Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:01

General

  • Target

    14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe

  • Size

    5.8MB

  • MD5

    c5ef60a303d415772ed3c3445b45d690

  • SHA1

    092298141ece7234ebded0500dadbbf5c05fb24e

  • SHA256

    14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8

  • SHA512

    f1c07b789e7d190b03bceb367937b2530910d98f83cdc9bf3b5f7c80a13509dea0e6b71136deeb5cd4a559826456bec7304cc6ce9b88b687a88399cdbc3a1052

  • SSDEEP

    98304:SvcBPAQeGPUP471te18frP3wbzWFimaI7dlot1:SSoQ9/1dgbzWFimaI7dlo1

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • A potential corporate email address has been identified in the URL: [email protected]
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe
    "C:\Users\Admin\AppData\Local\Temp\14f560d5dcb91cce23eadbc6ce4c65277f7fc2961269e52bdfc8766bb0e441b8N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2444
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.0.1886949311\722804594" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0955bc0-b70a-4626-a56b-05db370e8b6f} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1300 121d6158 gpu
          4⤵
            PID:2916
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.1.2058646445\699989543" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a7e8ac-beb4-4dfc-baf2-52a6db391946} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1516 e72e58 socket
            4⤵
              PID:2784
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.2.170052725\1703757487" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc9b049-5a7a-4199-a263-6110b1bddfb9} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2104 12159558 tab
              4⤵
                PID:1036
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.3.1928870289\1744065618" -childID 2 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb3cc16e-4332-46b2-80a4-65e8bd90c119} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2788 1cb4ee58 tab
                4⤵
                  PID:1368
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.4.750359270\850579117" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3680 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2512c7cb-2ecf-4dd1-8330-0a6ebccd82d7} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3716 1f0fd058 tab
                  4⤵
                    PID:2988
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.5.994975831\1326074479" -childID 4 -isForBrowser -prefsHandle 3824 -prefMapHandle 3828 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2accc08-8f31-465c-8f38-edd5736d4424} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3812 1f0fe858 tab
                    4⤵
                      PID:2880
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.6.909663669\291752357" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {077942f6-f6bd-4eda-8bcc-ebc4d2cff3a2} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3980 1f0feb58 tab
                      4⤵
                        PID:2592
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.7.336479887\1400921686" -childID 6 -isForBrowser -prefsHandle 2176 -prefMapHandle 2112 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {094c837f-b56d-42ca-8729-356e26f2a5fe} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2180 1a39ce58 tab
                        4⤵
                          PID:1968
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:3008
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2852
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:392
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll.000
    Filesize 175B
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp
    Filesize 23KB
  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
    Filesize 13KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
    Filesize 2KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\8fb2f70e-7dc6-42bb-b922-1a0f97d97d0c
    Filesize 11KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\b42c274c-c728-44c7-b97a-056e580e43c8
    Filesize 745B
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
    Filesize 6KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
    Filesize 6KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js
    Filesize 6KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize 4KB
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize 4KB
  • \Program Files\Common Files\System\symsrv.dll
    Filesize 67KB
  • \Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp
    Filesize 261KB
  • \Program Files\Mozilla Firefox\uninstall\helper.exe.tmp
    Filesize 1.3MB
  • \Users\Admin\AppData\Local\Temp\A1D26E2\1E88ABC5A4.tmp
    Filesize 5.7MB

  • memory/1444-210-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-15-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-31-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-3-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-232-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-231-0x0000000000930000-0x0000000000EFA000-memory.dmp
    Filesize 5.8MB
  • memory/1444-238-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-30-0x0000000000930000-0x0000000000EFA000-memory.dmp
    Filesize 5.8MB
  • memory/1444-13-0x0000000000930000-0x0000000000EFA000-memory.dmp
    Filesize 5.8MB
  • memory/1444-257-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize 192KB
  • memory/1444-294-0x0000000000930000-0x0000000000EFA000-memory.dmp
    Filesize 5.8MB