floxif | a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42ba

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
Size

3.5MB
MD5

f9bda3f2a3152e366a79250881d0f560
SHA1

ebfe05d79f0f24bc4a570e8a612045ffc5f95f9a
SHA256

a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42ba
SHA512

dab51eae63e47a7760ecddbdb30800ea1b5e4ac096177ebf3000c2274c06556e5abc279a2604393804a43b2173fb82b5ad5bdf386000e4167e54fef9518b0174
SSDEEP

98304:FuZwzjch2Mvj39QKU7vMtyeW04Riio4kbMyunx:hzYhvz9QKU7vLiioLfunx

Score

10^/10

floxif backdoor bootkit discovery persistence trojan upx

Malware Config

Signatures

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x00090000000234dd-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000234dd-1.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe

Executes dropped EXE 1 IoCs

pid	Process
628	DiskGenius.exe

Loads dropped DLL 23 IoCs

pid	Process
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x00090000000234dd-1.dat	upx
behavioral2/memory/1396-126-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1396-127-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1396-133-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1396-139-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1396-149-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1396-151-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiskGenius.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
628	DiskGenius.exe
628	DiskGenius.exe
628	DiskGenius.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 628	1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe	82
PID 1396 wrote to memory of 628	1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe	82
PID 1396 wrote to memory of 628	1396	a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe	82

C:\Users\Admin\AppData\Local\Temp\a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe
"C:\Users\Admin\AppData\Local\Temp\a96e85c838f68ed8508a8d79148ba4f237a5b9e2ed8d7bdd1dba1281fb8c42baN.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\DiskGenius.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DiskGenius.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp

Filesize
589KB

MD5
164486e4493e455445274bd1a77d4f0e

SHA1
962e8b63467823a8b986f3d2b16ce2984aceb4e3

SHA256
a34797bb1008c61ee7b41a4d5faf7c1b02e16a0e774532b586fa6714f1fb7e71

SHA512
664797097db733528cc5285ab8f96acaaaf7942c03f3c1775dfc31e253838f3168db8270e523c268a30c15e37ea2cee4cad684c33ea582f833762a5090ed705a

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp

Filesize
589KB

MD5
f45aa0c1ed1aadb66004d7d413054137

SHA1
89a1dccf5c1c0e3ec9bb9907e50d7ece0f16ac89

SHA256
b08092c35d3f84481ebcd9f3a4b8e8922afe83eb1680e208f9f27aaec420c0d8

SHA512
d451a58c6fa68f1ef4ad450e336f968880f3aba459d9ce6ffc63ab30b2cb594e7488ab149dab3e2d0d35586b99ff79ddc2f98d0710aef4ff64ca4ea17be9039d

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Barray.dll

Filesize
52KB

MD5
c457da58a321250b5ecbc401256e3c1f

SHA1
9f2b226d0a0b8de4d43ecb855a347132d3f36c79

SHA256
c0e92becb7ba07fc4f7f68e7512a9b08cb2ebe07901b23f93ea11d5f81a3a6f0

SHA512
d37fb3f040a3b148ba23efa882f63e3963a015b824ce4889bdfe2b8614399042151ded2c675f5b02c9e5e525543f046edef92f029e232a73aff0c43ac1bf39d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Barray.dll.tmp

Filesize
128KB

MD5
367629f30957bfc1cc2f2f003419ac54

SHA1
f1e703fe53725f6e64851ce1b89462c2e89f677d

SHA256
2596cd5d812b81eff9342c00c0a71339a13209cae9477deef9498a51d142b1fb

SHA512
fbffce0e282f308c05aed1f97785ded07a265218d7bae825f981fea5576ed800e2dd33e60b6aec726cb3d964c7ed3a3d0770d6e446ea629ca6043c12ded8efe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Charset.dll

Filesize
44KB

MD5
7ae966c943f2eeba62114b1cee1c9c17

SHA1
1493284cf0f12e590e01c61bd0b61676fce6de97

SHA256
5d12e801ad80edebb5c7458cf1fae7a4736f45ae499b0afbe97d57c74d1cf3ec

SHA512
b88ec7832d0087256dcef050f5eef85c8f89e4662f11dc93a9d4fe7f82da688e20d6eb1f0a7a743c5e575cb6759d702805570e85bee4748543b40cb08e2bf2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DiskGenius.exe

Filesize
1.7MB

MD5
befddc5b5f9d8880a0572517dc879f68

SHA1
5982b22f7bbdc26bd6f1be7c29af574728a9cb72

SHA256
73306b03527380a9ad62bdea718ac575015c406a39b700de0245d4c36889e1c9

SHA512
4f6a7c169ba3d11d9cc4ef9823b3105ee9db43fbb769a098708ad66a5a7e7941563da3e4fc3b0982879bd15e8494befb494687e675c2407869acf71c813b30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Hdrw.dll

Filesize
1.1MB

MD5
9f571c895d37786aebe10718c87239fa

SHA1
ebe93d867efd0bf63c02914e86f4949bb0fdb717

SHA256
90ffecc5b22a15dcac5ce403cdb144a89e67093db7f67c934753a8244b5bdd74

SHA512
737d350e9db8d5365da2fe51c2e244e5074f632351a015a538fe427f30c2c3c3379425c2d06c4efa62a28038bde5f8873cb8fc0ddad09be5473097c174364850

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HdrwImg.dll

Filesize
56KB

MD5
bf3989c0c12c44b93a24394aa2e88c3b

SHA1
b6bbd18b4cb0fe8cf85205f6f5cab4b74d334aa5

SHA256
91b7bd7969676113a8215e4d2d5cb91cc40bf41c4967fc3306ec54330d6e1df1

SHA512
966fb64d61ec04e13e29e04f4c27e0af516a7345241b6621bc24260fb7cde9b77f99a99e6ca9d2b20fceb97534e8159d585d6356e68a6fe97503365b5d47802d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Hdrwnt.dll

Filesize
88KB

MD5
772b9ba75742f00221ee8b3a0b844f3f

SHA1
212be64729fb52048912dba9be8e678c87a8810f

SHA256
9cfb657a71c6a71c9e8e200c64a449807df9c0082044469240dbb78de5f69389

SHA512
bd5572048306cd46c202ab3b3608a85a16b42fb4d8737feef77d3b42cefb936deebddfa07f2be96aab5f5305b54df54fa631006d24256ee28b8425a7d578f405

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Hdrwvm.dll

Filesize
96KB

MD5
8a735f4ad3762e2e0a20028fc261d7d9

SHA1
90a8033a5d8de3c0f777278ea7eeb090435e7d78

SHA256
9673e5487a6bf519f6efab920a524b24f49df3ccde7eebb79480f8a82b60cba1

SHA512
f8d0dc6c14703e8b2b03fdb64bcdce6e2e3a0e2e736242645d5a75e20f861c683c6ca283e4c79bc77575690a942531e92b8dbd14fe0e978d951cfbfdcd2e54cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IniCfg.dll

Filesize
68KB

MD5
5c902ee3026c50e259f3ae959728fb2e

SHA1
f36200e489835193fd471d537d91f9be5da1b7ff

SHA256
b7bd5d7a6044dc3f7bdc744a002925244f99bd336474ee6511c9f759d0aa6b8d

SHA512
0f9012c9097d7e809dd993a430a103a64414b7fc903bddda4cc0c4696977f68ce85ab137f042c442e8623d0fe446c7cc84125cde31105c6f40e0075fc0c29b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\LangEng.dll

Filesize
812KB

MD5
fdb0a68b2139e0127a0f2f6cf9eac6ed

SHA1
5157fcb8a31a1428e5c6e68c393559ef308bbf5a

SHA256
29e38b70e03ce30013f052e6ce89b81255841c55547d8d82e320d68084d8f7f2

SHA512
5b9b042f401be6a653fa6ad1fd822a370b5234351fc206b3d64cd75493ccc78a4b5d0a904dd4675ea5c5429e60416dccddc5c0f4443ac624c6d128134282f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.dll

Filesize
92KB

MD5
9da3dd3465443572681245d496442532

SHA1
e1598d23776b1b98fe46fca0b98d6c62b28ddda9

SHA256
fac17ece8cfba6fec8390e6457bcfadb0dc7316c672e59b5d0227c62ae133263

SHA512
606100b4cd6bb8bd58c9de0cc731e8528967088808f68248439767c9b8cdfb04bc1819fea402baadad8c5e859b33efaa822b4ae6bb9268117b7b522a8383b9c4

Download Submit
memory/628-85-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/628-78-0x0000000002380000-0x00000000024AB000-memory.dmp

Filesize
1.2MB

Download
memory/628-103-0x0000000002690000-0x00000000026AA000-memory.dmp

Filesize
104KB

Download
memory/628-88-0x0000000002380000-0x00000000024AB000-memory.dmp

Filesize
1.2MB

Download
memory/628-92-0x0000000002580000-0x0000000002599000-memory.dmp

Filesize
100KB

Download
memory/628-76-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/628-128-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/628-96-0x0000000000790000-0x000000000079F000-memory.dmp

Filesize
60KB

Download
memory/628-84-0x0000000000770000-0x0000000000783000-memory.dmp

Filesize
76KB

Download
memory/628-87-0x00000000024B0000-0x00000000024DE000-memory.dmp

Filesize
184KB

Download
memory/1396-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-126-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1396-127-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1396-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1396-133-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1396-6-0x0000000000405000-0x0000000000408000-memory.dmp

Filesize
12KB

Download
memory/1396-139-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1396-149-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1396-151-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download