floxif | 842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914d

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe
Size

665KB
MD5

3be9298c03c1f4b357278d4c2c77fa50
SHA1

3d8807247523daa39f8a94974229021a380eab92
SHA256

842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914d
SHA512

635c73c9adb7645d92e0f22228ca454778f2d4f6eb6f57f612683dc2b3b173c06a540b76c04ccea1c586594b8092f74bf14bb6f98285495baa23d54c96e3468f
SSDEEP

12288:2NdwL7zTAGmmvNOFvXhifnUhhrBoZ5p+cKdxFu2BYGqA8kKEo3+V:UdwvPAGmgevXRhrBu/GO2BYG38kKN+V

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000e00000001434d-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000e00000001434d-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1840	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e00000001434d-1.dat	upx
behavioral1/memory/1840-3-0x0000000010000000-0x000000001002E000-memory.dmp	upx
behavioral1/memory/1840-5-0x0000000010000000-0x000000001002E000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	1840	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1636	1840	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe	31
PID 1840 wrote to memory of 1636	1840	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe	31
PID 1840 wrote to memory of 1636	1840	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe	31
PID 1840 wrote to memory of 1636	1840	842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe	31

C:\Users\Admin\AppData\Local\Temp\842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe
"C:\Users\Admin\AppData\Local\Temp\842a7080a6ac78c3b7734e8fd51c7dd7299842641f08f8cc9b018bf97673914dN.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 176
  2⤵
  - Program crash
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\System\symsrv.dll

Filesize
65KB

MD5
866a64ede2ff589f2c06127afb1a46a9

SHA1
b1571f1029c8d07cfa0032fc3db742e60ebd9e54

SHA256
dc6e293c583ba5e2864a2d312f3f8de9dfc4b503216821db1db4e2929a8f25d5

SHA512
c9316dbe29f9d2180b3bf9ecb0d0711dc7fb443c4947fe6362ddef02d62f8143bdea2855a34d05e6a473d4d2e05cd40d5d4c10491a444d3c34ff21bf6b7dc4af

Download Submit
memory/1840-3-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1840-5-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download