floxif | 8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
Size

2.1MB
MD5

8c9ff8e9a5f3c868d921f816043aa853
SHA1

dc41ece8823b27f5532229a144a0cc20c2992d07
SHA256

8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205
SHA512

0decf0b3246484996f73fe3613a7b02eeb2a5fd7a7e9d7ee9cee88feef6d0ae29e44e56b3bdac7343de51ea8b519aa65af04c2abd8716f1d74c38965731b0384
SSDEEP

49152:vOIzHTmaRFGjLqI05xooWsxlZw7xLJ15hPDyZNBim/8HTFv:vOIzzmaRFGjLavW0wNLH5t2bA1HTB

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
2644	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
2644	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
2644	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2844-0-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-2.dat	upx
behavioral1/memory/2844-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-128-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-152-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2644-153-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2844-154-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2844-162-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2844-161-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
Token: SeDebugPrivilege	2644	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2644	2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe	28
PID 2844 wrote to memory of 2644	2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe	28
PID 2844 wrote to memory of 2644	2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe	28
PID 2844 wrote to memory of 2644	2844	8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe	28

C:\Users\Admin\AppData\Local\Temp\8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
"C:\Users\Admin\AppData\Local\Temp\8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe
  "C:\Users\Admin\AppData\Local\Temp\8f988ddeac35912837aea2cb71c49e8756ecc1449eb1fe5e4d1233b52eebb205.exe" -sfxwaitall:0 "EasyBCDPortable.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCDPortable.exe

Filesize
205KB

MD5
0e8d64ec3c76fee99b3a1428cde987db

SHA1
992f6e92db5b494fdc87a321eade7f0f3ef6323f

SHA256
bc7c905bab5d03ea91644ab9eb744fce3e0e060db80a46a71c18addad53aee17

SHA512
195e65709850d813a29224e7e71b533aca4ad5fc1769688b0ec525b704811d8d1fdb3f8b2ff19ac22f37421c06cd5c908759a31c963aa5341382cd17da8b4cd4

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\EasyBCD.exe

Filesize
965KB

MD5
e478c92160a3c73c77cdc9f515dfd8b0

SHA1
f0fa230f8c26bcbddc3b68f38ce0793d46c0ca2b

SHA256
6a6e16c176004128b918ef3f9ecf1d51d828e6099fba6542b5ac6abdb67c1030

SHA512
3682b4f5bc31cd056c3f552da657309093e35b4757c073a223385c04765f622ce9ee000fb5dbc950c68ad7913ffdcc831ef65bd5ed7241f6179ea375b17be822

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\NeoSmart.Localization.dll

Filesize
25KB

MD5
ad0a59ae87d4ba106e965c62f0bc3d88

SHA1
5b39b6fd95b5bee72a17d79a1f4958256a5c4149

SHA256
3a56005b2efb34620019ef432fe90eeb63726fc78b37be841f25c2aed82eb1db

SHA512
562b2cbd3fdbbb71dee9fdb68bd24b9bbf27beab93de338a616baec837910f31ad3b13d75564d45a1cca26e1150517b47d0b3984bae7d08675593bde22bbea98

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\Newtonsoft.Json.dll

Filesize
472KB

MD5
0953851089821550ef013b487da3915a

SHA1
7b4dfb7d547404fb6f3cc561d9475209aa2c6172

SHA256
4a56ef352f84ad19c1b4486c7c9e64fef9a67c464c62e51bababa79cd2d89551

SHA512
4a41a97527604042e1d28e2869aac1dea79da372ffc7e211415e45e4212a853971731cf4fc9595d81c4f4b824f8e7441c2ad6f2641d053cd783b264c83c29e86

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\BootGrabber.exe

Filesize
183KB

MD5
2e12b37d32c8bcf8920f5ebb6d24a6b9

SHA1
7fcd9e4ebfa2c400d6340133440c087e56a3c9e6

SHA256
f9842333f0b562b4ab5349a09fc173b0b2971c1f600502c4284781c78a735d7e

SHA512
aa82f1ed984174a1b5a610eb28a422da6172dd027678d9d4b7a9714e85e050616403ad294a005ad1ab39032758a4d2fd8d498b1241dedda8c91698ffc7d3c527

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\NST Downloader.exe

Filesize
18KB

MD5
a5b3ea9ee11e9752417159ba1c618b95

SHA1
7f336b35f3a2a9d0a1c9f47227b27545aa7ead34

SHA256
b92b2fa8916c78ccffef058d3be900c840cb996028d373ba55985fd1d1dddac8

SHA512
cebbec335baae8551c901106d325c2853891a27585ed47f1bbae2f73cb62f1af93f1534ade8f85e6f345141d2475e08ad75a5e1adb06f46ba78dd6f56f5a0953

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\NetTest.exe

Filesize
11KB

MD5
3f3be08145d962f3146f9632ca1ec910

SHA1
50903bdb01df135ac4492a2f004a22da757e1170

SHA256
c35b26223b07d81e9ab638b52e5344d33e10df874457a7b1cfbda6f591a07c7f

SHA512
5bdea94a15a2514f33728f956cd89fdc6d9cd7cf9d0cb25ca85092494323cc1b21b7610792c3a0090c9835541a55eb1103e13caba8d2fd30c6bd1b8566696ef1

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\UtfRedirect.exe

Filesize
189KB

MD5
5b40791899fa37507e7c08bc3d9f5294

SHA1
cb98852ec22251b5124507427d05b3dfe7ec53a7

SHA256
5a87d9485f6e13ee2c3ba4ac289a3e237d17a43ed428b8a5bd5f00fc4800d1ac

SHA512
d2c0de00943d7e9961571a8e798688e46a8e7267086e15abaae8abca0fa7aedd02d5df3c5eb3dc6cfab0c5982694129bf5b9c0cb5d8e978fec0d76d54e441390

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\bcdboot.exe

Filesize
142KB

MD5
9f9e397630a146e875735f2f42339e6b

SHA1
2456a3bf83b095a31dd338decad7672a5472fceb

SHA256
9898f537b8d3097a05b42f42523cd66fca7c020e8083edbe461e6d9a12dd168e

SHA512
1e149f89800670c9564efa9406a09b513439209760da0d425fb17a68446d993048aefa5962b209c9ae438be8452ad88e767810fdacd755dd0ce826e973193767

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\bcdedit.exe

Filesize
317KB

MD5
a60cbaea0f8ac802d21c0cc7bc2589be

SHA1
f4c1f4b7f340968ba9c360f3fc1ef783a8bc7b2a

SHA256
8bf1b71182fed18d6b4112bdc4d496800b5bf6681de4c4f6536ba67378f38a12

SHA512
24ab704e214758b9318a333bb3a466a05e4218fbef70752b266d782e5fe89de19db8e5d5a584245fcc6aaf32ea99a0764583b3cc56299e99a2b7cf6ec42c2ccb

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\bootsect.exe

Filesize
107KB

MD5
da39bba4267ec54de12374bfd88d0df4

SHA1
05b134624cde95176f76378e8c22c4b7ef7b8a7e

SHA256
f15e3c9a8f73c6dc4ea8f0a174915b6edca06c75332eec8a28e7a4b347276d4d

SHA512
c605422c8a09d20a11be7c8e3066995f308e58070f7c6b8a8e705c13360f1ec13b6eaecff3525bff7d2cd97e4b5eacb220e26b496baf8aeb57ba56bc728d90a3

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\udefrag-kernel.dll

Filesize
46KB

MD5
f72f526b334a578b8fbdc6a20b9e2e4e

SHA1
e89977dbd6e3b21016764ea39e0bfd6c93a02f70

SHA256
0233af69b35decefdc7bb9ab7c8732434ebd4880c3b18085e6116f28431e3d4b

SHA512
ec25fa006943b411b20a2c9ca6824412a47615a62446d0aacf37fdbac48cf785f93008cae69697453efc94785ccdeef06c7292da625a88146369113d95bb3a0e

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\udefrag.dll

Filesize
8KB

MD5
cea23b2e0c8eb462edfa442b1ccf4cb7

SHA1
fcf8357e16d18c723e21da92d8a798c4725ebe6d

SHA256
f62d78f847f8fb37992d4024ece99d6c82dd3c83fca04527d2a06f6af3fb4bff

SHA512
8d83a47ba988cf582f3abe0d4f53b9db9ba4e9da752767deecad9b1821a848b15f94395ec378014cab47156ea6457a3d6510ff4c6994f409b608cf2b0888bd76

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\udefrag.exe

Filesize
24KB

MD5
b28589bde044417287d73eac95142958

SHA1
dfd7e1f7d22c4fb7df40a6dcf05fd2fbe0273900

SHA256
0863be7c3a6d3ff526e2c333f605e6fc4ed96bf71dd8fd8f8b81489f721ffc52

SHA512
d283a4852926160d8ae360089f378b977c150f162edaf6bbe60a06007c814e52436174de7d96a01cce66403a5c9a91db063fb825593b2858b4cf1dfb962f79a9

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\zenwinx.dll

Filesize
46KB

MD5
bf9f6c9d161e6dc291632f67bb416e2c

SHA1
9578cf0f91565a70b5893c5ef1400d694b7b6afa

SHA256
66c50953b5c89078e326bbe2eb19307e8d696ffaa8cad1c6123d7a750128d18f

SHA512
09799dfd71ea229c4e82f31acef582529160289f49838ebdcef6a5f6b3a6e536411c87f9c007535c83a27f68715a9abd9628a2a8291cd8693e3edcc67093e451

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\App\EasyBCD\bin\udefrag-kernel.dll.tmp

Filesize
122KB

MD5
3656ab40b7c1d498047c1e76a7ae7442

SHA1
b4fc2b98144c2ab8a5298df97c0dc1010e148a75

SHA256
9c6be1e33652d36994262cf2c8742e852b88f6c4a9be0de5d0894dcf83010c47

SHA512
f63745263e61264625d45ebc328781ecf8cffcf104f538cae0cfdef61d555164c0b855e871f0ff2d10f0f10a36226eb538c6833fbff2a4689f5e0d4925606bc0

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCDPortable.exe.tmp

Filesize
281KB

MD5
f50f4113cf1df9fa23920b923babb5aa

SHA1
9bdf7d1c2d7feeaecceae70857c971c9d0985e41

SHA256
3f9696245e4127edafada118d5c07a4f83eb9e9d4363ea7e313559c29af3c0ab

SHA512
7a2f199dc9fb63a106645c656e549120ee708e5deeff0972d01c03c1fcfc1bf35168bf78af95b9bb432328b03fee0ee617207d2c589823ce325f587ba2331f58

Download Submit
memory/2644-153-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-152-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2644-128-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2844-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2844-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2844-125-0x0000000001ED0000-0x0000000001F19000-memory.dmp

Filesize
292KB

Download
memory/2844-154-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2844-162-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2844-161-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download