floxif | 135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
Size

3.1MB
MD5

14e08e7528946d1eef87be3b153318a0
SHA1

0b500a6f5179043ab3cfa0565c77e8dc7a3e5dc2
SHA256

135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707
SHA512

e0236743acdd57d629404ec7c7a912e8ef84f349efdb934058d11ab512a612b4f44bdb4755ead15e38ceb95d90749f2a7c29ac4e27afed358589692535a9504a
SSDEEP

98304:U4x8xFAoOSoFRWx81Of/Ru6DJYyZ9IgpY3rmJXNOmx81s:1gNGRXMRu6DJfDaUXNXxos

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000b00000001225f-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001225f-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2076	Setup.exe

Loads dropped DLL 8 IoCs

pid	Process
388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
2076	Setup.exe
2076	Setup.exe
2076	Setup.exe
388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
2076	Setup.exe
2076	Setup.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225f-1.dat	upx
behavioral1/memory/388-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2076-109-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2076-153-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/388-186-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
2076	Setup.exe
2076	Setup.exe
2076	Setup.exe
2076	Setup.exe
2076	Setup.exe
2076	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
Token: SeDebugPrivilege	2076	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31
PID 388 wrote to memory of 2076	388	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	31

C:\Users\Admin\AppData\Local\Temp\135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
"C:\Users\Admin\AppData\Local\Temp\135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\fcd3b8c2e19f0e01460bc169ab\Setup.exe
  C:\fcd3b8c2e19f0e01460bc169ab\\Setup.exe /x86 /x64 /lcid 1046
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1D26E2\D5496FC184.tmp

Filesize
3.1MB

MD5
e29593feba59bebcdac5406ce18f8803

SHA1
ef58ea187cc3cc908218e0f4f75021150063eebb

SHA256
9ad44cb39d36b8ced0e01abe13b18f8cd414521a57cb7ca48e1c2b01d71da894

SHA512
262ca22f8432f4af8331c3de3b4043acbc83d41ae099948c54818424b5a94533ffff4b9a0a1fae758cb02ad68d9f4f6073597629dad673a200bc0bf90955335a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFID7AA.tmp.html

Filesize
16KB

MD5
b5819a5049b324d67fa3e099f03544f7

SHA1
64faca826e3df64c9ae9a65f226f8bbaeffe96a7

SHA256
f68190ec0c6879a40173625b3e691374da3d20458762a710e6b687d11aff3b53

SHA512
72f8375c9d1dc72fd98669c633d2731b5850f03bae2d0b2f1f10409035c65d19090a5729f58943b208217856b54bd492558ab3cf6a3a9d3ef8998a6fa3aabe15

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\1033\LocalizedData.xml

Filesize
75KB

MD5
326518603d85acd79a6258886fc85456

SHA1
f1cef14bc4671a132225d22a1385936ad9505348

SHA256
665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577

SHA512
f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\1046\EULA.rtf

Filesize
3KB

MD5
e43708161843a33d34d6fdf966d36397

SHA1
2e5c0450cebd9a737a90908eeddaae2d0b3e2940

SHA256
0af1f04f416712387bf87c93fa846b4e8eb0ac25e284a2a3578c58e2724e2778

SHA512
fb334d29bbbc2d19d20c5260c55bf83d9d6d242c6a8f04ac88f8280a63e6af32fb5d96703e43d39f6863d17b27d9e0e36cbab1099127e5fa281255a19ae39e0d

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\1046\LocalizedData.xml

Filesize
78KB

MD5
a03d2063d388fc7a1b4c36d85efa5a1a

SHA1
88bd5e2ff285ee421ccc523f7582e05a8c3323f8

SHA256
61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3

SHA512
3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\1046\SetupResources.dll

Filesize
17KB

MD5
14aa930f54cf183de34950ba6eeb39f5

SHA1
7cb564622842a096a8f8c311ac2f96cef927a3ff

SHA256
995b7675b00b207f91a045eab7023cf9934ed058c25b34c5f721bd1500856069

SHA512
6f2fb8919086ca4ca58c54c1ad2f10859f2eb947a4f39527e5d8ad3db119563f2b040f05fd4e7b019b638da01f9ecffee3b9642c4452016000a667386b2b37da

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\ParameterInfo.xml

Filesize
146KB

MD5
5c343cce2b9d8fc5f7f17ea79e49b1c6

SHA1
d166650cdf38a126f5d1e1a2bab8e9f150edc6e2

SHA256
0a28a29755db22bc559924a7c95dfd294beabceb31666017c5cbdbf5221e0560

SHA512
e538b6233c582f45f8b6cabb9231e21eb9b9a841924b33b5f9b718c4a133bf0df3b2e55afc74f7f9b20f671c04108a70391a13b415abdcbf0c8fd4b3ee2d5990

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\SplashScreen.bmp

Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\UiInfo.xml

Filesize
38KB

MD5
002b52d8a030fb5bc2e35c9d209ecd41

SHA1
c4da0554a913a7a580c724d76ba2b1e13a598970

SHA256
44e7de36e58052f79d6168e867c9edee5bd6632d6f7450b55e94b1c666c4789e

SHA512
48a73976f797d3f83c722599e42135b550fe1f9479eede180403b2fda1c87da08e9176871f8ff017032a42046ac018eeb60c8e0b2c9fbc9e9f7a2d2f62cfb7da

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\header.bmp

Filesize
3KB

MD5
514bfcd8da66722a9639eb41ed3988b7

SHA1
cf11618e3a3c790cd5239ee749a5ae513b4205cd

SHA256
6b8201ed10ce18ffade072b77c6d1fcaccf1d29acb47d86f553d9beebd991290

SHA512
89f01c3361ba874015325007ea24e83ae6e73700996d0912695a4e7cb3f8a611494ba9d63f004dcd4f358821e756be114bcf0137ed9b130776a6e26a95382c7b

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
C:\fcd3b8c2e19f0e01460bc169ab\watermark.bmp

Filesize
101KB

MD5
b0075cee80173d764c0237e840ba5879

SHA1
b4cf45cd5bb036f4f210dfcba6ac16665a7c56a8

SHA256
ab18374b3aab10e5979e080d0410579f9771db888ba1b80a5d81ba8896e2d33a

SHA512
71a748c82cc8b0b42ef5a823bac4819d290da2eddbb042646682bccc7eb7ab320afdcfdfe08b1d9eebe149792b1259982e619f8e33845e33eec808c546e5c829

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\fcd3b8c2e19f0e01460bc169ab\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\fcd3b8c2e19f0e01460bc169ab\SetupEngine.dll.tmp

Filesize
864KB

MD5
d6b598b979cc419bcf756db00737917b

SHA1
0e1c5843c97cbb8849231b9ab603aced5c875007

SHA256
77707eee72e275913b8705108a9deeb6aa74d991aeba5f53f530cb81478d1838

SHA512
8ad4823e47757ce480c6b4a757f60e2275a2ac3e10a8bc4d7293a88c3aaf921fc42ef72ccef6fd169aca56d6b92cce298da39e765e370a80f46bc9182f82cfa6

Download Submit
memory/388-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/388-186-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/388-184-0x0000000000FC0000-0x0000000000FF4000-memory.dmp

Filesize
208KB

Download
memory/2076-109-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2076-153-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2076-151-0x00000000742D0000-0x0000000074398000-memory.dmp

Filesize
800KB

Download