Overview

overview

10

Static

static

5

a142a66521...e9.exe

windows7-x64

a142a66521...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 04:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe

  • Size

    3.8MB

  • MD5

    8eca649f7af62e1aec1c09064da100df

  • SHA1

    f20108f98b2a2bfecb8c365da01d08d71c00a3dc

  • SHA256

    a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9

  • SHA512

    1a77e97f1f18e9f9f6a212eb34951feb355aa6f47b071b6a6a10d82e2bb9e1545acadc5fccb2f118bd66b0eeb90c5be8f72e5cb1a834225203a2f85dc5a93f3a

  • SSDEEP

    49152:VwYCFEJz3sKcA1990FW6drnq9QF/Fs454vn6puWV355FXw/+euWV355FXw/+AuW0:VwYzenA1990FW6drnq9QpFXmv8k

Score
10/10
floxifbackdoordiscoveryexploittrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Detects Floxif payload 1 IoCs
    backdoor
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe
    "C:\Users\Admin\AppData\Local\Temp\a142a6652117f4a2e01caaaf8a273384494292bb98efd2524b36b119201477e9.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\ldrscan\bootwin
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1016
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\ldrscan\bootwin
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1188
    • C:\Windows\system32\cmd.exe
      cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
        3⤵
          PID:2116
      • C:\Windows\system32\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Windows\System32\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
          3⤵
            PID:2216
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "compact /u \\?\Volume{c8aa3be3-69ed-11ef-97c9-806e6f6e6963}\YQXUO"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\SysWOW64\compact.exe
            compact /u \\?\Volume{c8aa3be3-69ed-11ef-97c9-806e6f6e6963}\YQXUO
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1200
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1304
          • C:\bootsect.exe
            C:\bootsect.exe /nt60 SYS /force
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "shutdown -r -t 0"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:920
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown -r -t 0
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:2236
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x1
          1⤵
            PID:2372

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Acer.XRM-MS
            Filesize

            2KB

            MD5

            f25832af6a684360950dbb15589de34a

            SHA1

            17ff1d21005c1695ae3dcbdc3435017c895fff5d

            SHA256

            266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

            SHA512

            e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\A1D26E2\87598D8824.tmp
            Filesize

            3.7MB

            MD5

            e7be2c033c6ab0ba199b4717f98bc947

            SHA1

            6c964ec7100ad55922e186a157a445825998cfa4

            SHA256

            27c81c938edf0a2a06d8d80de7e852a61d8ff89ff17ab69b7818858edaa3c446

            SHA512

            ebec9d725a3c368329fb7c02eafefd69a412e2c871f693bfbdbf4ec5193ced4cb95e6de31e6e5b0ed56215b7bab7d6f851a2a3174314bec63204201848031b7a

            Download Submit

          • C:\bootsect.exe
            Filesize

            95KB

            MD5

            52c2c33b79c5116d1fe632ff51b0fe0e

            SHA1

            ab700bd1623b6fe6da84f3239398bb9698f00f53

            SHA256

            e8116cc2b5516281acffbe7e910801c900d1020fa718e3c8b5cc4b72cd74994e

            SHA512

            5deead4d61711cc3a7f76de57fc9db06d900952702198073a757cffb8b746c033b28ff7c63db2dd2bb0a14a2b285028135cc30c6828f9e5673292774b5ed8b0d

            Download Submit

          • \??\Volume{c8aa3be3-69ed-11ef-97c9-806e6f6e6963}\YQXUO
            Filesize

            417KB

            MD5

            1dcd727090a0b2b17d3d13a805e7784d

            SHA1

            3501f8b4b60fb54491eee51c7d4fe678d9672089

            SHA256

            cd2b1d1de9e821ab08f3abed405ae23e5c091f31816c0360f44a4901595ca069

            SHA512

            c5438ff7e68add8a7e2c14728d714f0343291f9408abb97426208210088fe52c1a31dfa7f89a2ce5796dfa0b2dec62504716bf6515fc4b64a121cd1077519ba4

            Download Submit

          • \Program Files\Common Files\System\symsrv.dll
            Filesize

            67KB

            MD5

            7574cf2c64f35161ab1292e2f532aabf

            SHA1

            14ba3fa927a06224dfe587014299e834def4644f

            SHA256

            de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

            SHA512

            4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

            Download Submit

          • memory/1552-97-0x0000000001000000-0x000000000101B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/2084-37-0x0000000000710000-0x0000000000721000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2084-86-0x0000000010000000-0x0000000010030000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2084-54-0x00000000006F0000-0x0000000000700000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2084-53-0x0000000003140000-0x00000000032D8000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2084-0-0x0000000000400000-0x0000000000623000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2084-29-0x00000000006C0000-0x00000000006E1000-memory.dmp

            Filesize

            132KB

            Download

          • memory/2084-45-0x0000000000630000-0x0000000000640000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2084-22-0x00000000006A0000-0x00000000006B2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2084-85-0x0000000000400000-0x0000000000623000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2084-62-0x0000000000730000-0x0000000000750000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2084-87-0x0000000000400000-0x0000000000623000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2084-88-0x0000000010000000-0x0000000010030000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2084-16-0x00000000003F0000-0x0000000000400000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2084-8-0x0000000000680000-0x0000000000693000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2084-4-0x0000000010000000-0x0000000010030000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2084-102-0x0000000000400000-0x0000000000623000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2084-103-0x0000000010000000-0x0000000010030000-memory.dmp

            Filesize

            192KB

            Download