Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2024 19:17

General

  • Target

    2024-10-30_c537aee2c20492ba69fb84bda89f4adb_floxif_icedid.exe

  • Size

    2.2MB

  • MD5

    c537aee2c20492ba69fb84bda89f4adb

  • SHA1

    d2f5de54b5a140a8f8d9890c34a38a4a3e9d8f45

  • SHA256

    d1f59bba8890d3d92243433d8bd637b3384261a0eefc66b3736380ef067ce5af

  • SHA512

    82592ce5e264edb5758a68040e336ab48d49475dcc3fcf5a2571b7e8d15bf417fea253d6637976de60bbc9f9bd08cdb916b95218e671315932c50ef8958e98a8

  • SSDEEP

    24576:z66nUmCMpufdsUcH3wJhraR7VGZlZEywiKlB2d1Bss/QtbqaFvTbKYtYWX4+33Ik:zPnpjSRcgQGZlZLTdD/QprTbrrInKOy

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 33 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-30_c537aee2c20492ba69fb84bda89f4adb_floxif_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-30_c537aee2c20492ba69fb84bda89f4adb_floxif_icedid.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2080.log
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      • Suspicious use of AdjustPrivilegeToken
      PID:3412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2080.log

    Filesize

    783B

    MD5

    eaa79fc0f5c77cdb0536c690dbd866cf

    SHA1

    0475d6eef3249cd6358f017c32c96d702aa51d3c

    SHA256

    e027f5b0b2ceb08d7ac1bf1ca7c17b47edd02a957bb34ddea1f747fcae1aa460

    SHA512

    46733e38f68f89abd3a4f0e73a6da8ae3b3a91f5fcf15819ef8df92cbf98f02274315598d5fadb57cfa3affa7c7b53824aadbdedd88ec99ac03b3d2de97ac0d6

  • C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2080.log

    Filesize

    1KB

    MD5

    f6f00e65e6b0d7ce89bb2029027d958e

    SHA1

    3b6c6d27fb2f125ae1a9512e14bf9517d21bd67f

    SHA256

    8f85c40457f5b92c6fbc39c1f0c35eba7d84d36e355fcb4c9a83cf81ac8fba2b

    SHA512

    b33113fa63d7daa654dc45076da42eb277de5e6f10897160ed3efe508b125d6b297cc21525589aeb9af6df71dc99b20257e9c6d6c7e51e69f32c7a81b813c47a

  • C:\Users\Admin\AppData\Local\Temp\cpuz_driver_2080.log

    Filesize

    1KB

    MD5

    9d9897c41a092c264c2f8d9c1b968348

    SHA1

    8de79412cb234413380f8114a1ed71b518187b76

    SHA256

    1611c924820b72601f9a8a53322f94a8989e6b7bc649ddb3cc65b956019dfc33

    SHA512

    b8b5cbea6786681dec71b95b37f8909e94e26acc56bcfaf0d41167285d8b7577c4953fec1b93a0427ebc0ac3373c4641687ea430f570d77111e2020c421bbffd

  • memory/2080-47-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2080-54-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-78-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-35-0x00000000764C5000-0x00000000764C6000-memory.dmp

    Filesize

    4KB

  • memory/2080-45-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-44-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2080-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2080-48-0x00000000764C5000-0x00000000764C6000-memory.dmp

    Filesize

    4KB

  • memory/2080-51-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-36-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-77-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2080-59-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-70-0x00000000764B0000-0x0000000076513000-memory.dmp

    Filesize

    396KB

  • memory/2080-69-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/3412-63-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/3412-57-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/3412-40-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB