33.20.235
    www.aieov.com
    IN A
    96.126.123.244
    www.aieov.com
    IN A
    72.14.178.174
    www.aieov.com
    IN A
    72.14.185.43
    www.aieov.com
    IN A
    173.255.194.134
    www.aieov.com
    IN A
    45.33.2.79
    www.aieov.com
    IN A
    45.56.79.23
    www.aieov.com
    IN A
    45.33.30.197
    www.aieov.com
    IN A
    45.33.18.44
    www.aieov.com
    IN A
    45.33.23.183
    www.aieov.com
    IN A
    45.79.19.196
    www.aieov.com
    IN A
    198.58.118.167
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:30:35 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-cz
    GET
    https://d1arl2thrafelv.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    65.9.94.199:443
    Request
    GET /assets/WebAdvisor/images/943/darkBG/EN.png HTTP/1.1
    Host: d1arl2thrafelv.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: image/png
    Content-Length: 41518
    Connection: keep-alive
    Date: Mon, 30 Sep 2024 03:11:18 GMT
    Last-Modified: Wed, 23 Nov 2022 15:47:19 GMT
    ETag: "e9a21c273edd34746bfd51c2b7ec342a"
    x-amz-version-id: kp6HZavFYfH51EskSFyLu0ue1tBxqY6q
    Accept-Ranges: bytes
    Server: AmazonS3
    X-Cache: Hit from cloudfront
    Via: 1.1 7bb80b5d9f75710222feac15033d6af0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: PRG50-C1
    X-Amz-Cf-Id: l6PcqZ6qcoLu_D6coonprnOTbniJ5uIOWDHROIJt6TJiomj7bf4ijw==
    Age: 26358
  • flag-us
    DNS
    199.94.9.65.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    199.94.9.65.in-addr.arpa
    IN PTR
    Response
    199.94.9.65.in-addr.arpa
    IN PTR
    server-65-9-94-199.prg50.r.cloudfront.net
  • flag-us
    DNS
    235.20.33.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.20.33.45.in-addr.arpa
    IN PTR
    Response
    235.20.33.45.in-addr.arpa
    IN PTR
    li974-235.members.linode.com
  • flag-us
    DNS
    5isohu.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:30:40 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:30:44 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    DNS
    5isohu.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:30:49 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5isohu.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:30:53 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    DNS
    middledata.ldplayer.net
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    middledata.ldplayer.net
    IN A
    Response
    middledata.ldplayer.net
    IN CNAME
    alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com
    alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com
    IN A
    8.219.48.146
    alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com
    IN A
    8.219.136.97
    alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com
    IN A
    8.219.4.49
  • flag-sg
    POST
    https://middledata.ldplayer.net/collection/biz/upload
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.219.48.146:443
    Request
    POST /collection/biz/upload HTTP/1.1
    Host: middledata.ldplayer.net
    Accept: */*
    Content-Type:application/json;charset=UTF-8
    timestamp: 1727692252218
    signature: 34342d18
    Content-Length: 456
    Response
    HTTP/1.1 200
    Date: Mon, 30 Sep 2024 10:30:54 GMT
    Content-Type: application/json;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
  • flag-us
    DNS
    146.48.219.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.48.219.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:30:58 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    DNS
    5isohu.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5isohu.com
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    GET
    http://www.aieov.com/so.gif
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    Remote address:
    45.33.20.235:80
    Request
    GET /so.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Mon, 30 Sep 2024 10:32:59 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • 65.9.94.197:443
    https://d3n1ms4uhtqgov.cloudfront.net/latest/il/v4.743.229.737
    tls, http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    5.3kB
    272.9kB
    106
    203

    HTTP Request

    GET https://d3n1ms4uhtqgov.cloudfront.net/latest/il/v4.743.229.737

    HTTP Response

    200
  • 65.9.94.199:443
    https://d1arl2thrafelv.cloudfront.net/assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png
    tls, http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    3.2kB
    90.2kB
    43
    74

    HTTP Request

    POST https://d1arl2thrafelv.cloudfront.net/sec

    HTTP Response

    200

    HTTP Request

    GET https://d1arl2thrafelv.cloudfront.net/assets/schema/1.0/schema.xsd

    HTTP Response

    200

    HTTP Request

    GET https://d1arl2thrafelv.cloudfront.net/assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png

    HTTP Response

    200
  • 45.33.20.235:80
    http://www.aieov.com/logo.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 65.9.94.199:443
    https://d1arl2thrafelv.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png
    tls, http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    1.5kB
    43.8kB
    22
    37

    HTTP Request

    GET https://d1arl2thrafelv.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png

    HTTP Response

    200
  • 45.33.20.235:80
    http://www.aieov.com/logo.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 45.33.20.235:80
    http://www.aieov.com/logo.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 45.33.20.235:80
    http://www.aieov.com/logo.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 45.33.20.235:80
    http://www.aieov.com/logo.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 8.219.48.146:443
    https://middledata.ldplayer.net/collection/biz/upload
    tls, http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    1.4kB
    4.9kB
    10
    10

    HTTP Request

    POST https://middledata.ldplayer.net/collection/biz/upload

    HTTP Response

    200
  • 45.33.20.235:80
    http://www.aieov.com/logo.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 45.33.20.235:80
    http://www.aieov.com/so.gif
    http
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    334 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/so.gif

    HTTP Response

    403
  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    238.187.250.142.in-addr.arpa
    dns
    74 B
    113 B
    1
    1

    DNS Request

    238.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    d3n1ms4uhtqgov.cloudfront.net
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    75 B
    139 B
    1
    1

    DNS Request

    d3n1ms4uhtqgov.cloudfront.net

    DNS Response

    65.9.94.197
    65.9.94.69
    65.9.94.120
    65.9.94.217

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    d1arl2thrafelv.cloudfront.net
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    75 B
    139 B
    1
    1

    DNS Request

    d1arl2thrafelv.cloudfront.net

    DNS Response

    65.9.94.199
    65.9.94.209
    65.9.94.74
    65.9.94.11

  • 8.8.8.8:53
    197.94.9.65.in-addr.arpa
    dns
    70 B
    125 B
    1
    1

    DNS Request

    197.94.9.65.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    www.aieov.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    59 B
    251 B
    1
    1

    DNS Request

    www.aieov.com

    DNS Response


  • 8.8.8.8:53
    199.94.9.65.in-addr.arpa
    dns
    70 B
    125 B
    1
    1

    DNS Request

    199.94.9.65.in-addr.arpa

  • 8.8.8.8:53
    235.20.33.45.in-addr.arpa
    dns
    71 B
    113 B
    1
    1

    DNS Request

    235.20.33.45.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    middledata.ldplayer.net
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    69 B
    185 B
    1
    1

    DNS Request

    middledata.ldplayer.net

    DNS Response

    8.219.48.146
    8.219.136.97
    8.219.4.49

  • 8.8.8.8:53
    146.48.219.8.in-addr.arpa
    dns
    71 B
    142 B
    1
    1

    DNS Request

    146.48.219.8.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • C:\Program Files\Common Files\System\symsrv.dll.000

    Filesize

    175B

    MD5

    1130c911bf5db4b8f7cf9b6f4b457623

    SHA1

    48e734c4bc1a8b5399bff4954e54b268bde9d54c

    SHA256

    eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

    SHA512

    94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

    Filesize

    67KB

    MD5

    7d5d3e2fcfa5ff53f5ae075ed4327b18

    SHA1

    3905104d8f7ba88b3b34f4997f3948b3183953f6

    SHA256

    e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

    SHA512

    e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

  • memory/2752-34-0x000000000A550000-0x000000000A5EC000-memory.dmp

    Filesize

    624KB

  • memory/2752-36-0x000000000B5A0000-0x000000000BACC000-memory.dmp

    Filesize

    5.2MB

  • memory/2752-23-0x00000000093C0000-0x0000000009964000-memory.dmp

    Filesize

    5.6MB

  • memory/2752-24-0x00000000092D0000-0x0000000009362000-memory.dmp

    Filesize

    584KB

  • memory/2752-33-0x000000000A460000-0x000000000A4A4000-memory.dmp

    Filesize

    272KB

  • memory/2752-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2752-35-0x000000000A5F0000-0x000000000A656000-memory.dmp

    Filesize

    408KB

  • memory/2752-21-0x0000000006670000-0x0000000006684000-memory.dmp

    Filesize

    80KB

  • memory/2752-42-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2752-40-0x00000000003C0000-0x0000000000715000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-48-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2752-22-0x00000000736D0000-0x00000000736E4000-memory.dmp

    Filesize

    80KB

  • memory/2752-54-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2752-53-0x00000000003C0000-0x0000000000715000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-66-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB
