Overview

overview

10

Static

static

3

52948a92ee...5N.exe

windows7-x64

10

52948a92ee...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52948a92ee6e1930a05bd676f7dd1febaf9790ceeed0c9a9ebfcbfab16ef0925N.exe

  • Size

    1.2MB

  • MD5

    9f2b804477147f9ab6782b153bac4070

  • SHA1

    e8ee1cac13fbb764f2bed7be7db669e90dafc18f

  • SHA256

    52948a92ee6e1930a05bd676f7dd1febaf9790ceeed0c9a9ebfcbfab16ef0925

  • SHA512

    309d2f0b4cdcbac745ba60f8f575d2ce6bb11c9d3f0f96610095c21031c934e7f10d9ac4b211bc19b5744646f1ef46f479e6d6c12ea31b73fb944b4e3efcff86

  • SSDEEP

    24576:hMbrn/kG9Pwrn/POzMQGEvGH3RDDtAi1PDxwQo79mRUwbSlcfSgQ+n81lMRGJ/qU:hmrn/x9Pwrn/POzMQGEvGHtDtN1dwQX4

Score
10/10
floxifbackdoorbootkitdiscoverypersistencetrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Detects Floxif payload 1 IoCs
    backdoor
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops desktop.ini file(s) 35 IoCs
  • Network Service Discovery 1 TTPs 9 IoCs

    Attempt to gather information on host's network.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops autorun.inf file 1 TTPs 35 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52948a92ee6e1930a05bd676f7dd1febaf9790ceeed0c9a9ebfcbfab16ef0925N.exe
    "C:\Users\Admin\AppData\Local\Temp\52948a92ee6e1930a05bd676f7dd1febaf9790ceeed0c9a9ebfcbfab16ef0925N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Writes to the Master Boot Record (MBR)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\SysWOW64\arp.exe
      arp -a
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\CQ.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im qq.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2752
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.0.1 0b-ad-39-44-92-ad
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2744
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.255.255 d3-25-4f-cf-93-b6
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2468
    • C:\Windows\SysWOW64\arp.exe
      arp -s 154.61.71.51 33-40-3d-7f-2a-ac
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3040
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.22 0b-39-fc-36-34-54
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2780
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.251 0e-9d-19-6a-8b-66
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2912
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.252 7e-90-ca-9c-0b-b3
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2140
    • C:\Windows\SysWOW64\arp.exe
      arp -s 239.255.255.250 05-af-ce-93-55-63
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3020
    • C:\Windows\SysWOW64\arp.exe
      arp -s 255.255.255.255 e7-d2-a8-c1-28-06
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files\Windows Media Player\0" /d everyone /e
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1712
    • C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
      "C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡" pid 804"C:\Users\Admin\AppData\Local\Temp\52948a92ee6e1930a05bd676f7dd1febaf9790ceeed0c9a9ebfcbfab16ef0925N.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 564
      2⤵
      • Program crash
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
    Filesize

    1.2MB

    MD5

    9f2b804477147f9ab6782b153bac4070

    SHA1

    e8ee1cac13fbb764f2bed7be7db669e90dafc18f

    SHA256

    52948a92ee6e1930a05bd676f7dd1febaf9790ceeed0c9a9ebfcbfab16ef0925

    SHA512

    309d2f0b4cdcbac745ba60f8f575d2ce6bb11c9d3f0f96610095c21031c934e7f10d9ac4b211bc19b5744646f1ef46f479e6d6c12ea31b73fb944b4e3efcff86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CQ.bat
    Filesize

    30B

    MD5

    458d6a0f8398f6fa8bda7bb2ba5be353

    SHA1

    eec02a1cf5047cee3d4dee32ef13498c49a61154

    SHA256

    66142298d915314ddb48b417e96b48936e71a190d8f7cd8ae5a053cbe2746ddc

    SHA512

    c4fad6cafa4b17da18f5beceb65f91414c9fa0774c99caeadc87bc44f5faee6425208c78f6f111bec71b2e0cf58922c4bb62a0e3247b2af7699113a76c11c730

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\temp.bat
    Filesize

    72B

    MD5

    593ce3f439bb49aa3ef95af11b146c18

    SHA1

    1475674af547f66b3de40d5afde11fcb558a53eb

    SHA256

    886e68d9e6edb3b9ed472e9990fb9b0822c3be5e4cf6066af986edfac465546b

    SHA512

    76378b3017f75e0dbbf03a8bedf12b5b80c2d5da7a108ab7024acbbb7deac44ed16e054b53e86f9c8aef210f3a9cb3d1d39e43a698281b92149501c39d863349

    Download Submit

  • \Program Files\Common Files\System\symsrv.dll
    Filesize

    71KB

    MD5

    4fcd7574537cebec8e75b4e646996643

    SHA1

    efa59bb9050fb656b90d5d40c942fb2a304f2a8b

    SHA256

    8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

    SHA512

    7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
    Filesize

    28KB

    MD5

    992322b55f2684fe4c83b8e94dd54adb

    SHA1

    0990c5d0da44f3dfa45208c8d7d6ca27614dc165

    SHA256

    d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

    SHA512

    471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
    Filesize

    1.0MB

    MD5

    4b30dbe1a79b2b7572ff637cb3765ced

    SHA1

    b08eba0e9bdb62d426db8d2b3d451152a56f79a1

    SHA256

    4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

    SHA512

    40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

    Download Submit

  • memory/804-53-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/804-54-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/804-7-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-4-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/804-13-0x0000000002A40000-0x0000000002B5A000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/804-1-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/804-46-0x00000000028C0000-0x0000000002921000-memory.dmp

    Filesize

    388KB

    Download

  • memory/804-45-0x00000000028C0000-0x0000000002921000-memory.dmp

    Filesize

    388KB

    Download

  • memory/804-52-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1868-47-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1868-48-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1868-55-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1868-57-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1868-59-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1868-60-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download