Overview

overview

10

Static

static

3

6ee51bdbb2...2d.exe

windows7-x64

10

6ee51bdbb2...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe

  • Size

    3.7MB

  • MD5

    1e9fcd18eeb3a26fc6bf433dbce6bb5b

  • SHA1

    005aa36da58e05ce2613172f610dc26a810188c4

  • SHA256

    6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d

  • SHA512

    882cd7f69c2ff8a71750096d13e12d12b7099db089a39a126c576ad862df5ff3ea3aeef0e0837c175eff9a190bee699478ddf25a614f20dc4e0a4a859c04d5a8

  • SSDEEP

    49152:tJX7zglZTo7c+2M5VWgtwkJyShV5VRz/dtmSp1YTLfNEX:37zglZ+2QXwkJFh/VRDSSp1Uf6

Score
10/10
floxifbackdoordiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Detects Floxif payload 1 IoCs
    backdoor
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe
    "C:\Users\Admin\AppData\Local\Temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3544
    • \??\c:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe 
      c:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1188
      • \??\c:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe 
        c:\users\admin\appdata\local\temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe 
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4692
      • C:\Windows\Resources\Themes\icsys.icn.exe
        C:\Windows\Resources\Themes\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1564
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2188
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5032
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1700
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:60
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe.tmp
    Filesize

    3.7MB

    MD5

    8303ff0e500545a043469a269f3e4362

    SHA1

    aceab23e8ab1f6e23de6c436eac7323328effca7

    SHA256

    56288535c3d56f6043a15534802a55a875a0967f752382189e5e88b878d6be90

    SHA512

    61241144116ad2c249f1da8f9005ecc934b3a86c4ae06c7427104ecacda9117636edb3d0c2f255e6c5ce7b72bf36b85c2447ab2398035e2100b8e25c12708d2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6ee51bdbb27a53ac641cd55ee4aef446b3cde8a5376f834d6951fbed21935c2d.exe 
    Filesize

    3.5MB

    MD5

    9ec2d02673ed27f1be75b11da5436a24

    SHA1

    d18ee5dc7be3b9938d47e10a8706463664e84697

    SHA256

    8475a9361b1802e26ea8b9dd25ade908733b0fea9d4c9da0d1a0fd3cfc2da69c

    SHA512

    706d941db6bc4597ee47bc711f96f4becd24e53a75217e1a809b0a17103c9e6efd6278cae2ca85f11e24129c0361ff5fff9ccaa92566dfd8a3a4bec212c62c5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A1D26E2\8676DC44A4.tmp
    Filesize

    3.5MB

    MD5

    579f6afbbcbdc3fae80e8efd1b716098

    SHA1

    bf715bd74c9e6bc75a66569e8e84097852beb2f6

    SHA256

    db5a46e9ab3348a44d041b8ed879d8fbb6f880379194cae19509ed4f34fa13d5

    SHA512

    d54cea1860c427b7b38459b1f548c7bfc69630ac42283a922292531313e088ec61b05d1ea44ee131347b9a83470bac13c70d3493739e06813bde59984444ee4d

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    789e7f22e4e7dbdf7b67ad37bee77b17

    SHA1

    d86e1afa6905bf2b79c167397de16231ade53e59

    SHA256

    1e8cfc133c85d8f9fcc20b627c08dbc5c09237ce26cfadc7130c0d045ed2b79b

    SHA512

    f38ca1b45d06bd94c4fe662d487c2478aea4346a571976cb9f151b4bade625275a298c919d4a88d789924ad9e34e80b7c14dfcd237405597955da2971e12bb27

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    73715534504394cd2b2dc71b2435e38a

    SHA1

    a6b4c0e179a6db3243c0da4e941ed659563312f2

    SHA256

    64268aa8fecfea25cc39566c98a4543fe04e0fd47efb513c406b464275da8970

    SHA512

    e8ef1e664b3a04ba717555f7f2c7e81f8d99f1f9d9a89966917eefa71b219420368b82b5a8b5d37c593dc615e910075aaf9ccc89efaf3b36aa24b39a59e127e6

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    40cdca0c108de6411bc8265b5a7a5a81

    SHA1

    41a4d3683e8a2e961052315baa3971a95ff976f5

    SHA256

    f85794eab109f56b70cbe7167230d3a8da76bb835562fa7a0d8ad96fd5193e78

    SHA512

    6b6843c1e1581416164a667b9cf8c032fdbca14c6de2aebfdcdd6714cb18d1e6e347a538d56bfd6edfda5ca73d3f334a33b7a1e7caa16967b051b8f6b5860063

    Download Submit

  • \??\c:\windows\resources\themes\explorer.exe
    Filesize

    135KB

    MD5

    a9baaaecb8b64a59c64d2914a8856667

    SHA1

    40bf19cac0e3901b9ce7c840d55a60fe6bea90d8

    SHA256

    9995204b3c4294b888a7a4c686ceee33f7a475c3e105f93880931c0476e7035a

    SHA512

    c338d12cfeef8558596c80caf1f2af7164fd0a5c8db959150981f80da446f1a3bc9fa3e29b29fa6d888fbc2df38efdecaff4f42e805aacb37b20f356f9b2c5a1

    Download Submit

  • memory/60-116-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/60-86-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/60-132-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1188-67-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1188-8-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1188-14-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1188-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1564-64-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1564-63-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1564-47-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1700-108-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1700-109-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1700-76-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1956-100-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1956-105-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1956-106-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2188-114-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2188-97-0x0000000003430000-0x000000000344F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2188-96-0x0000000003430000-0x000000000344F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2188-95-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2188-34-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2188-113-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3544-115-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3544-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4692-33-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4692-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4692-45-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4692-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4692-35-0x00000000020D0000-0x0000000002100000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4692-36-0x00000000020D0000-0x0000000002100000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5032-111-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5032-58-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5032-54-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/5032-117-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5032-131-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download