Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 20:36

General

  • Target

    27e5d6f6db433b53db3c535538512b27b4aec7d2af13996a9118aef4e195e8b4.exe

  • Size

    2.5MB

  • MD5

    d8af704b6de9cd7b2bd4d84cb29e8caa

  • SHA1

    d400409c90f82f6593ab50c924c6ad9a1a0d5b68

  • SHA256

    27e5d6f6db433b53db3c535538512b27b4aec7d2af13996a9118aef4e195e8b4

  • SHA512

    56efaa823980496547b6cb33903a746c57aa3628c626b321ecf61a97a1e3351843009b685aebb09317449f941799a823b5f6af6d959da0287760e5d4cdd7780d

  • SSDEEP

    49152:NQi1Dm59Z9mam7Lv+7edYBwY/h6yGLhjPSHU:SoDm4am7L+7AYuY3ih+HU

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 22 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27e5d6f6db433b53db3c535538512b27b4aec7d2af13996a9118aef4e195e8b4.exe
    "C:\Users\Admin\AppData\Local\Temp\27e5d6f6db433b53db3c535538512b27b4aec7d2af13996a9118aef4e195e8b4.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\Users\Admin\AppData\Local\Temp\27e5d6f6db433b53db3c535538512b27b4aec7d2af13996a9118aef4e195e8b4
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Inf\svchost.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\Inf\svchost.exe
        C:\Windows\Inf\svchost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2960
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:1672

Network

  • flag-us
    DNS
    5isohu.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    www.aieov.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.aieov.com
    IN A
    Response
    www.aieov.com
    IN A
    173.255.194.134
    www.aieov.com
    IN A
    45.33.18.44
    www.aieov.com
    IN A
    45.79.19.196
    www.aieov.com
    IN A
    72.14.178.174
    www.aieov.com
    IN A
    45.56.79.23
    www.aieov.com
    IN A
    198.58.118.167
    www.aieov.com
    IN A
    96.126.123.244
    www.aieov.com
    IN A
    45.33.2.79
    www.aieov.com
    IN A
    45.33.30.197
    www.aieov.com
    IN A
    72.14.185.43
    www.aieov.com
    IN A
    45.33.20.235
    www.aieov.com
    IN A
    45.33.23.183
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    svchost.exe
    Remote address:
    173.255.194.134:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 15 Dec 2024 20:36:45 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    svchost.exe
    Remote address:
    173.255.194.134:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 15 Dec 2024 20:37:03 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    svchost.exe
    Remote address:
    173.255.194.134:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 15 Dec 2024 20:37:16 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    svchost.exe
    Remote address:
    173.255.194.134:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 15 Dec 2024 20:37:26 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    svchost.exe
    Remote address:
    173.255.194.134:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 15 Dec 2024 20:37:35 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    svchost.exe
    Remote address:
    173.255.194.134:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Sun, 15 Dec 2024 20:37:44 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • 173.255.194.134:80
    http://www.aieov.com/logo.gif
    http
    svchost.exe
    342 B
    529 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 173.255.194.134:80
    http://www.aieov.com/logo.gif
    http
    svchost.exe
    390 B
    525 B
    7
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 173.255.194.134:80
    http://www.aieov.com/logo.gif
    http
    svchost.exe
    342 B
    529 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 173.255.194.134:80
    http://www.aieov.com/logo.gif
    http
    svchost.exe
    382 B
    543 B
    7
    5

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 173.255.194.134:80
    http://www.aieov.com/logo.gif
    http
    svchost.exe
    290 B
    529 B
    5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 173.255.194.134:80
    http://www.aieov.com/logo.gif
    http
    svchost.exe
    290 B
    529 B
    5
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 8.8.8.8:53
    5isohu.com
    dns
    svchost.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    www.aieov.com
    dns
    svchost.exe
    59 B
    251 B
    1
    1

    DNS Request

    www.aieov.com

    DNS Response

    173.255.194.134
    45.33.18.44
    45.79.19.196
    72.14.178.174
    45.56.79.23
    198.58.118.167
    96.126.123.244
    45.33.2.79
    45.33.30.197
    72.14.185.43
    45.33.20.235
    45.33.23.183

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll.000

    Filesize

    175B

    MD5

    1130c911bf5db4b8f7cf9b6f4b457623

    SHA1

    48e734c4bc1a8b5399bff4954e54b268bde9d54c

    SHA256

    eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

    SHA512

    94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

  • C:\boot.ima

    Filesize

    1.4MB

    MD5

    11ba9fcc7cfff6e4940abf70fb707eae

    SHA1

    0b2ba1b36eec932a4f0f9433bd5202c1e9a09398

    SHA256

    63d1deaf70ebaacec01aba35896a676e3b5bcc5d56233022b96a174b2f04a652

    SHA512

    dec58982880032fa36c63691a4d00b38c37dfce916c8c06a5e7211beb6f1c6b5e841f2132f2c180a5de9c78f1537b380588bca4065b7257bf70ea4cb197e909f

  • C:\boot.ini

    Filesize

    78B

    MD5

    dea0a4576217d29ba0642cc9b7553960

    SHA1

    e9443f50038d6ae759b85286dad3d4b367542f45

    SHA256

    59cd24365246d4dbf59643850323904d5b65c33b2b81b1bf9bd8ca07816ae77a

    SHA512

    5eae93d334b19451c8b8765857e0946c7503aea90f83a1d325bbe00de4c8661c9dce5d7394e5b833762ac34d0927e6949afd51608b4659fb20fb690300d93420

  • C:\mkldr

    Filesize

    212KB

    MD5

    de632df1f44b107d36cf3451d235ed3d

    SHA1

    cbb5154038adab656f74698579bef8014cb015a1

    SHA256

    195758963684e8aa635124f3a94d29b9fe537af164aa478375350901490e7e4f

    SHA512

    85d1b6d2242337e86f02284468281723093998277afbdbf13c36a13abe28c2ceebb3be7362c9d5e61edf65157d3b79cbd20f10bc5e64d8ead7d28683cedfe654

  • F:\AutoRun.inf

    Filesize

    69B

    MD5

    8e1598a9715ef3e68448813df8e82f4a

    SHA1

    020e696906646cffb4f5ef920e460cc603bdc867

    SHA256

    68cf63cd67b684da2fd0964b105bc4049dfd8723624deecabb3acc6059539cba

    SHA512

    5d31ac69962e83774011843eda18ac399a2d4cba82b247e60ea9f9b3327e4ca637d1ee1f0250beab1a5fbf79e35d447b89eb3de75377f0f5989e597a36a92884

  • \Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • \Windows\inf\svchost.exe

    Filesize

    2.5MB

    MD5

    d8af704b6de9cd7b2bd4d84cb29e8caa

    SHA1

    d400409c90f82f6593ab50c924c6ad9a1a0d5b68

    SHA256

    27e5d6f6db433b53db3c535538512b27b4aec7d2af13996a9118aef4e195e8b4

    SHA512

    56efaa823980496547b6cb33903a746c57aa3628c626b321ecf61a97a1e3351843009b685aebb09317449f941799a823b5f6af6d959da0287760e5d4cdd7780d

  • memory/1672-7-0x0000000003A90000-0x0000000003AA0000-memory.dmp

    Filesize

    64KB

  • memory/2280-17-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2280-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2280-18-0x0000000000400000-0x0000000000675000-memory.dmp

    Filesize

    2.5MB

  • memory/2280-1-0x0000000000400000-0x0000000000675000-memory.dmp

    Filesize

    2.5MB

  • memory/2280-6-0x0000000000460000-0x0000000000464000-memory.dmp

    Filesize

    16KB

  • memory/2736-22-0x0000000002560000-0x00000000027D5000-memory.dmp

    Filesize

    2.5MB

  • memory/2960-56-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-46-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-67-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-87-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-95-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-26-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-106-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2960-117-0x0000000000400000-0x0000000000675000-memory.dmp

    Filesize

    2.5MB

  • memory/2960-118-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.