floxif | d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c

Analysis

max time kernel
147s
max time network
132s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Size

2.8MB
MD5

6f416a2a05246c3049ea9070e28e01d3
SHA1

506e664bf51923b3e784d235807d2aa88b812251
SHA256

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c
SHA512

b575b89f4fe815ea0055e1f94502ee8f0127142755e4b8feeb56f0891c4e87d011b06da46d1dfdced3b17951efe5ee5dfc36e225634e3f8f75565fbfb86f48f6
SSDEEP

24576:xwPKcqaCbuHDZS2Xqbzsbx+80kL1y4/pCb9vEYhqKDhQBz8NA66W8MXPnAhnAGnb:yv7Cq1SfzIx+4JdWEim8ALWXXYWbbbW

Score

10^/10

floxif neshta backdoor discovery evasion persistence spyware trojan upx

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00070000000195af-12.dat	family_neshta

Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies firewall policy service 3 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

MusaLLaT.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP = "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP = "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP = "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"	MusaLLaT.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP = "138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"	MusaLLaT.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

MusaLLaT.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	MusaLLaT.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

MusaLLaT.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "2"	MusaLLaT.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exeMusaLLaT.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exeMusaLLaT.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	MusaLLaT.exe

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral1/files/0x0003000000018334-2.dat	floxif

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

MusaLLaT.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	MusaLLaT.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

Processes:

MusaLLaT.exe

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	MusaLLaT.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	MusaLLaT.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MusaLLaT.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Sr\ImagePath = "\\SystemRoot\\system32\\DRIVERS\\sr.sys"	MusaLLaT.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x0003000000018334-2.dat	acprotect

Executes dropped EXE 1 IoCs

Processes:

MusaLLaT.exe

pid	Process
2800	MusaLLaT.exe

Loads dropped DLL 3 IoCs

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

pid	Process
1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

MusaLLaT.exed7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	MusaLLaT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MusaLLaT.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MusaLLaT = "C:\\Users\\Admin\\AppData\\Roaming\\MusaLLaT.exe"	MusaLLaT.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exeMusaLLaT.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1064-0-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral1/memory/1064-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0003000000018334-2.dat	upx
behavioral1/files/0x00070000000195af-12.dat	upx
behavioral1/memory/2800-23-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral1/memory/1064-29-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1064-28-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral1/memory/2800-33-0x0000000000400000-0x00000000004A7000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exeMusaLLaT.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MusaLLaT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MusaLLaT.exe

pid	Process
2800	MusaLLaT.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exeMusaLLaT.exe

description	pid	Process
Token: SeDebugPrivilege	1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Token: SeBackupPrivilege	1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
Token: SeBackupPrivilege	2800	MusaLLaT.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exeMusaLLaT.exe

pid	Process
1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
2800	MusaLLaT.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

description	pid	Process	procid_target
PID 1064 wrote to memory of 2800	1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe	30
PID 1064 wrote to memory of 2800	1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe	30
PID 1064 wrote to memory of 2800	1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe	30
PID 1064 wrote to memory of 2800	1064	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

MusaLLaT.exed7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusaLLaT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe

C:\Users\Admin\AppData\Local\Temp\d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe
"C:\Users\Admin\AppData\Local\Temp\d7c9e99805f8135f67adba0344f04bd4eabad5b2ea57f7a9ddf204674c686c5c.exe"
1⤵
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1064
- C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
  C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MusaLLaT.exe

Filesize
2.8MB

MD5
df34658e40c632c826e461dd9fdd7de1

SHA1
3463ca70be5bda34397a3a784056f7cc55f04295

SHA256
080b3e0aa96038e9d35dd80848910d130da21a48761e975db80508642e631a0f

SHA512
2b2eef37b51b7d1677d540b5860ff6bbd70bcac0e345b5f9af2bf79e084c4cb194e57efa7f86dffb603d917ab6b9b4ff93b4be5a43dced38bdbe14f2fababbf4

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/1064-0-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1064-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1064-21-0x00000000034B0000-0x0000000003557000-memory.dmp

Filesize
668KB

Download
memory/1064-20-0x00000000034B0000-0x0000000003557000-memory.dmp

Filesize
668KB

Download
memory/1064-29-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1064-28-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2800-23-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2800-33-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download