Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18/11/2024, 21:22
General
-
Target
6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe
-
Size
3.7MB
-
MD5
1e9fcd18eeb3a26fc6bf433dbce6bb5b
-
SHA1
005aa36da58e05ce2613172f610dc26a810188c4
-
SHA256
6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d
-
SHA512
882cd7f69c2ff8a71750096d13e12d12b7099db089a39a126c576ad862df5ff3ea3aeef0e0837c175eff9a190bee699478ddf25a614f20dc4e0a4a859c04d5a8
-
SSDEEP
49152:tJX7zglZTo7c+2M5VWgtwkJyShV5VRz/dtmSp1YTLfNEX:37zglZ+2QXwkJFh/VRDSSp1Uf6
Malware Config
Signatures
-
Floxif family
-
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Detects Floxif payload 1 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 18 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe"C:\Users\Admin\AppData\Local\Temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exec:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exec:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:25 /f6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:26 /f6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:27 /f6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.5MB
MD5579f6afbbcbdc3fae80e8efd1b716098
SHA1bf715bd74c9e6bc75a66569e8e84097852beb2f6
SHA256db5a46e9ab3348a44d041b8ed879d8fbb6f880379194cae19509ed4f34fa13d5
SHA512d54cea1860c427b7b38459b1f548c7bfc69630ac42283a922292531313e088ec61b05d1ea44ee131347b9a83470bac13c70d3493739e06813bde59984444ee4d
-
Filesize
135KB
MD5789e7f22e4e7dbdf7b67ad37bee77b17
SHA1d86e1afa6905bf2b79c167397de16231ade53e59
SHA2561e8cfc133c85d8f9fcc20b627c08dbc5c09237ce26cfadc7130c0d045ed2b79b
SHA512f38ca1b45d06bd94c4fe662d487c2478aea4346a571976cb9f151b4bade625275a298c919d4a88d789924ad9e34e80b7c14dfcd237405597955da2971e12bb27
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
3.5MB
MD59ec2d02673ed27f1be75b11da5436a24
SHA1d18ee5dc7be3b9938d47e10a8706463664e84697
SHA2568475a9361b1802e26ea8b9dd25ade908733b0fea9d4c9da0d1a0fd3cfc2da69c
SHA512706d941db6bc4597ee47bc711f96f4becd24e53a75217e1a809b0a17103c9e6efd6278cae2ca85f11e24129c0361ff5fff9ccaa92566dfd8a3a4bec212c62c5e
-
Filesize
135KB
MD544efd38196c26f62d64eccad2b4c9443
SHA1c748cfe87773937e6c08cefcfa37ec8d4c55563c
SHA256a75ee036867a4401ecd872e0c099ee579f438ef80a4046496c283293f1ad9fd3
SHA51288f395e7b9402d9d7cb0611c3ff1861d675732e8dfa5917ed7d4d58b43ac01e231babb2b265dd44b268e6e0617900fba0104f7516f19508b3c55a5a55525cfc5
-
Filesize
135KB
MD5d58d34d2d58d99884fc5ec6e2934c835
SHA1fc89eb4a965a551b3bfbebb000f594480ed37f22
SHA2561f659e6f7b3d4d1be97756ce332d4611cd84d338fb53a71bf8c4819df5cefcda
SHA5126b319277305142fa14d06d0886d49c93ad0eddbb382c983ba3732119948c5d2bfd0b6d496191cad26553e11b7e55e30335554232e46c45af31dd023d177e6f75
-
Filesize
135KB
MD5fc9ef458d066dacb6dac516308537d79
SHA116562dc7d53e7fc9607a91399aa93b1b20453349
SHA256afd2e7257503c879a4bcc9c2ac4e9ea4345c7bd5b7274b731c306d997bb38078
SHA5126c1d08e7adb5d4246dcc49d0abb475137aad0adf4e691db3e18bc2d04cc8ecde4b96d9719503974593a6c89bcb67cc522ebe854a433fceb7ac3a4cc46d479e2a
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB