floxif | 60edf0e44ad925459189869dd9ad1cc17cb79a6004fe93b31ddb10fcad72ecba

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
Size

6.4MB
MD5

ccf5cd340ba157fc9bfaeb2f9820e6d5
SHA1

85b0977975adf75c8d2623514f0c1e3b52f5e3ab
SHA256

60edf0e44ad925459189869dd9ad1cc17cb79a6004fe93b31ddb10fcad72ecba
SHA512

157a3c7b27a2e92f35e0afa56f22135b98498950b966777c2fb1a430ee6eeb08f5977de30725e99b5668219b6df373716ae60b145020528a40b715ccbd39ca41
SSDEEP

98304:yk1/kuHdM2ZC6bvOJ/AfHFAtruKenSDWBXYVSq+TUr9DxScZc//xqih1hIt2NAzu:hfM+pC9AfiNFMIVSXktwZsi2sNAPq

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000d000000023b6e-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000d000000023b6e-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1608	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Loads dropped DLL 3 IoCs

pid	Process
4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
1608	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
1608	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4740-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000d000000023b6e-1.dat	upx
behavioral2/memory/4740-119-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4128	1608	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe = "11001"	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1608	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
1608	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1608	4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe	84
PID 4740 wrote to memory of 1608	4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe	84
PID 4740 wrote to memory of 1608	4740	2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\Temp\{73FBD0C6-A95A-46AD-8BFA-8C2977DF47EA}\.cr\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe
  "C:\Windows\Temp\{73FBD0C6-A95A-46AD-8BFA-8C2977DF47EA}\.cr\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe" -burn.filehandle.attached=640 -burn.filehandle.self=784
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 2572
    3⤵
    - Program crash
    PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1608 -ip 1608
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\75FB11401284.tmp

Filesize
6.3MB

MD5
4a392a508452821fdf82fd8deef798ac

SHA1
ac5adba130e93bb20b9d7a347088f8c19ca5fc28

SHA256
7d8afc364d746095e43d6157e80dda547f3bf6c803e53101dadee8ab05cfc13a

SHA512
d1eaea614acfe3bb5daa89e1384ab3783716747ced30860b943ef6f5bd97dd9f4bb37b3e7455523de4e84a80d66f69a68ebd8e2fd2467f16bd45a061ec7f4815

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\Avira.OE.Setup.InstallationCore.dll

Filesize
645KB

MD5
0ffaf9e8f6b21c353c40104b1ae444b2

SHA1
51120d15af92e659cb98a58c88cb88a4783dadef

SHA256
a178243464cfda4f514b60566ff7c41a855432c360d04741ea6adcab91a6a1de

SHA512
8fe1959ee3a9943414677e93192b6b931cfb530babdae7df4a105bca65da8711197a347069939bd0b4853b0c6e426d6aa8347263c6d32aa645f2d9aa5db8d874

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\Ui\page.html

Filesize
6KB

MD5
8d12108df79297a8a3709dc913501ef2

SHA1
4f3b907d2a56b95a53e9c2b757cedfd3b083f295

SHA256
d2e1cdd3244338f219978c725be1375956cd06bcf65e1634453f33c4aff18221

SHA512
55a06dddc2cb3c03575634ccde742ef9f631385c5e22932110cf8554a7fb36b8b1ff4fde5c53a8877fc78732c2aeaeb13d63ae55034888e9c64c93086019b04c

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\Ui\scripts\jquery.min.js

Filesize
93KB

MD5
f03e5a3bf534f4a738bc350631fd05bd

SHA1
37b1db88b57438f1072a8ebc7559c909c9d3a682

SHA256
aec3d419d50f05781a96f223e18289aeb52598b5db39be82a7b71dc67d6a7947

SHA512
8eeeaefb86cf5f9d09426814f7b60e1805e644cac3f5ab382c4d393dd0b7ab272c1909a31a57e6d38d5acf207555f097a64a6dd62f60a97093e97bb184126d2a

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\Ui\scripts\main.js

Filesize
2KB

MD5
b6e79cc5559a7d4aa15e607e6c9a4435

SHA1
b029056d4228931c65c36b543b7750d645344eb3

SHA256
56eb30ad85dc6ac21258bf86dc38999b8ec181d6e695653605afee194c89a9e4

SHA512
d829aafb959a6e9d7b702f7ab30d226a9d54ecfb6bebb33193a1edf7fb778bbdda4089a95346f974ed7466abbee130c652effe3e368d1011a994d35bcf07b219

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\WixStdBA.dll

Filesize
273KB

MD5
1dc48d8fc7dea9816fe37b223770a550

SHA1
2a46661bd8c6defa1d5ca3d8eebf0af611318565

SHA256
263f907046073c8bcd50b4d88cbdd497936d55f044140380cfd4142862177656

SHA512
8b602c6c6efd8418b3a609582297185944f9ed16f652ae82e7ef10d7dc344b582d00771e6e4bf51123710fa6b894aba2605a8d9a88ce51c685cd7a7ed0822141

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\logo.png

Filesize
4KB

MD5
199ad0ae37d27171ceb3f99666d037ff

SHA1
24dfd957229bcbce96d853252721d7a015361c8b

SHA256
df9b0c0eb348162383522a326e2bfc9e0ba0d9621478ab6efccf30e6c698f117

SHA512
e6e712d8feeb699be70078f22085fbd9e7300f5550a9088727768da9a46f80bcd1f263032b64b7891cfde657a8148b64d83417024176d547b135f966fe4ad8d4

Download Submit
C:\Windows\Temp\{4E485447-53AD-4343-8D24-A21A1F33507D}\.ba\progress.gif

Filesize
23KB

MD5
0a8845f9504c4308995cafef392c4bd6

SHA1
91016679643297ca68f508832eaff1ea10cd4602

SHA256
3c27dfe3da72200a4417ed13027736f87ea8166190b418162d1e883733fdbfc9

SHA512
71210d3ac26b28e6ff7942da09d88f95cd04e32067665d5a9096eeeca8a635521ed1748037e79b11ec7f16a24bc799d21ab01a3542dddbd0d72e77a88e15ddc4

Download Submit
C:\Windows\Temp\{73FBD0C6-A95A-46AD-8BFA-8C2977DF47EA}\.cr\2024-11-18_ccf5cd340ba157fc9bfaeb2f9820e6d5_bkransomware_floxif.exe

Filesize
1.4MB

MD5
0bcba06d70704adc78813afdcfc69f9e

SHA1
67c5e20fa0953f5db211c238484931255f59006a

SHA256
03f3beb0405effee7ea2277287dae8f353730f41bf92b6612fd294fc950c44c9

SHA512
f2fda360df7938573c6c4fa779e01a114a97d0938642657fa29192cbf659dcad4447e61729fe5652ad7911255cafdef230ca1beae24d1153666bedfa7f5bece3

Download Submit
memory/4740-5-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4740-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4740-6-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4740-117-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4740-119-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download