Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/11/2024, 03:52

General

  • Target

    bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe

  • Size

    1.9MB

  • MD5

    1c2240ab88c65121ed052a218fa75c50

  • SHA1

    f6d49211c3944b83f60a8fb2ea1ec1bef48d17ba

  • SHA256

    bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457e

  • SHA512

    b4e6bf889dc80f233a36857b9443ded5e44b67ccc867f338f1c268e8c1f28bb778e30b9493778545e5377be1ae3c6569054737159be352b221759773d87d4506

  • SSDEEP

    49152:+mlFvQqwTRxeW9oqnczOz8Z2pQ0+1uW102xTzVs2Os5la0tsM1:1dwTRcWGOOCan5rOs7td1

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif, also known as FloodFix, is a file-infecting trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 47 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographic location.

  • NSIS installer 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

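The "UPX packed file" signature above fires on how the file is laid out, not on running a decoder. As an added example, not code from the sandbox report or from the sample's author, the Python below walks a PE's COFF section table and applies the two checks a practitioner would reach for: stock UPX section names, and the layout a renamed (modified) UPX still leaves behind, an empty first section that is only a virtual unpacking destination followed by a high-entropy compressed section. The header-only PE builder, the 7.0 bits/byte threshold and the three sample section layouts are my assumptions for illustration; on a real file, call `upx_indicators(open(path, "rb").read())`.

```python
"""Added example (not part of the sandbox report or of the Floxif sample):
a minimal PE section-table walker that applies the kind of check the
"UPX packed file" signature describes, exercised on a constructed PE."""
from __future__ import annotations

import math
import struct

# Section names the stock UPX packer emits (UPX0/UPX1 always; UPX2 and "UPX!" in some builds).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0  # bits/byte (assumed threshold); compressed or encrypted data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty or constant buffer."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list[dict]:
    """Parse the COFF section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def upx_indicators(data: bytes) -> list[str]:
    """Return the reasons a file looks UPX-packed; an empty list means nothing fired."""
    secs = pe_sections(data)
    reasons = []
    if {s["name"] for s in secs} & UPX_SECTION_NAMES:
        reasons.append("upx-section-names")
    # A modified UPX usually renames sections but keeps the layout: the first section
    # has no raw data (it is only the unpacking destination) and the second is compressed.
    if (len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
            and secs[1]["entropy"] >= HIGH_ENTROPY):
        reasons.append("empty-first-section+high-entropy-second")
    return reasons


def build_fake_pe(sections: list[tuple[bytes, int, bytes]]) -> bytes:
    """Constructed sample input: a header-only PE with the given
    (name, virtual_size, raw_bytes) sections. Parseable, not loadable."""
    e_lfanew = 0x40
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table_off = e_lfanew + 4 + 20
    raw_ptr = table_off + 40 * len(sections)
    table, blobs = b"", b""
    for name, vsize, raw in sections:
        ptr = raw_ptr + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), ptr, 0, 0, 0, 0, 0)
        blobs += raw
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + table + blobs


if __name__ == "__main__":
    packed = build_fake_pe([(b"UPX0", 0x20000, b""),
                            (b"UPX1", 0x9000, bytes(range(256)) * 16),
                            (b".rsrc", 0x1000, b"\0" * 64)])
    print(upx_indicators(packed))
```

The entropy check is deliberately generic: any packer or encrypted overlay trips it, so treat it as "packed, inspect further" rather than "UPX". Section names alone are the weaker signal, since a modified UPX is exactly the case where they are gone.
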
Processes

  • C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe
    "C:\Users\Admin\AppData\Local\Temp\bd60a3c80c5d74ebbf5a2d909fdfd6a86a20964572c82853b84226e4b2c3457eN.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2272

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A1D26E2\E22588C8E0.tmp
    Filesize  1.8MB
    MD5       5c446cd4955399c94fe38437d67670a0
    SHA1      157324884d1c20f796b250bb79ab45c5a754d0ba
    SHA256    e76369c872d3cc0cb5a71bbb3a05cdfe908b54497cafe75a5ce628bf086773d3
    SHA512    2a1c51d7bf5db1211cc7e4292d13f272fd31a7851d295c1b7f7f2e2ab1d2111fb5cafbe99c3fe921dd8ea2e4ffdc1ff9ed80f62045d9a7b7678d77befbeca48d

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll
    Filesize  1.0MB
    MD5       f44c463727629428543da74af7c4aa56
    SHA1      c3925c5326c83366fedb5d899616c23b1eb35686
    SHA256    8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc
    SHA512    861cca7892ba39ecef3bfd8fcfe6bb3d2a84de13282c60e191dbe95cbb66a0246692ed9f59c5ff7e36aa8f0e4fd93d74d108045099cc26c30600359b3ae5e7ca

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll
    Filesize  1.9MB
    MD5       e5874a2edf0ed6578b89f606263ef61a
    SHA1      932470e5189664eae901bb3130e10ca605c948c4
    SHA256    092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2
    SHA512    dae2260472fb33700d032038d808f05a4c4b666afe3cfb0a2fda5e0a09ca93305fc4331c570b001a770a6d9b95a379c3b53ad57dadb7c1688ca656a0c2a4ac8e

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll
    Filesize  86KB
    MD5       7629e9d7490c8fbb60fbff721fd39bed
    SHA1      9d0cddb60bd1fda9a31c04d0eecc797ecc4b3f46
    SHA256    64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2
    SHA512    c2fc9b85d32fba6173d8a1f5d413a061ef2df189fd980434f008c6cfe759a41a8ae57f6642f5e0c4cbd15e6d5275092438db419e1b7f08c40be37d4512f783f3

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll
    Filesize  246KB
    MD5       2631dc6e62f2d1a82af9cc59a55cb562
    SHA1      ebd7b0ae4c61a9dcb0bf1629188901ef7fd811e1
    SHA256    1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80
    SHA512    6b2fa8e4ade8ba27feb8f64e9c92f91fe190ddd54cb7cb67aa589184ab4a64d7be99f717de602bc3dfe9a76d83583f9176a315193e302710d0d6ab0029112874

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll
    Filesize  332KB
    MD5       6faa15d2e2bac763d9d8a5374913140a
    SHA1      1eca4d6d8a040ec53dab57767db52e5919dc8ffb
    SHA256    05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9
    SHA512    cdb52b69131d43cf491605ed4790c318364cee2a654b5d7adf878eebbc1c690c96418034d07cf98375a23100c30b68e8cbf6d7c9da9795ef41b88c2ab1b330e4

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll
    Filesize  459KB
    MD5       751432e6a01e4d33654c866c6022d532
    SHA1      213f06b7c34c798db19f82be84f9fc5700f53cd7
    SHA256    0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c
    SHA512    cc7693dae35578bd4e1703e30007b7df4c0bcc71ff73b46cee6b1e4e7185c28d9fcdb46f73b397bc1b011570ee92943954ed5098bc514b6241e67d502a7fd528

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll
    Filesize  222KB
    MD5       548d42f4f74ccca097de9ecbaa067f3f
    SHA1      7b1a12b3339a052797f42043be335c5a32efe4a4
    SHA256    a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822
    SHA512    b1b8bc55422ec31aeb0a44456821e4b1a9c2a08bcbd397f4c4eaa4a282f6f4b9a050c671c228ea6cf122eac883031c1e5d35c779bc2f291186ebe42ca50281a2

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.tmp
    Filesize  299KB
    MD5       bd3e1fc747aaff04f84a1caa756d71f1
    SHA1      028e123c771a318d39a29d31034191953503c2f3
    SHA256    fb2fac601ef045db90a2931abd103ee4018a8c7d4303a4125ad85c28fe4a075c
    SHA512    d719a68320d65d157ae14c2ded4b318edfc1ee371b68d76854973a8f744b8f0903008f1f1d246c137c4fb07078e63b2c2cad2513269a45d577a129c25ce8eb96

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll
    Filesize  70KB
    MD5       925e8fed4e272cfb552d3a6eafc23b34
    SHA1      e83def94a9cdf40c59cdbd8232cb69db82f15aa1
    SHA256    4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb
    SHA512    e2d33e4ea78e36a11466a5fc953a6bb81bb9bc43b7b02da7f483dc2269d4b6b1f9d60088a928baa727ad40d82cf2140ca33d0c570d70dcda51b5a11df19f8593

  • \Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll
    Filesize  136KB
    MD5       ec0f6b05f7321ee8c6b4d2c8da487c67
    SHA1      48b2eb1aa2572f4b7ed5f3de3e119fcb72f40d2e
    SHA256    0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f
    SHA512    d563e4c0ccd459db004c0e5518c706c115cd966d5c4ddb0e1bd64582e69c53146b67dc7b71920521c3837398073db4cb2d0eed577aedcd556adf3db07ae35dab

  • \Program Files\Common Files\System\symsrv.dll
    Filesize  67KB
    MD5       7574cf2c64f35161ab1292e2f532aabf
    SHA1      14ba3fa927a06224dfe587014299e834def4644f
    SHA256    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

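The dropped-file list above is the host-side footprint of this run: ten DLLs under Program Files (x86)\DreamSecurity\MagicLineMBX and symsrv.dll under Program Files\Common Files\System, the latter being the drop location that has long been associated with Floxif. The following Python is an added example, not code from the report or from the sample, that turns those paths and SHA256 values into a hunt: it hashes whatever exists at each path on the host and separates exact matches from files that sit at an IoC path but carry a different hash. The Temp artifact is left out on the assumption that its directory name (A1D26E2) is per-run; the `scan_host` root defaults to the SystemDrive and is my choice, as is the "match"/"modified" vocabulary.

```python
"""Added example (not part of the sandbox report): check a host for the files the
report lists as dropped, by path and SHA256, and separate exact matches from files
present at an IoC path with a different hash."""
from __future__ import annotations

import hashlib
import os
from pathlib import Path

# Paths relative to the system drive root, and SHA256 values, copied from the
# report's Downloads list. The Temp artifact is omitted on the assumption that
# its directory name (A1D26E2) is run-specific.
DROPPED_FILES: dict[str, str] = {
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\CertManagerMB.dll": "8e68aefd40b8bb12a5479cb1c45cae6a228a0c52f200a668a3088eeb0e0637dc",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\DSCToolkitV30.dll": "092e9a4f7b350698a6c60ff7b9deb973644161221b14a73875ef9e952ddb96d2",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\GPKIProcSession.dll": "64d3a1ac747e04e1ea14868c50407a8775fabfc002b87b67ef0a57f2d1b70da2",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\MagicLineMBX.dll": "1604537aea8265f97c55d896c9f35d02ba59d96e83e3a7337382c1491d752f80",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\NFilterOpenWeb.dll": "05faa0e47f950cca98e01e1ddf56c3bc6be85bec8fa344cef7febbb30cf5bfb9",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\PKICertCls.dll": "0d59e145424288b8ac04fe788604c1bd5f5340ffb325cf3937c249a11b34e48c",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll": "a6e6b0b3c6e27e16370fa5dde7544c07c9315fa2a2269514de44000df33e3822",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\admctrl.dll.tmp": "fb2fac601ef045db90a2931abd103ee4018a8c7d4303a4125ad85c28fe4a075c",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\httptx.dll": "4827fb95efa780faf0b5c8a63e6aae6fe0eacd6ddc6d1b2dc3161e246b207aeb",
    r"Program Files (x86)\DreamSecurity\MagicLineMBX\nsldap32v50.dll": "0a668e0e6b85202d298ed10c7f17bf07ec778ec323bc63e7dd89fb757346f71f",
    r"Program Files\Common Files\System\symsrv.dll": "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a large DLL is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_iocs(observed: dict[str, str], iocs: dict[str, str] = DROPPED_FILES) -> dict[str, str]:
    """Classify observed {relative_path: sha256} entries against the IoC table.

    "match"    - file present with the exact hash from the report
    "modified" - file present at an IoC path but with a different hash
                 (a different build of whatever normally lives there, or a
                 cleaned file; a lead to inspect, not an automatic hit)
    Paths not in the table are ignored; paths and hashes compare case-insensitively.
    """
    table = {p.lower(): h.lower() for p, h in iocs.items()}
    result: dict[str, str] = {}
    for path, digest in observed.items():
        expected = table.get(path.lower())
        if expected is None:
            continue
        result[path] = "match" if digest.lower() == expected else "modified"
    return result


def scan_host(root: Path = Path(os.environ.get("SystemDrive", "C:") + os.sep)) -> dict[str, str]:
    """Hash whatever exists at the IoC paths under `root` and classify it."""
    observed = {}
    for rel in DROPPED_FILES:
        p = root / rel
        if p.is_file():
            observed[rel] = sha256_file(p)
    return match_iocs(observed)


if __name__ == "__main__":
    hits = scan_host()
    for path, status in hits.items():
        print(f"{status:8} {path}")
    if not hits:
        print("no IoC paths present under the system drive")
```

Run it elevated on the suspect host, or point `root` at a mounted image of the volume. A "match" on symsrv.dll is the strongest single result here; a "modified" result under the MagicLineMBX directory only says that some file occupies a path the sample wrote to, so pull that file for its own hashing and signature check before acting on it.

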
  • memory/2272-58-0x0000000002C50000-0x0000000002C89000-memory.dmp
    Filesize  228KB

  • memory/2272-20-0x0000000003790000-0x0000000003893000-memory.dmp
    Filesize  1.0MB

  • memory/2272-44-0x0000000002830000-0x0000000002845000-memory.dmp
    Filesize  84KB

  • memory/2272-51-0x0000000002830000-0x0000000002841000-memory.dmp
    Filesize  68KB

  • memory/2272-0-0x0000000000403000-0x0000000000404000-memory.dmp
    Filesize  4KB

  • memory/2272-40-0x0000000002C50000-0x0000000002C73000-memory.dmp
    Filesize  140KB

  • memory/2272-32-0x0000000003890000-0x00000000038B3000-memory.dmp
    Filesize  140KB

  • memory/2272-28-0x00000000044E0000-0x00000000046D4000-memory.dmp
    Filesize  2.0MB

  • memory/2272-92-0x0000000003890000-0x0000000003901000-memory.dmp
    Filesize  452KB

  • memory/2272-36-0x0000000003890000-0x0000000003A84000-memory.dmp
    Filesize  2.0MB

  • memory/2272-95-0x0000000003C20000-0x0000000003E14000-memory.dmp
    Filesize  2.0MB

  • memory/2272-6-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize  232KB

  • memory/2272-120-0x0000000002C50000-0x0000000002C8D000-memory.dmp
    Filesize  244KB

  • memory/2272-144-0x0000000002CE0000-0x0000000002CF5000-memory.dmp
    Filesize  84KB

  • memory/2272-135-0x0000000002CB0000-0x0000000002CD3000-memory.dmp
    Filesize  140KB

  • memory/2272-128-0x00000000039A0000-0x0000000003A11000-memory.dmp
    Filesize  452KB

  • memory/2272-124-0x0000000003890000-0x0000000003993000-memory.dmp
    Filesize  1.0MB

  • memory/2272-4-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize  192KB

  • memory/2272-212-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize  232KB

  • memory/2272-211-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize  192KB
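Each memory dump above is named PID-sequence-start-end, so a region's size is recoverable from the name alone and can be checked against the Filesize the report prints for it. The Python below is an added example, not code from the report: it parses those names, verifies every reported size, and groups regions by start address, which makes the repeatedly re-dumped allocations visible (0x2C50000 is dumped three times at growing sizes, 0x3890000 four times at varying sizes, and the 0x400000 and 0x10000000 images twice at identical size). The naming convention and the rounding rule for Filesize are inferred from the entries on this page rather than taken from any documented format; both are assumptions.

```python
"""Added example (not part of the sandbox report): parse the memory dump names
listed in the report, recompute each region's size from its address range,
check it against the reported Filesize, and group re-dumped regions by base."""
from __future__ import annotations

import re
from collections import defaultdict

# (dump name, reported Filesize) pairs copied from the report's memory list.
REPORTED = [
    ("memory/2272-58-0x0000000002C50000-0x0000000002C89000-memory.dmp", "228KB"),
    ("memory/2272-20-0x0000000003790000-0x0000000003893000-memory.dmp", "1.0MB"),
    ("memory/2272-44-0x0000000002830000-0x0000000002845000-memory.dmp", "84KB"),
    ("memory/2272-51-0x0000000002830000-0x0000000002841000-memory.dmp", "68KB"),
    ("memory/2272-0-0x0000000000403000-0x0000000000404000-memory.dmp", "4KB"),
    ("memory/2272-40-0x0000000002C50000-0x0000000002C73000-memory.dmp", "140KB"),
    ("memory/2272-32-0x0000000003890000-0x00000000038B3000-memory.dmp", "140KB"),
    ("memory/2272-28-0x00000000044E0000-0x00000000046D4000-memory.dmp", "2.0MB"),
    ("memory/2272-92-0x0000000003890000-0x0000000003901000-memory.dmp", "452KB"),
    ("memory/2272-36-0x0000000003890000-0x0000000003A84000-memory.dmp", "2.0MB"),
    ("memory/2272-95-0x0000000003C20000-0x0000000003E14000-memory.dmp", "2.0MB"),
    ("memory/2272-6-0x0000000000400000-0x000000000043A000-memory.dmp", "232KB"),
    ("memory/2272-120-0x0000000002C50000-0x0000000002C8D000-memory.dmp", "244KB"),
    ("memory/2272-144-0x0000000002CE0000-0x0000000002CF5000-memory.dmp", "84KB"),
    ("memory/2272-135-0x0000000002CB0000-0x0000000002CD3000-memory.dmp", "140KB"),
    ("memory/2272-128-0x00000000039A0000-0x0000000003A11000-memory.dmp", "452KB"),
    ("memory/2272-124-0x0000000003890000-0x0000000003993000-memory.dmp", "1.0MB"),
    ("memory/2272-4-0x0000000010000000-0x0000000010030000-memory.dmp", "192KB"),
    ("memory/2272-212-0x0000000000400000-0x000000000043A000-memory.dmp", "232KB"),
    ("memory/2272-211-0x0000000010000000-0x0000000010030000-memory.dmp", "192KB"),
]

# Naming convention inferred from the entries above (assumption): PID-seq-start-end.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def fmt_size(n: int) -> str:
    """Rounding inferred from the report (assumption): whole KB below 1 MiB, one-decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n / 1024:.0f}KB"


def verify_sizes(entries=REPORTED) -> list[tuple[str, str, str]]:
    """Return (name, reported, recomputed) for every entry whose sizes disagree; empty means consistent."""
    bad = []
    for name, reported in entries:
        got = fmt_size(parse_dump_name(name)["size"])
        if got != reported:
            bad.append((name, reported, got))
    return bad


def growth_by_base(entries=REPORTED) -> dict[int, list[tuple[int, int]]]:
    """Group regions that share a start address, ordered by dump sequence, as (seq, size).
    A base that recurs is the same allocation or image being dumped again, possibly resized."""
    groups = defaultdict(list)
    for name, _ in entries:
        r = parse_dump_name(name)
        groups[r["start"]].append((r["seq"], r["size"]))
    return {base: sorted(v) for base, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("size mismatches:", verify_sizes())
    for base, dumps in sorted(growth_by_base().items()):
        print(f"0x{base:08X}: " + ", ".join(f"seq {s} -> {fmt_size(n)}" for s, n in dumps))
```

The same two functions apply unchanged to any report from this sandbox that uses the same naming; only `REPORTED` is specific to this run.
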