Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 16:24

General

  • Target

    2024-12-18_9fe8a0ce37f15c8067e7c373abca9c0d_bkransomware_floxif_karagany.exe

  • Size

    149KB

  • MD5

    9fe8a0ce37f15c8067e7c373abca9c0d

  • SHA1

    4eb5df90e777868e9667b45410b7a13e5e4cfb4d

  • SHA256

    3b17109a19b188efed217ebe98fc569d9b9b13d3ad4c7e20f7948767fa0cc7ca

  • SHA512

    03e0da529fe58392e5adf22ad6942be0cb31e01950b6eed1aaebaf8b806ddea0e26ac95a328e55917055ce7f13045af6aa29c8d46c6d3ac20de1ba6a6496e6f7

  • SSDEEP

    3072:bv1/G5K8qL1C6p2lQBV+UdE+rECWp7hK8aqv:D138CRBV+UdvrEFp7hKC

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-18_9fe8a0ce37f15c8067e7c373abca9c0d_bkransomware_floxif_karagany.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-18_9fe8a0ce37f15c8067e7c373abca9c0d_bkransomware_floxif_karagany.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • memory/2876-3-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2876-5-0x00000000010F0000-0x0000000001108000-memory.dmp

    Filesize

    96KB

  • memory/2876-6-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.