Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2024, 10:30 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
Resource: win7-20240903-en
General
Target: 2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
Size: 3.4MB
MD5: bc64976c095fb66a8b7ff82692d46d11
SHA1: d6beb324e6f6058dd4b3902cd907191ce991bfdf
SHA256: 2c3d48205a200f13cec47f2b9873f24f07bd41f8884b6713d61d150aa291ad5d
SHA512: 61eb7f3fab9bac87e2fc0fa9b045cfe58000bc3798b6c663542766d4fd0185ec174c0caaa0b57a4fe9a9bef7cadd53a50b40beabb86630f7b5f00e8965c95828
SSDEEP: 49152:iZi5Wu7I/Bzfz/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hOq:iI5Wt/BzfzW1t0xOouBiCV2Hp
Malware Config
Signatures

Detects Floxif payload (1 IoCs)
  resource                                    yara_rule
  behavioral2/files/0x0008000000023456-1.dat  floxif

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource                                    yara_rule
  behavioral2/files/0x0008000000023456-1.dat  acprotect

Loads dropped DLL (4 IoCs)
  pid   Process
  2752  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  (4 identical entries)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\e:  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe

  resource                                                                     yara_rule
  behavioral2/memory/2752-4-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral2/files/0x0008000000023456-1.dat                                   upx
  behavioral2/memory/2752-42-0x0000000010000000-0x0000000010030000-memory.dmp  upx
  behavioral2/memory/2752-48-0x0000000010000000-0x0000000010030000-memory.dmp  upx
  behavioral2/memory/2752-54-0x0000000010000000-0x0000000010030000-memory.dmp  upx
  behavioral2/memory/2752-66-0x0000000010000000-0x0000000010030000-memory.dmp  upx

Drops file in Program Files directory (2 IoCs)
  description   ioc                                                      Process
  File created  C:\Program Files\Common Files\System\symsrv.dll          2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
  File created  \??\c:\program files\common files\system\symsrv.dll.000  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   Process
  2752  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  (13 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                       pid   Process
  Token: SeDebugPrivilege           2752  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
  Token: SeDebugPrivilege           2752  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
  Token: SeShutdownPrivilege        2752  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
  Token: SeCreatePagefilePrivilege  2752  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe"
PID: 2752
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
-
Remote address: 8.8.8.8:53  Request: 149.220.183.52.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 172.214.232.199.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 238.187.250.142.in-addr.arpa IN PTR  Response: 238.187.250.142.in-addr.arpa IN PTR lhr25s34-in-f14.1e100.net
-
DNS d3n1ms4uhtqgov.cloudfront.net  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 8.8.8.8:53
Request: d3n1ms4uhtqgov.cloudfront.net IN A
Response: d3n1ms4uhtqgov.cloudfront.net IN A 65.9.94.197
          d3n1ms4uhtqgov.cloudfront.net IN A 65.9.94.69
          d3n1ms4uhtqgov.cloudfront.net IN A 65.9.94.120
          d3n1ms4uhtqgov.cloudfront.net IN A 65.9.94.217
-
GET https://d3n1ms4uhtqgov.cloudfront.net/latest/il/v4.743.229.737  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 65.9.94.197:443
Request
GET /latest/il/v4.743.229.737 HTTP/1.1
Host: d3n1ms4uhtqgov.cloudfront.net
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Length: 258064
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: private, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0
Content-Disposition: attachment; filename="ds."; filename*=UTF-8''ds.
Content-Transfer-Encoding: binary
Date: Mon, 30 Sep 2024 10:30:34 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: public
X-Cache: Miss from cloudfront
Via: 1.1 8197d89da72990bb606996d5e7c73ab6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: PRG50-C1
X-Amz-Cf-Id: mdmIhi_h3NmcDuQFa_F1Xp--qBfhQSVIJ2t69JE6-11Ry3bH7yvGXg==
Age: 0
-
Remote address: 8.8.8.8:53  Request: 5isohu.com IN A  Response: (empty)
-
DNS d1arl2thrafelv.cloudfront.net  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 8.8.8.8:53
Request: d1arl2thrafelv.cloudfront.net IN A
Response: d1arl2thrafelv.cloudfront.net IN A 65.9.94.199
          d1arl2thrafelv.cloudfront.net IN A 65.9.94.209
          d1arl2thrafelv.cloudfront.net IN A 65.9.94.74
          d1arl2thrafelv.cloudfront.net IN A 65.9.94.11
-
POST https://d1arl2thrafelv.cloudfront.net/sec  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 65.9.94.199:443
Request
POST /sec HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: d1arl2thrafelv.cloudfront.net
Content-Length: 330
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Length: 8335
Connection: keep-alive
Server: awselb/2.0
Date: Mon, 30 Sep 2024 10:30:35 GMT
cache-control: no-cache
content-encoding: gzip
x-true-request-id: ba590b88-4906-4e38-a4ea-01a53e32d289
x-robots-tag: none
expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Cache: Miss from cloudfront
Via: 1.1 93fcd07b66eaf26b036f14e2ec9d73ea.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: PRG50-C1
X-Amz-Cf-Id: yOBPwV5TSrYZtQF5qm-QpTRKuQAC2_wOFzbGoidviO49XZPq_mnyAg==
-
GET https://d1arl2thrafelv.cloudfront.net/assets/schema/1.0/schema.xsd  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 65.9.94.199:443
Request
GET /assets/schema/1.0/schema.xsd HTTP/1.1
Host: d1arl2thrafelv.cloudfront.net
Response
HTTP/1.1 200 OK
Content-Length: 19119
Connection: keep-alive
Date: Mon, 30 Sep 2024 02:06:54 GMT
Last-Modified: Wed, 27 Apr 2022 09:06:59 GMT
ETag: "5e1c250d9911739c9c67a19ed52c282e"
x-amz-version-id: 8OO7E0W1zhNgufbqkR3QVyi2FdJBzWmI
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 93fcd07b66eaf26b036f14e2ec9d73ea.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: PRG50-C1
X-Amz-Cf-Id: NaLGTM0WhCw9Mr3UJkF1yMYNDE93KeRl6fxMu4FcI_ph5tbpNCVwsA==
Age: 30222
-
GET https://d1arl2thrafelv.cloudfront.net/assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 65.9.94.199:443
Request
GET /assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png HTTP/1.1
Host: d1arl2thrafelv.cloudfront.net
Response
HTTP/1.1 200 OK
Content-Length: 52351
Connection: keep-alive
Date: Mon, 30 Sep 2024 04:38:53 GMT
Last-Modified: Wed, 09 Feb 2022 14:02:19 GMT
ETag: "a4ddc01527ea03fe7860a551c4b98def"
x-amz-meta-cb-modifiedtime: Wed, 09 Feb 2022 13:30:15 GMT
x-amz-version-id: MF8OfEOgboViPhGswB2g9Y9Ltzmexd8P
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 93fcd07b66eaf26b036f14e2ec9d73ea.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: PRG50-C1
X-Amz-Cf-Id: Ssx7AvJDDMHLIDeM6KVXqJnt01rAKPgquHd7butQP6AYa6rjIU1A8Q==
Age: 21102
-
Remote address: 8.8.8.8:53  Request: 197.94.9.65.in-addr.arpa IN PTR  Response: 197.94.9.65.in-addr.arpa IN PTR server-65-9-94-197.prg50.r.cloudfront.net
-
Remote address: 8.8.8.8:53  Request: 71.159.190.20.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 95.221.229.192.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53
Request: www.aieov.com IN A
Response: www.aieov.com IN A 45.33.20.235
          www.aieov.com IN A 96.126.123.244
          www.aieov.com IN A 72.14.178.174
          www.aieov.com IN A 72.14.185.43
          www.aieov.com IN A 173.255.194.134
          www.aieov.com IN A 45.33.2.79
          www.aieov.com IN A 45.56.79.23
          www.aieov.com IN A 45.33.30.197
          www.aieov.com IN A 45.33.18.44
          www.aieov.com IN A 45.33.23.183
          www.aieov.com IN A 45.79.19.196
          www.aieov.com IN A 198.58.118.167
-
GET http://www.aieov.com/logo.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:30:35 GMT
content-type: text/html
content-length: 175
connection: close
-
GET https://d1arl2thrafelv.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 65.9.94.199:443
Request
GET /assets/WebAdvisor/images/943/darkBG/EN.png HTTP/1.1
Host: d1arl2thrafelv.cloudfront.net
Response
HTTP/1.1 200 OK
Content-Length: 41518
Connection: keep-alive
Date: Mon, 30 Sep 2024 03:11:18 GMT
Last-Modified: Wed, 23 Nov 2022 15:47:19 GMT
ETag: "e9a21c273edd34746bfd51c2b7ec342a"
x-amz-version-id: kp6HZavFYfH51EskSFyLu0ue1tBxqY6q
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 7bb80b5d9f75710222feac15033d6af0.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: PRG50-C1
X-Amz-Cf-Id: l6PcqZ6qcoLu_D6coonprnOTbniJ5uIOWDHROIJt6TJiomj7bf4ijw==
Age: 26358
-
Remote address: 8.8.8.8:53  Request: 199.94.9.65.in-addr.arpa IN PTR  Response: 199.94.9.65.in-addr.arpa IN PTR server-65-9-94-199.prg50.r.cloudfront.net
-
Remote address: 8.8.8.8:53  Request: 235.20.33.45.in-addr.arpa IN PTR  Response: 235.20.33.45.in-addr.arpa IN PTR li974-235.members.linode.com
-
Remote address: 8.8.8.8:53  Request: 5isohu.com IN A  Response: (empty)
-
GET http://www.aieov.com/logo.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:30:40 GMT
content-type: text/html
content-length: 175
connection: close
-
GET http://www.aieov.com/logo.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:30:44 GMT
content-type: text/html
content-length: 175
connection: close
-
Remote address: 8.8.8.8:53  Request: 5isohu.com IN A  Response: (empty)
-
GET http://www.aieov.com/logo.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:30:49 GMT
content-type: text/html
content-length: 175
connection: close
-
Remote address: 8.8.8.8:53  Request: 133.211.185.52.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 5isohu.com IN A  Response: (empty)
-
GET http://www.aieov.com/logo.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:30:53 GMT
content-type: text/html
content-length: 175
connection: close
-
DNS middledata.ldplayer.net  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 8.8.8.8:53
Request: middledata.ldplayer.net IN A
Response: middledata.ldplayer.net IN CNAME alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com
          alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com IN A 8.219.48.146
          alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com IN A 8.219.136.97
          alb-vnsvd2pytinqdbj862.ap-southeast-1.alb.aliyuncs.com IN A 8.219.4.49
-
POST https://middledata.ldplayer.net/collection/biz/upload  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 8.219.48.146:443
Request
POST /collection/biz/upload HTTP/1.1
Host: middledata.ldplayer.net
Accept: */*
Content-Type:application/json;charset=UTF-8
timestamp: 1727692252218
signature: 34342d18
Content-Length: 456
Response
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
-
Remote address: 8.8.8.8:53  Request: 146.48.219.8.in-addr.arpa IN PTR  Response: (empty)
-
GET http://www.aieov.com/logo.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:30:58 GMT
content-type: text/html
content-length: 175
connection: close
-
Remote address: 8.8.8.8:53  Request: 5isohu.com IN A  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 56.163.245.4.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 198.187.3.20.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 172.210.232.199.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 83.210.23.2.in-addr.arpa IN PTR  Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53  Request: 48.229.111.52.in-addr.arpa IN PTR  Response: (empty)
-
Remote address: 8.8.8.8:53  Request: 5isohu.com IN A  Response: (empty)
-
GET http://www.aieov.com/so.gif  (2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe)
Remote address: 45.33.20.235:80
Request
GET /so.gif HTTP/1.1
Accept: */*
Host: www.aieov.com
Response
HTTP/1.1 403 Forbidden
date: Mon, 30 Sep 2024 10:32:59 GMT
content-type: text/html
content-length: 175
connection: close
-
65.9.94.197:443  https://d3n1ms4uhtqgov.cloudfront.net/latest/il/v4.743.229.737  tls, http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  5.3kB 272.9kB 106 203
HTTP Request
GET https://d3n1ms4uhtqgov.cloudfront.net/latest/il/v4.743.229.737
HTTP Response
200
-
65.9.94.199:443  https://d1arl2thrafelv.cloudfront.net/assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png  tls, http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  3.2kB 90.2kB 43 74
HTTP Request
POST https://d1arl2thrafelv.cloudfront.net/sec
HTTP Response
200
HTTP Request
GET https://d1arl2thrafelv.cloudfront.net/assets/schema/1.0/schema.xsd
HTTP Response
200
HTTP Request
GET https://d1arl2thrafelv.cloudfront.net/assets/RAV/images/DOT_RAV_Bisli_Logo_bcg_V2/DOTPS-588/darkBG/EN.png
HTTP Response
200
-
45.33.20.235:80  http://www.aieov.com/logo.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  336 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/logo.gif
HTTP Response
403
-
65.9.94.199:443  https://d1arl2thrafelv.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png  tls, http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  1.5kB 43.8kB 22 37
HTTP Request
GET https://d1arl2thrafelv.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png
HTTP Response
200
-
45.33.20.235:80  http://www.aieov.com/logo.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  336 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/logo.gif
HTTP Response
403
-
45.33.20.235:80  http://www.aieov.com/logo.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  336 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/logo.gif
HTTP Response
403
-
45.33.20.235:80  http://www.aieov.com/logo.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  336 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/logo.gif
HTTP Response
403
-
45.33.20.235:80  http://www.aieov.com/logo.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  336 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/logo.gif
HTTP Response
403
-
8.219.48.146:443  https://middledata.ldplayer.net/collection/biz/upload  tls, http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  1.4kB 4.9kB 10 10
HTTP Request
POST https://middledata.ldplayer.net/collection/biz/upload
HTTP Response
200
-
45.33.20.235:80  http://www.aieov.com/logo.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  336 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/logo.gif
HTTP Response
403
-
45.33.20.235:80  http://www.aieov.com/so.gif  http  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  334 B 503 B 6 4
HTTP Request
GET http://www.aieov.com/so.gif
HTTP Response
403
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
74 B 113 B 1 1
DNS Request
238.187.250.142.in-addr.arpa
-
8.8.8.8:53  d3n1ms4uhtqgov.cloudfront.net  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  75 B 139 B 1 1
DNS Request
d3n1ms4uhtqgov.cloudfront.net
DNS Response
65.9.94.197, 65.9.94.69, 65.9.94.120, 65.9.94.217
-
8.8.8.8:53  5isohu.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  56 B 117 B 1 1
DNS Request
5isohu.com
-
8.8.8.8:53  d1arl2thrafelv.cloudfront.net  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  75 B 139 B 1 1
DNS Request
d1arl2thrafelv.cloudfront.net
DNS Response
65.9.94.199, 65.9.94.209, 65.9.94.74, 65.9.94.11
-
70 B 125 B 1 1
DNS Request
197.94.9.65.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:53  www.aieov.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  59 B 251 B 1 1
DNS Request
www.aieov.com
DNS Response
45.33.20.235, 96.126.123.244, 72.14.178.174, 72.14.185.43, 173.255.194.134, 45.33.2.79, 45.56.79.23, 45.33.30.197, 45.33.18.44, 45.33.23.183, 45.79.19.196, 198.58.118.167
-
70 B 125 B 1 1
DNS Request
199.94.9.65.in-addr.arpa
-
71 B 113 B 1 1
DNS Request
235.20.33.45.in-addr.arpa
-
8.8.8.8:53  5isohu.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  56 B 117 B 1 1
DNS Request
5isohu.com
-
8.8.8.8:53  5isohu.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  56 B 117 B 1 1
DNS Request
5isohu.com
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
8.8.8.8:53  5isohu.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  56 B 117 B 1 1
DNS Request
5isohu.com
-
8.8.8.8:53  middledata.ldplayer.net  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  69 B 185 B 1 1
DNS Request
middledata.ldplayer.net
DNS Response
8.219.48.146, 8.219.136.97, 8.219.4.49
-
71 B 142 B 1 1
DNS Request
146.48.219.8.in-addr.arpa
-
8.8.8.8:53  5isohu.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  56 B 117 B 1 1
DNS Request
5isohu.com
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa
-
8.8.8.8:53  5isohu.com  dns  2024-09-30_bc64976c095fb66a8b7ff82692d46d11_bkransomware_floxif_hijackloader.exe  56 B 117 B 1 1
DNS Request
5isohu.com
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 67KB
MD5: 7574cf2c64f35161ab1292e2f532aabf
SHA1: 14ba3fa927a06224dfe587014299e834def4644f
SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize: 175B
MD5: 1130c911bf5db4b8f7cf9b6f4b457623
SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
-
Filesize: 67KB
MD5: 7d5d3e2fcfa5ff53f5ae075ed4327b18
SHA1: 3905104d8f7ba88b3b34f4997f3948b3183953f6
SHA256: e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4
SHA512: e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589