Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 31-10-2024 04:27

General

  • Target: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
  • Size: 4.2MB
  • MD5: eb88e6f8885317eec81bbdc0e0182337
  • SHA1: 60c17948ec154ee6e0a7c2cbb0ea67a3897d93a9
  • SHA256: bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6
  • SHA512: db95bb7580600d19ad4dafc88388d256434df5f2d2d59d3737641cc13033a0a52f4b5e5e546d67253e713f408cb7267ade0393bc0144f5b2c595383ce700db14
  • SSDEEP: 98304:Pnzz9jK7mk9nrpao6EzIzGePewXbw5Dz99d3ZVUh2WM:bz9UmwP6+YGePPLa99d3/UoWM

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
    "C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe
      "C:\Users\Admin\AppData\Local\Temp\bce8713b3f10847cfc7118eaa18f855ab118dab63725d2c0ddfad449e6fd96e6.exe" elevation
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ezhelp\server\NewWinFunc.dll.dat
    Filesize: 78KB
    MD5: f0c0860c39170e9523313faf5cd7d631
    SHA1: 981ed36999fdbcccbf4c1fdb34b11c6674c06159
    SHA256: a14c6134849ddf594efbb3f226cfcc183b10049910a49d9f23164020f0dee9c0
    SHA512: b6d8e60be9b2d9cf6e12ce0926796bcaa2465da422915ce6e1068667e51259f29d8d3a8c04086c35274679342b5d8b303afac0b89b816b173b38653881be6af8

  • C:\Program Files (x86)\ezhelp\server\ezHelpClientManager.exe
    Filesize: 506KB
    MD5: 0d9e5b2a3abb1585435f9dc2ee2bf6af
    SHA1: 587a599a5dcee6189dab16e5177fac02d923272c
    SHA256: f8b9ea81517ff23d66bf9805d46f008a4cd1866b9fe51fe46010562a8de0a5af
    SHA512: 04e829f0e72cdfeb30f13e766aab15e945fe84b66e5303cb49d59aa48497567a08e9e7bcc85d4850f4d227a26de1c74a9ce5bbd61e72697b493d1917fcc414b4

  • C:\Users\Admin\AppData\Local\Temp\A1D26E2\B97F7C46BC.tmp
    Filesize: 4.1MB
    MD5: efc847cb89a2a90c40f8fc6cd0169598
    SHA1: 484e5d3d3d25bf4e678241906f38098006fab3cc
    SHA256: 90552f94c3f3a82f4d65e5fad659ac73ca23a82c15808055fb6180ec72a81e4a
    SHA512: 3cdf641876e5514f96fe0e20f94e3b29f4daffa023ebe01b18c68e4133d937b8f71d9665880cdc42cdefa780c5d75d240453f56887389fc5452bba04793c0225

  • \Program Files (x86)\ezhelp\server\NewWinFunc.dll.tmp
    Filesize: 154KB
    MD5: 6d84eb235614fa7c6c2392bc01aab90a
    SHA1: 0f8f08203c7e8b3b4307312f324fe979fbe1789b
    SHA256: f82cca1a635dfc62876f915b9859ae35872f8696da31e9e8e61c86dfb9db0054
    SHA512: d1d917c7f863fb1665f20a474cee7c3d715a6a5a3c86b1380fc4a6cc9b4b19f228d3650e46b76cd5925b41a438785abbc730133cbf5446a2a446ad343a5dce0b

  • \Program Files (x86)\ezhelp\server\ezHelpClientManager.exe.tmp
    Filesize: 583KB
    MD5: 1b0a3ee6d601144768a68d563229b257
    SHA1: 742165c6a775069ee4dbb96b345a6ce448d77e22
    SHA256: 1814987db5d8d340001ed59b4451ff2afa039203495603d921e9d6246c0ea33c
    SHA512: 0e364eebeedbb672fd5d6b0fd6ca7773e0735b8e28999d7f1afc15dbde13de43b411f2ed4512d30abe59ef2ac26470b4c57457588b7f4b154e4d6c2277e224ec

  • \Program Files\Common Files\System\symsrv.dll
    Filesize: 67KB
    MD5: 7574cf2c64f35161ab1292e2f532aabf
    SHA1: 14ba3fa927a06224dfe587014299e834def4644f
    SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • memory/868-17-0x0000000000BA0000-0x0000000000BD4000-memory.dmp
    Filesize: 208KB

  • memory/868-15-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/868-67-0x00000000032D0000-0x000000000339A000-memory.dmp
    Filesize: 808KB

  • memory/868-75-0x0000000000BA0000-0x0000000000BD4000-memory.dmp
    Filesize: 208KB

  • memory/868-74-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/1724-0-0x0000000000BA0000-0x0000000000BD4000-memory.dmp
    Filesize: 208KB

  • memory/1724-11-0x0000000000BA0000-0x0000000000BD4000-memory.dmp
    Filesize: 208KB

  • memory/1724-12-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/1724-6-0x0000000000BCC000-0x0000000000BCD000-memory.dmp
    Filesize: 4KB

  • memory/1724-4-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB