floxif | 4f5a548b063a2c81aa6a1c250ecc7eb2dd38412d514769b5eb3b4e8d3adbaa8a

General

Target

HlHoAxqIJLIFkvH.exe
Size

268KB
MD5

228af1b9418b8dde1deedf2bece8e331
SHA1

cbdcabe8305019287710e7ba6888cf0fd865a6c6
SHA256

4f5a548b063a2c81aa6a1c250ecc7eb2dd38412d514769b5eb3b4e8d3adbaa8a
SHA512

4c9ea31909603cdd587cf7beea46b4bb07cd1cc5c9983baddd4b5020f4bf8e0291888248fe0a973cf7d59362d1a3fb02dd5418b9ae1a52c22db2f30fefb9fa6a
SSDEEP

6144:w14BEZBGl36gvGltZEvDQ9u7JaSBV+UdvrEFp7hK52:w6EjGQg+ltZEvDQwJnBjvrEH7w2

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000c000000023bb1-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000023bb1-1.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	HlHoAxqIJLIFkvH.exe

Loads dropped DLL 1 IoCs

pid	Process
4600	HlHoAxqIJLIFkvH.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	HlHoAxqIJLIFkvH.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000023bb1-1.dat	upx
behavioral1/memory/4600-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4600-25-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	HlHoAxqIJLIFkvH.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	HlHoAxqIJLIFkvH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HlHoAxqIJLIFkvH.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	HlHoAxqIJLIFkvH.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
856	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4600	HlHoAxqIJLIFkvH.exe
4600	HlHoAxqIJLIFkvH.exe
4600	HlHoAxqIJLIFkvH.exe
4600	HlHoAxqIJLIFkvH.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	HlHoAxqIJLIFkvH.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 856	4600	HlHoAxqIJLIFkvH.exe	89
PID 4600 wrote to memory of 856	4600	HlHoAxqIJLIFkvH.exe	89
PID 4600 wrote to memory of 856	4600	HlHoAxqIJLIFkvH.exe	89

C:\Users\Admin\AppData\Local\Temp\HlHoAxqIJLIFkvH.exe
"C:\Users\Admin\AppData\Local\Temp\HlHoAxqIJLIFkvH.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HWID.txt

Filesize
271B

MD5
d3f223350a3b7b4c186b02d5f0d36ea7

SHA1
103dc333ad50f39b96048d9c5d51cf13188655f6

SHA256
d3275e2d452b4b8f1ad793e023b9e0e22139fc39edb8f41cb4d32d348f372866

SHA512
22e24916a212682d6ee8199685062583dd0857203adf1bedd5bc2b21b86ea0c49759f66a39c4721434fd00f66c05f0208352efdbda0f9013b6c9e2af3ad557b1

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/4600-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4600-6-0x00000000009B1000-0x00000000009B2000-memory.dmp

Filesize
4KB

Download
memory/4600-23-0x00000000009B0000-0x0000000000ADA000-memory.dmp

Filesize
1.2MB

Download
memory/4600-25-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads