floxif | c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ff

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
Size

2.1MB
MD5

fda306175c1cb17a4e0d0b1dee469380
SHA1

d22a8a50d1386291d84b0f59563738dca11990ce
SHA256

c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ff
SHA512

bc7e733df02bb474f9c683e30f1731c9896f247e581f202faece66c0a4249876f47eafd009769ae40970c26f31b9efb152e4a4d75556c5ef12e3bb1a6f99601d
SSDEEP

49152:YOIzHTmaRFGjLqI05xooWsxlZw7xLJ15hPDyZNBim/8HTFc:YOIzzmaRFGjLavW0wNLH5t2bA1HTC

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000a000000012262-2.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012262-2.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
1572	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
1572	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
1572	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
1572	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-0-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/files/0x000a000000012262-2.dat	upx
behavioral1/memory/2064-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1572-127-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1572-153-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1572-152-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2064-154-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2064-160-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2064-159-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
Token: SeDebugPrivilege	1572	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1572	2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe	31
PID 2064 wrote to memory of 1572	2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe	31
PID 2064 wrote to memory of 1572	2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe	31
PID 2064 wrote to memory of 1572	2064	c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe	31

C:\Users\Admin\AppData\Local\Temp\c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
"C:\Users\Admin\AppData\Local\Temp\c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe
  "C:\Users\Admin\AppData\Local\Temp\c07053900da3c1b32dd3629ce03ae2e6c8a10be1e8f6c2dc434f6b7a6d61e7ffN.exe" -sfxwaitall:0 "EasyBCDPortable.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCDPortable.exe

Filesize
205KB

MD5
0e8d64ec3c76fee99b3a1428cde987db

SHA1
992f6e92db5b494fdc87a321eade7f0f3ef6323f

SHA256
bc7c905bab5d03ea91644ab9eb744fce3e0e060db80a46a71c18addad53aee17

SHA512
195e65709850d813a29224e7e71b533aca4ad5fc1769688b0ec525b704811d8d1fdb3f8b2ff19ac22f37421c06cd5c908759a31c963aa5341382cd17da8b4cd4

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\EasyBCD.exe

Filesize
965KB

MD5
e478c92160a3c73c77cdc9f515dfd8b0

SHA1
f0fa230f8c26bcbddc3b68f38ce0793d46c0ca2b

SHA256
6a6e16c176004128b918ef3f9ecf1d51d828e6099fba6542b5ac6abdb67c1030

SHA512
3682b4f5bc31cd056c3f552da657309093e35b4757c073a223385c04765f622ce9ee000fb5dbc950c68ad7913ffdcc831ef65bd5ed7241f6179ea375b17be822

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\NeoSmart.Localization.dll

Filesize
25KB

MD5
ad0a59ae87d4ba106e965c62f0bc3d88

SHA1
5b39b6fd95b5bee72a17d79a1f4958256a5c4149

SHA256
3a56005b2efb34620019ef432fe90eeb63726fc78b37be841f25c2aed82eb1db

SHA512
562b2cbd3fdbbb71dee9fdb68bd24b9bbf27beab93de338a616baec837910f31ad3b13d75564d45a1cca26e1150517b47d0b3984bae7d08675593bde22bbea98

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\Newtonsoft.Json.dll

Filesize
472KB

MD5
0953851089821550ef013b487da3915a

SHA1
7b4dfb7d547404fb6f3cc561d9475209aa2c6172

SHA256
4a56ef352f84ad19c1b4486c7c9e64fef9a67c464c62e51bababa79cd2d89551

SHA512
4a41a97527604042e1d28e2869aac1dea79da372ffc7e211415e45e4212a853971731cf4fc9595d81c4f4b824f8e7441c2ad6f2641d053cd783b264c83c29e86

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\BootGrabber.exe

Filesize
183KB

MD5
2e12b37d32c8bcf8920f5ebb6d24a6b9

SHA1
7fcd9e4ebfa2c400d6340133440c087e56a3c9e6

SHA256
f9842333f0b562b4ab5349a09fc173b0b2971c1f600502c4284781c78a735d7e

SHA512
aa82f1ed984174a1b5a610eb28a422da6172dd027678d9d4b7a9714e85e050616403ad294a005ad1ab39032758a4d2fd8d498b1241dedda8c91698ffc7d3c527

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\NST Downloader.exe

Filesize
18KB

MD5
a5b3ea9ee11e9752417159ba1c618b95

SHA1
7f336b35f3a2a9d0a1c9f47227b27545aa7ead34

SHA256
b92b2fa8916c78ccffef058d3be900c840cb996028d373ba55985fd1d1dddac8

SHA512
cebbec335baae8551c901106d325c2853891a27585ed47f1bbae2f73cb62f1af93f1534ade8f85e6f345141d2475e08ad75a5e1adb06f46ba78dd6f56f5a0953

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\NetTest.exe

Filesize
11KB

MD5
3f3be08145d962f3146f9632ca1ec910

SHA1
50903bdb01df135ac4492a2f004a22da757e1170

SHA256
c35b26223b07d81e9ab638b52e5344d33e10df874457a7b1cfbda6f591a07c7f

SHA512
5bdea94a15a2514f33728f956cd89fdc6d9cd7cf9d0cb25ca85092494323cc1b21b7610792c3a0090c9835541a55eb1103e13caba8d2fd30c6bd1b8566696ef1

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\UtfRedirect.exe

Filesize
189KB

MD5
5b40791899fa37507e7c08bc3d9f5294

SHA1
cb98852ec22251b5124507427d05b3dfe7ec53a7

SHA256
5a87d9485f6e13ee2c3ba4ac289a3e237d17a43ed428b8a5bd5f00fc4800d1ac

SHA512
d2c0de00943d7e9961571a8e798688e46a8e7267086e15abaae8abca0fa7aedd02d5df3c5eb3dc6cfab0c5982694129bf5b9c0cb5d8e978fec0d76d54e441390

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\bcdboot.exe

Filesize
142KB

MD5
9f9e397630a146e875735f2f42339e6b

SHA1
2456a3bf83b095a31dd338decad7672a5472fceb

SHA256
9898f537b8d3097a05b42f42523cd66fca7c020e8083edbe461e6d9a12dd168e

SHA512
1e149f89800670c9564efa9406a09b513439209760da0d425fb17a68446d993048aefa5962b209c9ae438be8452ad88e767810fdacd755dd0ce826e973193767

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\bcdedit.exe

Filesize
317KB

MD5
a60cbaea0f8ac802d21c0cc7bc2589be

SHA1
f4c1f4b7f340968ba9c360f3fc1ef783a8bc7b2a

SHA256
8bf1b71182fed18d6b4112bdc4d496800b5bf6681de4c4f6536ba67378f38a12

SHA512
24ab704e214758b9318a333bb3a466a05e4218fbef70752b266d782e5fe89de19db8e5d5a584245fcc6aaf32ea99a0764583b3cc56299e99a2b7cf6ec42c2ccb

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\bootsect.exe

Filesize
107KB

MD5
da39bba4267ec54de12374bfd88d0df4

SHA1
05b134624cde95176f76378e8c22c4b7ef7b8a7e

SHA256
f15e3c9a8f73c6dc4ea8f0a174915b6edca06c75332eec8a28e7a4b347276d4d

SHA512
c605422c8a09d20a11be7c8e3066995f308e58070f7c6b8a8e705c13360f1ec13b6eaecff3525bff7d2cd97e4b5eacb220e26b496baf8aeb57ba56bc728d90a3

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\udefrag-kernel.dll

Filesize
46KB

MD5
f72f526b334a578b8fbdc6a20b9e2e4e

SHA1
e89977dbd6e3b21016764ea39e0bfd6c93a02f70

SHA256
0233af69b35decefdc7bb9ab7c8732434ebd4880c3b18085e6116f28431e3d4b

SHA512
ec25fa006943b411b20a2c9ca6824412a47615a62446d0aacf37fdbac48cf785f93008cae69697453efc94785ccdeef06c7292da625a88146369113d95bb3a0e

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\udefrag.dll

Filesize
8KB

MD5
cea23b2e0c8eb462edfa442b1ccf4cb7

SHA1
fcf8357e16d18c723e21da92d8a798c4725ebe6d

SHA256
f62d78f847f8fb37992d4024ece99d6c82dd3c83fca04527d2a06f6af3fb4bff

SHA512
8d83a47ba988cf582f3abe0d4f53b9db9ba4e9da752767deecad9b1821a848b15f94395ec378014cab47156ea6457a3d6510ff4c6994f409b608cf2b0888bd76

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\udefrag.exe

Filesize
24KB

MD5
b28589bde044417287d73eac95142958

SHA1
dfd7e1f7d22c4fb7df40a6dcf05fd2fbe0273900

SHA256
0863be7c3a6d3ff526e2c333f605e6fc4ed96bf71dd8fd8f8b81489f721ffc52

SHA512
d283a4852926160d8ae360089f378b977c150f162edaf6bbe60a06007c814e52436174de7d96a01cce66403a5c9a91db063fb825593b2858b4cf1dfb962f79a9

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\App\EasyBCD\bin\zenwinx.dll

Filesize
46KB

MD5
bf9f6c9d161e6dc291632f67bb416e2c

SHA1
9578cf0f91565a70b5893c5ef1400d694b7b6afa

SHA256
66c50953b5c89078e326bbe2eb19307e8d696ffaa8cad1c6123d7a750128d18f

SHA512
09799dfd71ea229c4e82f31acef582529160289f49838ebdcef6a5f6b3a6e536411c87f9c007535c83a27f68715a9abd9628a2a8291cd8693e3edcc67093e451

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\App\EasyBCD\bin\udefrag-kernel.dll.tmp

Filesize
122KB

MD5
21fff5456d9aa6455fce2f5dc2d912d5

SHA1
177338453c72322370c28a6ddbd9763c692983ce

SHA256
4eb5586c6ffe7dbd5ad055d60458e45a3ea8ca95ba2c727be754161345556316

SHA512
dec3d7b7558d68333df715379b17a18e02b2ad46cc052886ae8f858b4eb173bb949d6facca8c918be25c2d086d0d863be86d4f7503bf8b8fc5edccf95f9bacd0

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCDPortable.exe.tmp

Filesize
281KB

MD5
78e4959fb9fbcb3bd530136040d7a0c7

SHA1
3c9cd85ceb71b75cfe191ac9b02ffefdbba79ead

SHA256
c74e7ab80813de7225e961b1dbfd9c8031b3def453f5f44eefd460dea7519b24

SHA512
4ae84f72abb4c031ba0a368a74e545a3d0d73dbcd7fe5aeb7c50a59d89c95be435c06f31e0e36e40920ab66d4ec3c8fa96633c3903628e04e81b90f970bdf700

Download Submit
memory/1572-153-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1572-127-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1572-152-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2064-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2064-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2064-154-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2064-160-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2064-159-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2064-161-0x00000000027E0000-0x0000000002829000-memory.dmp

Filesize
292KB

Download