Overview

overview

10

Static

static

3

9f39336710...3N.exe

windows7-x64

10

9f39336710...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 04:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f39336710004f6b77998c0c59c0579296cfa06da70ddce3b13304c53630f613N.exe

  • Size

    5.8MB

  • MD5

    3f2b7c6196dbef9e23845b79b6136960

  • SHA1

    906231fc255a31a525f416f9875d57a4aefc73af

  • SHA256

    9f39336710004f6b77998c0c59c0579296cfa06da70ddce3b13304c53630f613

  • SHA512

    77c69cec225cdfc36db3d33cf78d35c78ab29e84c09b21a6e19b769237932d75c339708f68575ea83d09632ee17394cef878c7a3f5900e03425b4ad2c2c07fb0

  • SSDEEP

    98304:uiogTu09sIlzmYDgoP49p18frP3wbzWFimaI7dlosi:uiNsIlzmmgKgbzWFimaI7dlRi

Score
10/10
floxifadwarebackdoordiscoverypersistencephishingspywarestealertrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Detects Floxif payload 1 IoCs
    backdoor
  • A potential corporate email address has been identified in the URL: [email protected]
    phishing
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f39336710004f6b77998c0c59c0579296cfa06da70ddce3b13304c53630f613N.exe
    "C:\Users\Admin\AppData\Local\Temp\9f39336710004f6b77998c0c59c0579296cfa06da70ddce3b13304c53630f613N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1532
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.0.55256793\1883973236" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eb9affb-e2a6-4b1d-8bc3-fdcb76987429} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 1372 10ff4458 gpu
          4⤵
            PID:1036
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.1.516214799\1940113598" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0d7f13b-c193-4d00-858c-5721745de22b} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 1548 eefc558 socket
            4⤵
              PID:2340
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.2.514082863\282838196" -childID 1 -isForBrowser -prefsHandle 824 -prefMapHandle 1832 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51c064ae-37a6-424c-9a60-21a33f0f2eb0} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 2136 1a0da258 tab
              4⤵
                PID:2252
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.3.1671935790\1265881910" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f11589b-4d0c-4ef4-a7f7-289a4a7b0a71} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 2648 e62858 tab
                4⤵
                  PID:1596
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.4.2051860547\1712423806" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3652 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d98c7d71-a429-4b03-8389-4b3054623840} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 3456 1e8fc958 tab
                  4⤵
                    PID:2160
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.5.275138905\8938024" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3768 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5573da2-a5c3-4a3d-a012-7ffe54692a35} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 3752 1edcac58 tab
                    4⤵
                      PID:2072
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.6.883020900\2001476968" -childID 5 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c450be9-2189-42a2-bf66-d657095df000} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 3916 1edcb858 tab
                      4⤵
                        PID:1744
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2468.7.1252098650\1694679178" -childID 6 -isForBrowser -prefsHandle 1132 -prefMapHandle 1828 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26207105-e289-4d44-9dbc-1998b7b76a29} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" 3928 20736f58 tab
                        4⤵
                          PID:3016
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2332
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:3044
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1004
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:672

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files\Common Files\System\symsrv.dll.000
                    Filesize

                    175B

                    MD5

                    1130c911bf5db4b8f7cf9b6f4b457623

                    SHA1

                    48e734c4bc1a8b5399bff4954e54b268bde9d54c

                    SHA256

                    eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

                    SHA512

                    94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    28KB

                    MD5

                    e045ce78181763881be9e8a540659517

                    SHA1

                    802c7d3a1ad08e8272f89b0baf5e46a97d8164e6

                    SHA256

                    3d286322735f5003bc997f87f4f3f0266ab5128238ccb2e9ec338db230763f5c

                    SHA512

                    c9e16abb18fcdd6a63b6be9cf59fad7726ebc57dc0c56ad2dcc1dee364f4c56719f52f15f8c9c0a55106fd783523625d5f616c7062833566c579a01c2746df9f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                    Filesize

                    15KB

                    MD5

                    96c542dec016d9ec1ecc4dddfcbaac66

                    SHA1

                    6199f7648bb744efa58acf7b96fee85d938389e4

                    SHA256

                    7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                    SHA512

                    cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    dcf42e3b976285b62db50386d3f400a1

                    SHA1

                    63f8d0a83636564d38cc58e3038730c511401c2d

                    SHA256

                    f2f4d5b7232f541fa060eeefb02b6ef9d9149d6fbe6ea8edf09a743601b64b93

                    SHA512

                    56fc0bef5e6bfd9cc9f88ab07eb604ef513c90f5ff39f89d7ceb5718544796715bcaa053f1020641076d341e29e198721dde786aaf52d30cfaac0a3475f2718a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    2dab93034bda69f9678ef7624692be29

                    SHA1

                    a23de5efd13f76473e6d1b23a4353fe3a8d4bea2

                    SHA256

                    2f013cc9e38af9ea12c90bfa27b3e3433b21941287040b3aaac1169cd1dc71f4

                    SHA512

                    2d07eddc1a9dbdfd912fec691196360c2b40f65fec1fb8c9b68bc96aacb3aca4e9e3446889132f0ca1f9d2587c8a8aa673bb78c2b5e5bc0c6ad5c5093fff33aa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\2cb19460-b315-41ef-b99c-96807ade8dfc
                    Filesize

                    745B

                    MD5

                    25658a21f76e1b910bfa9e6205a51bea

                    SHA1

                    aa7b011628c1abe9678a54894f37de7eb32f352c

                    SHA256

                    3a07f5789e1656b2e8c90a3bd958c4563ffb3002a161742f53ad2155b5446bd9

                    SHA512

                    f1b6e20b67556ba27dba68902ef453af1d8658c41592bbc1b266d3839a7bce97a3b1813b1242980be8ca55965e78ee0f6c0998f4dc12872ed111f5dffa081a29

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\2e8be340-751a-4edd-8704-094729a7fc37
                    Filesize

                    12KB

                    MD5

                    25cba8e81657c7487a66b1292ab90aff

                    SHA1

                    3a5a9d3681236a05cf2008bc4159d693604279f5

                    SHA256

                    a7f07c19669def5bf96167280cd02388f37202b124a223a7cdac0d69f7b0cabd

                    SHA512

                    9f1639a2b0b08a4af04d35e3200ca4642c3a153f9ff7bb68dff540bf1b0b02ffbe7e301417288e1f0602a1821ef3bc0f2538e4fb9c8d1362882ea811b4d2cdf7

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    ff65d016a39364260af14778b7032608

                    SHA1

                    01b4c89990254931444a6e328e83c95889be86ad

                    SHA256

                    e291fbffa4f47f4d57baa3273badc789216fa6621ada9935802bbdda8022214a

                    SHA512

                    dbe55cace5faf7d21b71dddbf9b45e0ba4a2a6449887bd15fa1fde598e07f47abc993c72ae8dcd4a28f0a4179a6ba6bf94dbccf21631ed1fcd38a85475194fac

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    5b1a868f74bc0b937bc5a82f07d4cc32

                    SHA1

                    c97dd727c6f4bc1346934e67458c8ccd220d7f44

                    SHA256

                    f51c5a9ad68edc8b8a34cf28fd84611cf32f03bd40a51ea15c9327c9c1f1bb4c

                    SHA512

                    4a9e9572748f45cb52b86ac832989a5d2752015d8fde0df0fd6d1a1db62d9ad09fe88dc391152444a533c798051e0a7f1c9adf4d8e716dc52f49da2f5a3c1688

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    89cbf65dfb45a9f5b27304db9fea0b60

                    SHA1

                    b6f15773e17410236a7a999599363aebd6e9cd5e

                    SHA256

                    b522e3e4cd04fe5490e96f63207208f219c9acaa69f5cb2dc85e5b9091a29273

                    SHA512

                    a5933e907f440c546a6810022c157688a053436de2716f7b0889bc571ec5700a2023342e466e443299068c965843783aeca5696cc60e06b5c99c606410302baf

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    4KB

                    MD5

                    c41cfc9221f3c7067dee4da3c15b3e55

                    SHA1

                    8cb7f76f115e6e7833fac37d90be740adadd2680

                    SHA256

                    11f2a26a8f5bec60b262410a5eb9c94a6a9f1220b479784c0e9c7252e1aaba81

                    SHA512

                    efd5b8d1d90886e84f612721bedb62d41ceaa3d9b0b127bee87fe690475a3885bd94fd5fa8b64337995b98090ea173e832f6faf72ac87dec7516ac6ad19ee4df

                    Download Submit

                  • \Program Files\Common Files\System\symsrv.dll
                    Filesize

                    67KB

                    MD5

                    7574cf2c64f35161ab1292e2f532aabf

                    SHA1

                    14ba3fa927a06224dfe587014299e834def4644f

                    SHA256

                    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

                    SHA512

                    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

                    Download Submit

                  • \Program Files\Mozilla Firefox\maintenanceservice_installer.exe.tmp
                    Filesize

                    261KB

                    MD5

                    514162ff77bbb1d7e5beb98e82bf6502

                    SHA1

                    1b7399775030cfbc2874e829bb259c86b947d68a

                    SHA256

                    c047785da2b5823c64b4fcaceef9e8f778f5ecf6dd9c55d756de743eb11c93d3

                    SHA512

                    0451bcd8139a01493db0427bdb4ea1681a5cb59d0ce290847cb1cda3f897025a248756a0bc18bd1cd3a2a00a7069db4f668c6624321accd18c9d507ca246c34c

                    Download Submit

                  • \Program Files\Mozilla Firefox\uninstall\helper.exe.tmp
                    Filesize

                    1.3MB

                    MD5

                    19154bfea81767d89da77e86675d4771

                    SHA1

                    0c886a061c18255eaafe984b4637ecdb1a3a19bc

                    SHA256

                    f05401d638d8ff6f59a608d56173e2dd01e4560f4a91a21b55838c4df3688d56

                    SHA512

                    a7e315cb7bea2b3edb119ebfd6055d127a420a0af6e1909564522967c099d0c98eef2c728475a2001578596b4ead7c35ecf254b99e061d193416e61aa7a36301

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\A1D26E2\91A5AD8890.tmp
                    Filesize

                    5.7MB

                    MD5

                    3c4dc7f100923a7dac7c28539f317bfe

                    SHA1

                    80f4d0b8bdad96eae2ede154812932cb76adb035

                    SHA256

                    1739607d73ba6a78b43743de6c05085dc544e279741332509b4bca3f8adf1c65

                    SHA512

                    9913a267a64f13b1ce354686afb4ac833950f024f8981f2de01e70b974893c69e7f2fa88e249d6e685054523fbc51e953454091e2b9ea049b98e1c547728acc8

                    Download Submit

                  • memory/2192-13-0x0000000000F00000-0x00000000014CA000-memory.dmp

                    Filesize

                    5.8MB

                    Download

                  • memory/2192-3-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-210-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-36-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-15-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-235-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-234-0x0000000000F00000-0x00000000014CA000-memory.dmp

                    Filesize

                    5.8MB

                    Download

                  • memory/2192-241-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-35-0x0000000000F00000-0x00000000014CA000-memory.dmp

                    Filesize

                    5.8MB

                    Download

                  • memory/2192-252-0x0000000010000000-0x0000000010030000-memory.dmp

                    Filesize

                    192KB

                    Download

                  • memory/2192-289-0x0000000000F00000-0x00000000014CA000-memory.dmp

                    Filesize

                    5.8MB

                    Download

                  • memory/2332-222-0x0000000000020000-0x0000000000027000-memory.dmp

                    Filesize

                    28KB

                    Download