floxif | 4f5a548b063a2c81aa6a1c250ecc7eb2dd38412d514769b5eb3b4e8d3adbaa8a

General

Target

HlHoAxqIJLIFkvH.exe
Size

268KB
MD5

228af1b9418b8dde1deedf2bece8e331
SHA1

cbdcabe8305019287710e7ba6888cf0fd865a6c6
SHA256

4f5a548b063a2c81aa6a1c250ecc7eb2dd38412d514769b5eb3b4e8d3adbaa8a
SHA512

4c9ea31909603cdd587cf7beea46b4bb07cd1cc5c9983baddd4b5020f4bf8e0291888248fe0a973cf7d59362d1a3fb02dd5418b9ae1a52c22db2f30fefb9fa6a
SSDEEP

6144:w14BEZBGl36gvGltZEvDQ9u7JaSBV+UdvrEFp7hK52:w6EjGQg+ltZEvDQwJnBjvrEH7w2

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000b000000023b67-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b000000023b67-1.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HlHoAxqIJLIFkvH.exe

Loads dropped DLL 1 IoCs

pid	Process
4208	HlHoAxqIJLIFkvH.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	HlHoAxqIJLIFkvH.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b67-1.dat	upx
behavioral2/memory/4208-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4208-25-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	HlHoAxqIJLIFkvH.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	HlHoAxqIJLIFkvH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HlHoAxqIJLIFkvH.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	HlHoAxqIJLIFkvH.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3604	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4208	HlHoAxqIJLIFkvH.exe
4208	HlHoAxqIJLIFkvH.exe
4208	HlHoAxqIJLIFkvH.exe
4208	HlHoAxqIJLIFkvH.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	HlHoAxqIJLIFkvH.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3604	4208	HlHoAxqIJLIFkvH.exe	89
PID 4208 wrote to memory of 3604	4208	HlHoAxqIJLIFkvH.exe	89
PID 4208 wrote to memory of 3604	4208	HlHoAxqIJLIFkvH.exe	89

C:\Users\Admin\AppData\Local\Temp\HlHoAxqIJLIFkvH.exe
"C:\Users\Admin\AppData\Local\Temp\HlHoAxqIJLIFkvH.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HWID.txt

Filesize
271B

MD5
4f85c4aae7fee86fc1688b8704e43edf

SHA1
721f3f6a16005ad7a4e94c28cf98560f3c516832

SHA256
eb1c05b3581df581ca5913bcb2918d5a31bb4170152a3cafda1d2b3f15798465

SHA512
8d2b59e6e681bfc6c6491af01d5ccb0d9acdf5a48945da725639a8e4f840ecc9200a706893a2a9b3b940e0c731a7e058f146d13feea046a307b4e40852dad63e

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/4208-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4208-6-0x0000000000F81000-0x0000000000F82000-memory.dmp

Filesize
4KB

Download
memory/4208-23-0x0000000000F80000-0x00000000010AA000-memory.dmp

Filesize
1.2MB

Download
memory/4208-25-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads