Analysis

  • max time kernel
    118s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    13-11-2024 19:52

General

  • Target

    14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe

  • Size

    5.8MB

  • MD5

    c5ef60a303d415772ed3c3445b45d690

  • SHA1

    092298141ece7234ebded0500dadbbf5c05fb24e

  • SHA256

    14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8

  • SHA512

    f1c07b789e7d190b03bceb367937b2530910d98f83cdc9bf3b5f7c80a13509dea0e6b71136deeb5cd4a559826456bec7304cc6ce9b88b687a88399cdbc3a1052

  • SSDEEP

    98304:SvcBPAQeGPUP471te18frP3wbzWFimaI7dlot1:SSoQ9/1dgbzWFimaI7dlo1

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif (aka FloodFix) is a file-infecting trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • A potential corporate email address has been identified in the URL: [email protected]
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
    "C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1428
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.0.650493998\1338513965" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97ab5ab-cdc3-4717-a1f8-edcceafcde11} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1288 127f3e58 gpu
          4⤵
          PID:2816
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.1.2058340583\1441439140" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae40625-26d3-4d15-8ce4-9816fcedaf36} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 1504 f6fe58 socket
          4⤵
          PID:1952
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.2.1098539955\584139531" -childID 1 -isForBrowser -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db524ad8-d181-49f1-aaf6-92fd11028910} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2176 1adad758 tab
          4⤵
          PID:2772
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.3.1501579381\652999859" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00799068-0114-4da1-986c-cbf16b4bf6aa} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2824 1df84a58 tab
          4⤵
          PID:1852
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.4.828641871\1565578770" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3712 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e93ea8-bc2e-47cb-8067-23f790ace86d} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3724 1f74c258 tab
          4⤵
          PID:2756
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.5.246731019\1536465589" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cac9240d-6ed2-46a8-a978-b2574b77fa1a} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3820 1f74fb58 tab
          4⤵
          PID:2172
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.6.72649514\701880406" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3840 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f51bffc2-1c0a-4d47-947c-f5ebfe48c7d6} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 3884 1f74f558 tab
          4⤵
          PID:2796
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2800.7.14676614\1244772850" -childID 6 -isForBrowser -prefsHandle 1708 -prefMapHandle 2736 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9c571c0-81f5-4225-a262-cc262570a32e} 2800 "\\.\pipe\gecko-crash-server-pipe.2800" 2084 22636158 tab
          4⤵
          PID:2420
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:904
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2400
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2884
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2176
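The signatures listed above and the process tree just shown are behaviours a host-based rule set can pick up directly. The Python below is an added example, not code from the sandbox report: it evaluates four rules over constructed Sysmon-style events (process create, file create, registry value set) built from the paths, PIDs and hashes in this report; the Run value name, the BHO CLSID and the benign control event are placeholders the report does not list. One detail from the tree matters for rule writing: the 32-bit sample launches C:\Windows\SysWOW64\regsvr32.exe while its command line names System32 (WoW64 file-system redirection), so the rule keys on the image path and only parses the DLL argument from the command line. Because the Floxif payload signature fires and symsrv.dll is written under Common Files\System, the example treats that drop as the Floxif-specific indicator; the regsvr32 children register IDM-named DLLs and Firefox is opened on an Internet Download Manager page, so that part of the activity is plausibly the host installer's own (an inference from the tree, not a statement in the report).

```python
"""Detection rules for the behaviours in this report, evaluated over a few
constructed Sysmon-style events. Added example; not code from the report."""
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# SHA256 values copied from the Downloads section of this report.
FLOXIF_SYMSRV_SHA256 = {
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085",  # symsrv.dll
    "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1",  # symsrv.dll.000
}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+\.dll)"?', re.I)
SYMSRV_DROP = re.compile(r"\\Common Files\\System\\symsrv\.dll(\.\d{3})?$", re.I)
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\\{[0-9A-F-]{36}\}", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)


def rule_regsvr32_user_dll(ev: Event) -> Optional[str]:
    """regsvr32 registering a DLL that lives under a user profile.
    Keyed on Image, not CommandLine: the report shows the 32-bit parent
    spawning SysWOW64\\regsvr32.exe while the command line says System32."""
    if ev["eid"] != 1 or not str(ev["image"]).lower().endswith("\\regsvr32.exe"):
        return None
    m = DLL_ARG.search(str(ev["cmdline"]))
    if not m or not USER_WRITABLE.search(m.group(1)):
        return None
    silent = " /s " in str(ev["cmdline"]).lower()
    return f"regsvr32 {'silently ' if silent else ''}registering {m.group(1)}"


def rule_symsrv_drop(ev: Event) -> Optional[str]:
    """symsrv.dll (or symsrv.dll.NNN) written under Common Files\\System."""
    if ev["eid"] != 11 or not SYMSRV_DROP.search(str(ev["target"])):
        return None
    known = str(ev.get("sha256", "")).lower() in FLOXIF_SYMSRV_SHA256
    return "symsrv.dll written under Common Files\\System (%s)" % (
        "hash listed in this report" if known else "hash not in this report")


def rule_bho_registration(ev: Event) -> Optional[str]:
    """Registry write under the Browser Helper Objects key (either view)."""
    if ev["eid"] == 13 and BHO_KEY.search(str(ev["target"])):
        return f"Browser Helper Object registered: {ev['target']}"
    return None


def rule_run_key(ev: Event) -> Optional[str]:
    """Registry write of a value under ...\\CurrentVersion\\Run."""
    if ev["eid"] == 13 and RUN_KEY.search(str(ev["target"])):
        return f"Run key set: {ev['target']} = {ev.get('details', '')}"
    return None


RULES: Dict[str, Callable[[Event], Optional[str]]] = {
    "regsvr32_user_dll": rule_regsvr32_user_dll,
    "floxif_symsrv_drop": rule_symsrv_drop,
    "bho_registration": rule_bho_registration,
    "run_key_persistence": rule_run_key,
}


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; return one finding per hit."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev["pid"], "detail": detail})
    return findings


# Constructed events. Image paths, command lines, the symsrv.dll path and
# hash come from the report and PIDs follow its process tree; the Run value
# name, the BHO CLSID and the benign control event are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"eid": 1, "pid": 1428, "ppid": 2248,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"'},
    {"eid": 1, "pid": 2856, "ppid": 2248,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html'},
    {"eid": 1, "pid": 4000, "ppid": 600,  # constructed benign control
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\System32\example.dll"'},
    {"eid": 11, "pid": 2248,
     "target": r"C:\Program Files\Common Files\System\symsrv.dll",
     "sha256": "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085"},
    {"eid": 13, "pid": 2248,  # placeholder CLSID
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}\NoExplorer",
     "details": "DWORD (0x00000001)"},
    {"eid": 13, "pid": 2248,  # placeholder value name and path
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PlaceholderValue",
     "details": r"C:\Users\Admin\AppData\Local\Temp\placeholder.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the sample set the Firefox launch and the control regsvr32 event produce nothing, while the Temp-directory registration, the symsrv.dll drop, the BHO key and the Run key each yield one finding; the 192KB and 5.8MB memory regions listed further down are not covered, since they need a memory event source the report does not show.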

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll.000
    Filesize: 175B
    MD5: 1130c911bf5db4b8f7cf9b6f4b457623
    SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
    SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
    SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 23KB
    MD5: 2bae4b1b5ae9107e640b7a9c7e91a8a9
    SHA1: 481790ea18a5975aacbeea7710da4a40d10a6a7c
    SHA256: 06d489a3f7e4a40fcc33bc35954f4a3b96ac822aa42d8a47e186894084e0da02
    SHA512: e40bd3f94268c484e39b9bcf96d6623d8528f74e430486c8e1696942a922cdd264b93980e2d5b8b1e6cde84300c58444b55d686a7ff53aa12ef1d8b7e0dd4c2b

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
    Filesize: 13KB
    MD5: f99b4984bd93547ff4ab09d35b9ed6d5
    SHA1: 73bf4d313cb094bb6ead04460da9547106794007
    SHA256: 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
    SHA512: cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 9b3cd85656b476874b8696ffc1cf5a71
    SHA1: 2b114161a6fca625b8e184c1ac372106b0488ed8
    SHA256: 45925dd65cfaa4936aba19e040c0a4da50c2579b751e4d13ccb62f99ab456c8d
    SHA512: ffbf519974496bc591605bed2702b82e5a96765c7955cc9e1e00734ba69b631edb06a87f466f3e826a3206f54784833df3a994180f491b5ce096ed1748000461

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\c8fbe872-f64b-4b62-b16a-4b748543a41c
    Filesize: 745B
    MD5: 8799e37a0eab546e383c197d035c99cb
    SHA1: c6a3a7d595d9544d8d9d5508d11cc1b8fe0215b6
    SHA256: ec9931ab159771e5a915ceb1ecdf33f637cee3d73db6c24a47f1f99f21cbf39a
    SHA512: 6022075a9614df3cafdedf73c237cd53fe131f9e5a2c0ad24cce905dc0ed71ec535c1ca27c51c74c3355694be763e2aa7e8ab19811c972ee28612f5f8498cebb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\d5cf5003-91c6-43a0-b04b-5a39c2959468
    Filesize: 12KB
    MD5: 49919acb3ccf6ee504a4666a59407531
    SHA1: c9819f43aeddbb9e6430f4cde6637cef0f93814f
    SHA256: e510fb9c2f48f3db53e276c347f091850aa5976ff997963808b9191279fa070d
    SHA512: a2792ae1ccf7b87f20389e1b05d8d52601c271f49d6bd7511910fd456b47b436aaa2c7df7e9e82136bc62494733afe0539f48422b9a3c7542aeb6a8a7dad095e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 5ecc2075f89d1af9a048f685ed4aaf74
    SHA1: c26150e3155740b1edfcbde3c8997d026e5fcba1
    SHA256: 98eb9bc3d28e1ad776c322db160963466bb286498a8154b850c4fe0b38459d99
    SHA512: 842ead01a62d362639ed8a11b847c4ea4192de7b0d7f7a7c2d7b2ea4bad38b4381a917872e07a026740f1f640f2ac1158bf358a124ccd798aa894b05dbfa6f88

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 6146b3a78dc721c28394a15192b45d0c
    SHA1: 9094776e157f4c76ad3bc9462bf2339bbbeaa71d
    SHA256: 439d74f1803053d9ac12fa08d6761e354128a01235b08e7efc224cb638708c2f
    SHA512: 57af617eeb84e9f30b9233a21895bf54fc75902958acc208752dc6a261200660a33641d8627e58f3df8600e2d87b8a7d244b24f0b1d01364b4eb559957bbf050

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 6e34dea690012baa0636b34421fd611d
    SHA1: 3bf8b0601062391fa176aefd26f29827d94279a2
    SHA256: 2ca2058fd45af2612d16faa8c371f9a2cdb4fcfed2bc6bb5ec5868d3dec71128
    SHA512: a849ec4e60d8f4aae4988774e297e472b34fde4f5636aa29e13f3fabbc83e12174c3ec2c0270a901f88ccc52d494e32f32d8326bbf7c8a83be1265dde60dabe9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 7c8c90b23e7d396c0921eede543cce71
    SHA1: 1bb5e384327a881d10edb7d6d116e41d0e27ad29
    SHA256: 39e3d7474e976f0059f925da7488db96c4d031e8985f83c447f6a4d7f0ca3268
    SHA512: 9e6feedb5f40ae2e2abc025c70cd8598cca0927442eaa925236970912254366fcae310bfed097ec2893e48ca1254b28c5e0c65aa51ab415dbbc4a015ad1008d1

  • \Program Files\Common Files\System\symsrv.dll
    Filesize: 67KB
    MD5: 7574cf2c64f35161ab1292e2f532aabf
    SHA1: 14ba3fa927a06224dfe587014299e834def4644f
    SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • \Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp
    Filesize: 261KB
    MD5: c7e5520ed203ab5a47cc230aa82a7f8f
    SHA1: 4356eba3d63cfa115c4f1f7fbc19a837f4c92ecf
    SHA256: 23a4da975f497b8f541d56f301f3246cbc5fb680a0fb8a7bc0b34b5276512dbf
    SHA512: 25177a40d796f8dad6426f225da4899bbf2a6f40e5ec6740fe24be99f1e3fa9bab5030153d1b39935e2d51e0de724b6bd5d4a72fcb198de19c37df441efbab0f

  • \Program Files\Mozilla Firefox\uninstall\helper.exe.tmp
    Filesize: 1.3MB
    MD5: 6f87aba66431f8b0b6a0afa1532983ff
    SHA1: 296dc56397d800088da66de9a5653358d4bb27f7
    SHA256: 82ed47127c67be3836eccc1cc6ce9de16fd2e60e745b1746dd86413ae150e41f
    SHA512: 0d0f1df7a43872763d81f2bc915716d37d387b4b2a3ebc44a7edf0000398de243ef09d925e00b07a7d57604ba16d34889357243f04c4fc861302a0e1c0e0801b

  • \Users\Admin\AppData\Local\Temp\A1D26E2\E0BE8348C8.tmp
    Filesize: 5.7MB
    MD5: 907f6d2ccb9de1f311b4f0ae58f1abf5
    SHA1: 15a255db8fe3ce554bbdd5c9f48a05dc6c6c33a9
    SHA256: fb69f1e12ba410a1c399441c4a41a80fa2df3658fe64283c5a90afc51f9f600e
    SHA512: 768302a651af8b71add90ac24ec4b6b25f07b9835b30c08c81c548c88f304aa2795d47012328900dc102347d1c7d87f6128c8ab339674dbaf043e4cf8cb09c83

  • memory/2248-252-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-212-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-3-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-13-0x0000000000A60000-0x000000000102A000-memory.dmp
    Filesize: 5.8MB

  • memory/2248-28-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-251-0x0000000000A60000-0x000000000102A000-memory.dmp
    Filesize: 5.8MB

  • memory/2248-14-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-263-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-15-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-27-0x0000000000A60000-0x000000000102A000-memory.dmp
    Filesize: 5.8MB

  • memory/2248-284-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-297-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2248-330-0x0000000000A60000-0x000000000102A000-memory.dmp
    Filesize: 5.8MB
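To check a host against the dropped files listed above, the following Python sweep is added here as an example (it is not part of the sandbox report). It hashes every file under a given root and compares the digests with the SHA256 values copied from this section, and it separately flags any symsrv.dll or symsrv.dll.NNN found under a Common Files\System directory by path alone, on the assumption that a different build of the payload would not hash-match. The demo directory tree and its file contents are constructed, so in the demo only the path rule and a constructed hash entry fire; the Firefox profile files in the list are omitted from the indicator set because they are ordinary browser state rather than payload artifacts.

```python
"""Hash- and path-based sweep for the files this report lists as dropped.
Added example; not part of the sandbox report."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA256 values copied from the Downloads section of this report.
REPORT_IOCS: Dict[str, str] = {
    "de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085":
        r"\Program Files\Common Files\System\symsrv.dll",
    "eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1":
        r"C:\Program Files\Common Files\System\symsrv.dll.000",
    "fb69f1e12ba410a1c399441c4a41a80fa2df3658fe64283c5a90afc51f9f600e":
        r"\Users\Admin\AppData\Local\Temp\A1D26E2\E0BE8348C8.tmp",
}


def _is_symsrv_drop(p: Path) -> bool:
    """Assumption of this example: symsrv.dll (or symsrv.dll.NNN) under
    ...\\Common Files\\System is worth flagging even when the hash differs."""
    name = p.name.lower()
    if not (name == "symsrv.dll" or (name.startswith("symsrv.dll.") and name[11:].isdigit())):
        return False
    parts = [x.lower() for x in p.parts]
    return len(parts) >= 3 and parts[-2] == "system" and parts[-3] == "common files"


def sha256_file(p: Path) -> str:
    """Stream the file through SHA256 so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str] = REPORT_IOCS) -> List[Dict[str, str]]:
    """Walk root; report hash matches first, then path-only symsrv.dll hits."""
    findings: List[Dict[str, str]] = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in iocs:
            findings.append({"path": str(p), "sha256": digest,
                             "match": "hash", "report_entry": iocs[digest]})
        elif _is_symsrv_drop(p):
            findings.append({"path": str(p), "sha256": digest, "match": "path"})
    return findings


def demo() -> List[Dict[str, str]]:
    """Build a constructed directory tree and sweep it. File contents are
    made up, so the report hashes cannot match; a constructed hash entry is
    added to the indicator set to exercise the hash path as well."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp, "Program Files", "Common Files", "System")
        drop.mkdir(parents=True)
        (drop / "symsrv.dll").write_bytes(b"constructed, not the real payload")
        stage = Path(tmp, "Temp", "A1D26E2")
        stage.mkdir(parents=True)
        staged = b"constructed staged installer"
        (stage / "E0BE8348C8.tmp").write_bytes(staged)
        Path(tmp, "unrelated.txt").write_bytes(b"noise")
        iocs = dict(REPORT_IOCS)
        iocs[hashlib.sha256(staged).hexdigest()] = "constructed hash entry"
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, point sweep() at the system drive (or at Program Files and the user profiles) and pass REPORT_IOCS unchanged; a path-only hit on symsrv.dll with an unknown hash is still worth pulling for analysis, since the report shows the file being written by the sample rather than by any Windows component.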