floxif | 7d1e47a5ad6dbb251c349247de9d6c5b4d3da438c49978586d5082370efa0bc1

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
Size

5.1MB
MD5

280a7fda0c2634bf6263538b0c977e19
SHA1

0643bb8b25ad4f1d10b730df001c38050bff0a2e
SHA256

7d1e47a5ad6dbb251c349247de9d6c5b4d3da438c49978586d5082370efa0bc1
SHA512

9b6216930f8cf1df9032a8a6db663130d1793eec641a8fb36eb949ae67f7119bcef25a81bc1f1f20b23adbf65601f8519e79a2f256a564598716f4b19743c61b
SSDEEP

98304:+mY2F/p8vn19RXuJkHrBY2h/8d6eVU1k1UW2/8RG4O3VUa5CrNBDNUMqmCgy8VnH:+mY2Npc/Re6HHh/8cEUS1h2/uG4O3urt

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000012117-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000012117-1.dat	acprotect
behavioral1/files/0x0006000000015e4f-80.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2436	launch_.exe

Loads dropped DLL 5 IoCs

pid	Process
2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
2436	launch_.exe
2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
2436	launch_.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0007000000012117-1.dat	upx
behavioral1/files/0x0006000000015e4f-80.dat	upx
behavioral1/memory/2436-82-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2736-108-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launch_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
2436	launch_.exe
2436	launch_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
2436	launch_.exe
2436	launch_.exe
2436	launch_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28
PID 2736 wrote to memory of 2436	2736	2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\launch_temp_0\launch_.exe
  "C:\Users\Admin\AppData\Local\Temp\launch_temp_0\launch_.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\2024-12-18_280a7fda0c2634bf6263538b0c977e19_floxif_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Buttons\ar2_eng_btn.btn

Filesize
4KB

MD5
77cae4ccaaea133397a7d5ea95cc9b16

SHA1
b65fb59bd2b5c4536eff93f290ac2a2e56aab555

SHA256
40db37058ca9a0eec3eba7e0244a433971eeb49c64c8268d6072b80f5d56fd68

SHA512
a66d1b71fd7572c7098b08bd49d6c2b2c59fc46213dcb3b700ca023af8395ecee1d0beac15a98ab0d02d527a9d357b733a8701c8a0d56a2659d559f736a0505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Buttons\cleanup.btn

Filesize
3KB

MD5
e72319bb5e36b7f349daac5f1726478c

SHA1
6ead0eecb978eb2a7b88153d203b892405c815cf

SHA256
991da6aa3096a7cc4e8db4c716f66aa6864cf5fcfe433e2d3f6e5809ecb1ad22

SHA512
351f4324d44004ac84b3f8cadd3e052d3a39a63c4a0a4521d816e0efb9d6258c1da3532d5ea56db51b206ce3c2471d911e4c7b6d5ef5c875b972fbef013bcdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Buttons\configreset.btn

Filesize
4KB

MD5
05cd5f5a774ed03bec82b95806284228

SHA1
98c031bf3c14e0df09cc31595ce3fad2a2e2c610

SHA256
63c791962537863c60f5c5a4d7238cdfb6d3c6ecf6e2f35e359446da44dbd4b8

SHA512
6585a51d1b9e2d7cbc8417091298ee9a5a695fc43727c66605d795986ca7f53d8d2fcf15b1a1be7f2bf9d562eb273b97f94ddfd9a95f6bae6c0c7d90c58bd932

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Buttons\multiplayer.btn

Filesize
4KB

MD5
72beedd21c53fed965e33030dbefd542

SHA1
d51389603465f3c7d7eee6724f003e815022b6ed

SHA256
f8b2d60059b0f04f06e7366677df8d44866c947f9a12946cce13b31b40490bfe

SHA512
37cf7012630ad91c3af84964f1d1fbc081770a82ec7eb5d57cae82cef6d0b25a303464fb3a7fee513a2a69bb5d2b1f164cfd01d3430b99ccdec58315f0df8121

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Buttons\yr_eng_btn.btn

Filesize
5KB

MD5
6dfe5dbb0d9878991ef64f4f9773260d

SHA1
f24395888782c51a0ba7db358008396dacffa5dc

SHA256
d5e323b12f65d173cd86d1e94d44a492a7a649d3f6fd3646724608b10f813e5d

SHA512
2f7ba76e07504a12e9d9316b6099e9ee8bed30707dfab15f5fb2a00bcae0cd29ada916c82a392ccfc0c428a9a8e54472e8d742efa46deb8f722ba04646d03daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Icons\Icon.ico

Filesize
14KB

MD5
70b70c2dc30119140c6e62ff0e6d2545

SHA1
f766049ac3452231aeac17ea868032424bea2100

SHA256
11e6c8e0aded95a7a794bc2374ead6fc7431cc567c406795655bbfea54c9cfe1

SHA512
3696057f8c4258b7c461ab607ec5b7f171ec78f55b61a3941515d29a8b722c8f23990e87a38fe191d88b6bd12c490f3a5f6a4b886e9e25351439fcfc29c82f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Images\CnCRA2_R2PLauncher_ENG.jpg

Filesize
117KB

MD5
d3900a5460133249b28cb50f865d6dc5

SHA1
989986e9f5cb796a17004f4abfe5d2ecbcac8c1d

SHA256
332854594368c63650be9883f56e7b3c27e806c53ed2bc7454b1c1cb0e7e3d70

SHA512
b44a67c52e9f2b8e7331b6c3253f4d7a7d7cf5c1f0a7ee6d1b373b04d24c296ec0fb39fed667e3cebc2aa3fabf8a6bd0a32c010921a83b2c51c1ccfc8f6e4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Images\ger.jpg

Filesize
1KB

MD5
0865edc79be2e94ee8e45d3de2123812

SHA1
a567e82b67250413ad01bce57a5364d07f6454f0

SHA256
782a4e49b1cb0242f4de756124ef6d80789d3289b858cc6430cdf1036794b64b

SHA512
9a501d2ecb5e3398088a8550f0841ece60d3ddc2570c13dadd208eea8acd3670a00604c6f2d1a7993adad66b7813715aab18f7d88afc8e68afdb44ee58cfbbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\Plugins\GlobalPaths\GlobalPaths.lmd

Filesize
52KB

MD5
6f5af3b746242834c0ee4f4c9edfeb20

SHA1
b07beaf0b420396e14b87a92135389e89d11c446

SHA256
0d660657f4af91a04cb9f28bf6221c59e8c1a057855e5e6074a8d38a33c18199

SHA512
e051fe69a1625127249ba2df08822f1ed5f70384187031f987441beaee94fa956f01151c1034b9b9d1450b267127e78a4a10d24bdf7cb98c83e7e2534283eec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\Launcher\launch_.dll

Filesize
1.5MB

MD5
b91c556aa307256588845a849a1fe212

SHA1
0cd04f20d4b60016a9c3505bcb8aea9e1d0bf95f

SHA256
8da6ae42832d0abcbc529ab4b7456ab1d668ee6fe38b40b14a542ceecb7718e2

SHA512
e627c772226df96ed8197ebf2e1770dc37da36bf8ee27a48335df4460901a6f0fe663113bf3873e5db4d03e1e65ade8ab3680e36849788c19a4d5bb08cac3c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch_temp_0\lua5.1.dll

Filesize
327KB

MD5
50f1d9f2093914c7712068608f3d66f2

SHA1
c38c655526b9ba929f01259cd35abb65744448f0

SHA256
ebeb211dfe4fce993d63206b2e3f284b569274db4730a8ee341ee81eccac9a5f

SHA512
07841d260770288f34b3e6413f6044742d82794d0812d9d58ebb2b881f935ee7661c94acddcf3a25817a98168789de0e0e0a98baaddbac2ec097a3efdd22c9ac

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\launch_temp_0\launch_.exe

Filesize
5.0MB

MD5
20cf5a91cfd5d4a183550ca9046572ea

SHA1
17c6d7304014c692125eebd346f99f82cc169725

SHA256
4b212d180b4821eaad6a429f94dd205006b18346373b7c75ab9522a488e20c64

SHA512
5ee582f4847620c2e943cfeb26a44e89fb6ae8d124cbacc10193e6a51f1f49648a91ff06d11959cf482276336280f34fe2cbb4aac1b1a021a583c544b9385827

Download Submit
\Users\Admin\AppData\Local\Temp\launch_temp_0\lua5.1.dll.tmp

Filesize
403KB

MD5
7fee6efc5c3c5e467e2ac3ab350935bf

SHA1
f9944de2da22e4e873513aa7801a8726474f923d

SHA256
5bf552146262d86ac21a16bce24fab4cc91413ec6ad36596b2ac5922c3c1828e

SHA512
adc9a327e221f014e73f495b2f2518d5e608c28298b04029d75f0b32f9933384bbc9a345d116d8ae49583a85c0a9d9ff12f931f320ab01802d339649bfb5d173

Download Submit
memory/2436-82-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2436-93-0x0000000074650000-0x00000000746A4000-memory.dmp

Filesize
336KB

Download
memory/2736-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2736-5-0x000000000041C000-0x000000000041F000-memory.dmp

Filesize
12KB

Download
memory/2736-108-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download