floxif | 5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727

General

Target

5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
Size

3.0MB
MD5

b7d0c72005a7b447059dfd00108c0132
SHA1

56584a42822bb19bda4c79d8729996bff111f539
SHA256

5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727
SHA512

3a4c2d7be5c4352c44b24d7c52a22a2ca9be503c913e7e462e76473f5d2a04f805b8d24600e6e7c9e5c20a3770839def14f1375ad5b87ac05695a9d501dcfa4b
SSDEEP

49152:tA4aPLjKowKuTTjEItjnIm/1jQVwvOjTY1tjlz3ZUSY8458BjISDdAQXiGHW:qXPLj9iEMjnIGj2w+cjlz3m/0jIaXdW

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00080000000120f9-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120f9-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2796	update.exe

Loads dropped DLL 7 IoCs

pid	Process
1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
2796	update.exe
2796	update.exe
2796	update.exe
2796	update.exe
1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-2.dat	upx
behavioral1/memory/1952-8-0x00000000009D0000-0x00000000009F2000-memory.dmp	upx
behavioral1/memory/1952-89-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1952-91-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1952-147-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB942288-v4.log	update.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
Token: SeRestorePrivilege	2796	update.exe
Token: SeRestorePrivilege	2796	update.exe
Token: SeRestorePrivilege	2796	update.exe
Token: SeRestorePrivilege	2796	update.exe
Token: SeRestorePrivilege	2796	update.exe
Token: SeRestorePrivilege	2796	update.exe
Token: SeRestorePrivilege	2796	update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30
PID 1952 wrote to memory of 2796	1952	5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe	30

C:\Users\Admin\AppData\Local\Temp\5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe
"C:\Users\Admin\AppData\Local\Temp\5a79981c4c34b77b391f444a8ac4fa87c270ce8677c385872adb51ba87876727.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- \??\c:\ddc5f0d8e880762731a771b35f49\UPDATE\update.exe
  c:\ddc5f0d8e880762731a771b35f49\\UPDATE\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\ddc5f0d8e880762731a771b35f49\UPDATE\UPDSPAPI.dll

Filesize
370KB

MD5
9a055da2f2819f155c33d47cd67a7c00

SHA1
1ca0a282dbd483972b40bf4ccff4f747227f422c

SHA256
0acbbaa648ffbcc6375736dd35ee7a20bfcf5976dfc558ca72d820e7f7cdad85

SHA512
cf137d691c6a6c3e6611f2af4ccd462f291ab49f430a9fe4ff2746a4f3856255ec5d1551ff408b437b573000322131c9bd78fae74cace812ae81441df52a7a49

Download Submit
\??\c:\ddc5f0d8e880762731a771b35f49\update\branches.inf

Filesize
957B

MD5
5a4be9491d2a436af79e1efaa1a72692

SHA1
1dd8f7c8dafb2f14a1a56d843571cef57e2689c7

SHA256
5218b322e0d95478dcbf4993a418c232fde3304d25cca64a9874bafdb0ffd4fc

SHA512
2413c0df80cf47c4a783586cdcd3cce520d675a19ba35add85fd402ff1c6bc0dd69bd62e592d971beaaae61680910bc589c752d12d93194c3427cc5cb8c95f3c

Download Submit
\??\c:\ddc5f0d8e880762731a771b35f49\update\update_SP2QFE.inf

Filesize
49KB

MD5
55d0da032e6135d673c2153e36a4bee2

SHA1
834f6a2366941181e3ebc770d42f44ca3f0b9851

SHA256
f6be29e817861b5043b5c0a2bdd6e14216d3478f08dccaae841a88a42fad701f

SHA512
4785c18a7e1e5544cf20dbf33a3b908448d538a5fbee112048bf585c5e58d010d4461d6dac011a440d886c46927c65e0b86385ffc25a9a5930bad5a371591a06

Download Submit
\??\c:\ddc5f0d8e880762731a771b35f49\update\updatebr.inf

Filesize
411B

MD5
6acc9ff4091fd18ac3c69295a2d5d294

SHA1
2d49a882a0260ffcf326df732fb3ff30c06a0a2f

SHA256
032864ad093d4b88fca35dd4e25bf40a2cd3ede8166275f55e65c93058f17061

SHA512
6ea5274df62cb188cbbdac53255fc690483e445e2b86a36d02a94284bd449695cfb8c4c2a11843f2a0c1a93cc6eeffe32bdeda4d3f49fff3082ca65b732af829

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\ddc5f0d8e880762731a771b35f49\UPDATE\UPDSPAPI.dll.tmp

Filesize
446KB

MD5
3d1494034a20afac260e66508ed0a308

SHA1
ed83cd71adfc07012ae043b6ca97bcaa8dac1fa9

SHA256
40dcebce3670b4d51247c1de7767d11b691e934841e75ad3f281d35c91a3a67f

SHA512
e2db0db8fb1fe517788179917c62d78f505c0d48bac0829a48becf116f3361e8b1d85adebcd6155c4477e43b0f806ee4fe08a4bde0eb5bfda575f9f959beab89

Download Submit
\ddc5f0d8e880762731a771b35f49\UPDATE\update.exe

Filesize
725KB

MD5
50914702cb6c72275018643c557ef8c5

SHA1
a60b307966ae1329ff1c16f187117768179bb719

SHA256
a0b2b5e50eff3968c6c05cf18fc93ba3fd2a5de6c35bda609b14e9247e99d2e3

SHA512
4005b7da7eab74d9be1c7847f0485354bfff974c0cf88a2bcc0a30168665218671721e784b55b6038bbb2399927850d607e5aaa178b290be91e636d988e76bfc

Download Submit
memory/1952-0-0x00000000009D6000-0x00000000009D7000-memory.dmp

Filesize
4KB

Download
memory/1952-8-0x00000000009D0000-0x00000000009F2000-memory.dmp

Filesize
136KB

Download
memory/1952-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1952-88-0x00000000009D6000-0x00000000009D7000-memory.dmp

Filesize
4KB

Download
memory/1952-89-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1952-91-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1952-92-0x00000000009D0000-0x00000000009F2000-memory.dmp

Filesize
136KB

Download
memory/1952-147-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1952-148-0x00000000009D0000-0x00000000009F2000-memory.dmp

Filesize
136KB

Download
memory/2796-72-0x0000000000170000-0x00000000001CE000-memory.dmp

Filesize
376KB

Download
memory/2796-93-0x0000000000170000-0x00000000001CE000-memory.dmp

Filesize
376KB

Download
memory/2796-94-0x0000000000170000-0x00000000001CE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing