floxif | f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bc

Analysis

max time kernel
114s
max time network
54s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
Size

5.6MB
MD5

9b6787e6f99a57eccf8f398403739cb0
SHA1

702d0d70c8dbf1738b6f3ea07ba200f01b9cadbb
SHA256

f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bc
SHA512

fdd177ea85e0573596ca073dbfd2d1c8b5aa2c7bb2348ae6cdc865ad0f1048921b16cc3472ae555c27b1695b57aec16d4955d748519a11a7fdf31b65c5a6159a
SSDEEP

98304:8L3sSBKyVg5fYIq4D6HoYl5fIlPEZszInt4pNFjpJSnGYBzzsEPzdsXxXksFq:88SBBVg1O4D6Hj5idEa6BzwEPzdsXdk5

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0008000000012117-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012117-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2576	Setup.exe

Loads dropped DLL 10 IoCs

pid	Process
2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012117-1.dat	upx
behavioral1/memory/2960-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2576-104-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-136-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-138-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2576-142-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-146-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-153-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-160-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-167-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2960-178-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	Setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2576	Setup.exe
2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
Token: SeDebugPrivilege	2576	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30
PID 2960 wrote to memory of 2576	2960	f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe	30

C:\Users\Admin\AppData\Local\Temp\f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe
"C:\Users\Admin\AppData\Local\Temp\f75dff23fb2b4e4dc14644febe08f028ae59e20c77a8f75646198eadd64070bcN.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\772bd026b3bb9f3203ef57ed523425b6\Setup.exe
  C:\772bd026b3bb9f3203ef57ed523425b6\\Setup.exe /x86 /x64 /lcid 2052 /lpredist
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\772bd026b3bb9f3203ef57ed523425b6\1033\LocalizedData.xml

Filesize
80KB

MD5
ffd712ff1645648321ed91117f981017

SHA1
bf53f8ce3a4750b7fc4b6569fc5ef7ea20494450

SHA256
e4ec814ecb215c2f83ab2d6da5ae80d6ebdc015da2ea8f028657f35e632c4540

SHA512
f633fe71f63fd8661174636232ad07e387c38a52dd0dcc0f8573376ca411a61e870d11c95cc537eacc5f381ea372c830814b5c5857848672f2b4469eeafa1533

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\2052\LocalizedData.xml

Filesize
66KB

MD5
65c104ef11a43fd9769667eaab40e909

SHA1
6ec9e9ce3cf09ed5a19b2fdec24e41230e95820b

SHA256
72bdde5ab79018cfe9659bf4cd62752ffc5f20fada6b779a2945506331527e98

SHA512
37a0f2543d6bb3d57b9ef84b96ae27a9ea3f9f39aac8e3e874540e256140c54dfb65fb62638c1745803f014b752d3099ed8ddcc110c5a7122d9392f70640f100

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\ParameterInfo.xml

Filesize
1.2MB

MD5
3e8a593d7b72df3f88a1b0ff872f3780

SHA1
f52ab2ca54f9cd904c48515506f7d1941df91120

SHA256
4dbdedfe819c95d2dd902c2a15f11089369f705ce130239449ae18a4d417ed14

SHA512
91979bcbcc48f35b02178b9060533dc7c827ebede44799a746f94718c6a0aaa6b0c9a1349946c35635e975064f5658876739f5576946dbb385c0b8f270561422

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\SetupEngine.dll

Filesize
901KB

MD5
87125d428eb7b400af6822af0c4e72dd

SHA1
67dc6ef3ae8e32fda9e941d450ae9e0adbcf3982

SHA256
d199d038d59d3b6a219258009635699226d835bf9163357e9458352b6578b157

SHA512
d4ca91b014557827449426d00689f86599a6d7bdd231c358d1666001dfa73d54e199b695a8cb5c21aab7e191b01bdc7e031d6a9288af27b6b271f736d963ceb6

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\SetupUi.dll

Filesize
342KB

MD5
e31641c114d66ea24d79ed4032269dd0

SHA1
911fd6d8e62c61a76a464306f84c9b80e93467aa

SHA256
3b9822668816a77b623258f8036120eaa5da5d74b16aadfc601cb0e513a56461

SHA512
dc7377cadda1bf63c7df267f3313f916a92363004ab8859e6f3a77aa7938d20de0f6857b8842e6424de2749cf6686f35898002054d8f9c4ed4f5775035cec54c

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\SetupUi.xsd

Filesize
31KB

MD5
a9f6a028e93f3f6822eb900ec3fda7ad

SHA1
8ff2e8f36d690a687233dbd2e72d98e16e7ef249

SHA256
aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848

SHA512
1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\SplashScreen.bmp

Filesize
117KB

MD5
bc32088bfaa1c76ba4b56639a2dec592

SHA1
84b47aa37bda0f4cd196bd5f4bd6926a594c5f82

SHA256
b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7

SHA512
4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\UiInfo.xml

Filesize
35KB

MD5
8ace169bf65675c089e0327d5b1f7437

SHA1
43646e29c878f58ac4b5d7c192d11b3becd9e9f6

SHA256
8f7847cfc9ec70b6758f6fbe9b98809ca7bf8ecb25bf9b3a8e7e052b83dfa94b

SHA512
3e98f8351e96bab4b8cecf93e590c722233d119d7cec76445a0b170f69de647bd65eafeafecc8888573e986b3f80403480728c7a1e014961fbd60dc169ca5db7

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\graphics\print.ico

Filesize
123KB

MD5
d39bad9dda7b91613cb29b6bd55f0901

SHA1
6d079df41e31fbc836922c19c5be1a7fc38ac54e

SHA256
d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6

SHA512
fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\graphics\save.ico

Filesize
123KB

MD5
c66bbe8f84496ef85f7af6bed5212cec

SHA1
1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1

SHA256
1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd

SHA512
5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\graphics\setup.ico

Filesize
123KB

MD5
6125f32aa97772afdff2649bd403419b

SHA1
d84da82373b599aed496e0d18901e3affb6cfaca

SHA256
a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5

SHA512
c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\graphics\stop.ico

Filesize
185KB

MD5
7d1bccce4f2ee7c824c6304c4a2f9736

SHA1
2c21bf8281ac211759b1d48c6b1217dd6ddfb870

SHA256
bfb0332df9fa20dea30f0db53ceaa389df2722fd1acf37f40af954237717532d

SHA512
16f9bf72b2ddc2178a6f1b439dedabe36a82c9293e0e64cfaccbf5297786d33025a5e15aa3c4dc00b878b53fe032f0b7ed3dee476d288195fb3f929037bdcdbe

Download Submit
C:\772bd026b3bb9f3203ef57ed523425b6\sqmapi.dll

Filesize
221KB

MD5
6404765deb80c2d8986f60dce505915b

SHA1
e40e18837c7d3e5f379c4faef19733d81367e98f

SHA256
b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120

SHA512
a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
\772bd026b3bb9f3203ef57ed523425b6\2052\SetupResources.dll

Filesize
26KB

MD5
2fe3f8d164676b173eebdc3066d70593

SHA1
6a4e84ab71fe5225ad765804ff12662faa2bb80d

SHA256
655d450043f366037dc7e6129a776ad9a11307bb15616d63069aa84a82d52f1e

SHA512
9328de7c4cebaf0a2a6d93703f1e25fe54fbc72cc29dcbeb794d7d6cabb883a5758e4af700bab054ae9542ea4d94cf426821e6ee73f7dc5f1f1f013b3dc3ab2a

Download Submit
\772bd026b3bb9f3203ef57ed523425b6\Setup.exe

Filesize
125KB

MD5
d8bdc90b8d9c47548b0789b33c93b266

SHA1
e2287110a405c2988f49a61d859455d41eac7215

SHA256
fd54615d479e33197b7a63873e7468f3e2e5467bdd4384d6471b4d8009f13dcf

SHA512
687cdd99c2ce3075b9cbc8f4113fa2245b01c93607bb15396ea26406eca53181998aa124452dbb4681492e29e273bd14a1b427953e59ade17aa27bbbaf249b14

Download Submit
\772bd026b3bb9f3203ef57ed523425b6\SetupEngine.dll.tmp

Filesize
978KB

MD5
c494c5309d2b6007b98c51cd8a10d723

SHA1
0dc769be56d64347683c50a7890d759433993539

SHA256
634446ee8c78d269d43595a913150d12d785f76f5200b0ec5a1d03ae51936da3

SHA512
1b3517dbee529643556218936f510b37ca1875b66908c669f5a5b4969fd1a3d5e22ef07ef919ad328496df95118ed45225d632e44ab679a6d79cd0a4dc9b6832

Download Submit
\772bd026b3bb9f3203ef57ed523425b6\SetupUi.dll.tmp

Filesize
418KB

MD5
eb71c10b72faba7b260d3ef3f4b2f761

SHA1
0bc931f9808bae964963a4d3737f8a3cd4ba0bcb

SHA256
eaf1a52b6dd8109231ff9f792cb0f1e400557156447cc82fc3feeb037a1853fc

SHA512
c1bf711b9aae1cd440dafc4c9f8f7b1ac7e3fd804a752cd5d116cad2406f449cab8b9d4ece3e8ae3678bc9fb69d496a7180f4dc1d8e790d429b298aae1d51839

Download Submit
\772bd026b3bb9f3203ef57ed523425b6\sqmapi.dll.tmp

Filesize
297KB

MD5
722c4b7ee077c83d503d204bfc3a0251

SHA1
a48852cd06058bc4f248deed2bd3822bbc5c86ee

SHA256
740c623dc1a5e27d2b0f484549b50b8c317f1df8b08febb055bb98894b169d7c

SHA512
d3dea51d6d45136d085bbc60ebfcaf96efa0c2dee2fb36536908d393b98e71918e03ab1e510947a175bc53e7e5acef5b71c9be41edfa864b1c9b582c17f545a9

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2576-154-0x0000000074C60000-0x0000000074D41000-memory.dmp

Filesize
900KB

Download
memory/2576-104-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2576-207-0x0000000074570000-0x00000000745C6000-memory.dmp

Filesize
344KB

Download
memory/2576-140-0x0000000074910000-0x0000000074949000-memory.dmp

Filesize
228KB

Download
memory/2576-139-0x0000000074C60000-0x0000000074D41000-memory.dmp

Filesize
900KB

Download
memory/2576-142-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2576-182-0x0000000074570000-0x00000000745C6000-memory.dmp

Filesize
344KB

Download
memory/2960-153-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-137-0x0000000001100000-0x0000000001135000-memory.dmp

Filesize
212KB

Download
memory/2960-160-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-136-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-167-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-178-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-146-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2960-138-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download