floxif | 135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707

Analysis

max time kernel
116s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
Size

3.1MB
MD5

14e08e7528946d1eef87be3b153318a0
SHA1

0b500a6f5179043ab3cfa0565c77e8dc7a3e5dc2
SHA256

135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707
SHA512

e0236743acdd57d629404ec7c7a912e8ef84f349efdb934058d11ab512a612b4f44bdb4755ead15e38ceb95d90749f2a7c29ac4e27afed358589692535a9504a
SSDEEP

98304:U4x8xFAoOSoFRWx81Of/Ru6DJYyZ9IgpY3rmJXNOmx81s:1gNGRXMRu6DJfDaUXNXxos

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000b000000023b8b-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b000000023b8b-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
792	Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/428-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000b000000023b8b-1.dat	upx
behavioral2/memory/428-141-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/428-147-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/428-157-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/428-175-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
792	Setup.exe
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 792	428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	84
PID 428 wrote to memory of 792	428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	84
PID 428 wrote to memory of 792	428	135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe	84

C:\Users\Admin\AppData\Local\Temp\135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe
"C:\Users\Admin\AppData\Local\Temp\135af72efc07daa67d971406794035eaed2ecf5176f79c1bfb778c01a3b7e707N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\c5c930712e7e9f683fd0a94f6590\Setup.exe
  C:\c5c930712e7e9f683fd0a94f6590\\Setup.exe /x86 /x64 /lcid 1046
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIB305.tmp.html

Filesize
16KB

MD5
484ca6a8e85526d045641bb2f6d90575

SHA1
7856896c0c54633b80054bc86880f8ff0def93ac

SHA256
9ebf65b0ad654d3c2b6ef45292d4a13a55d8f05a7ea6ea48ee34573cf615af89

SHA512
6a9708c24398e70e6e0b26d49505b42fc6b4bdf03da374b0014056be6551607c91fff8a0f5ad5b9a49826369927191eae56d272ceb56fba4dfddb46dcdcd9e31

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\1033\LocalizedData.xml

Filesize
75KB

MD5
326518603d85acd79a6258886fc85456

SHA1
f1cef14bc4671a132225d22a1385936ad9505348

SHA256
665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577

SHA512
f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\1046\LocalizedData.xml

Filesize
78KB

MD5
a03d2063d388fc7a1b4c36d85efa5a1a

SHA1
88bd5e2ff285ee421ccc523f7582e05a8c3323f8

SHA256
61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3

SHA512
3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\1046\SetupResources.dll

Filesize
17KB

MD5
14aa930f54cf183de34950ba6eeb39f5

SHA1
7cb564622842a096a8f8c311ac2f96cef927a3ff

SHA256
995b7675b00b207f91a045eab7023cf9934ed058c25b34c5f721bd1500856069

SHA512
6f2fb8919086ca4ca58c54c1ad2f10859f2eb947a4f39527e5d8ad3db119563f2b040f05fd4e7b019b638da01f9ecffee3b9642c4452016000a667386b2b37da

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\ParameterInfo.xml

Filesize
146KB

MD5
5c343cce2b9d8fc5f7f17ea79e49b1c6

SHA1
d166650cdf38a126f5d1e1a2bab8e9f150edc6e2

SHA256
0a28a29755db22bc559924a7c95dfd294beabceb31666017c5cbdbf5221e0560

SHA512
e538b6233c582f45f8b6cabb9231e21eb9b9a841924b33b5f9b718c4a133bf0df3b2e55afc74f7f9b20f671c04108a70391a13b415abdcbf0c8fd4b3ee2d5990

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\SetupEngine.dll.tmp

Filesize
864KB

MD5
03cb8e9f021ef478aaf6922d4849b344

SHA1
1d442fc8020dffaf289e04b1efbd65f77d11bd63

SHA256
7a859cf8e4600c1430d45a7f5866156c0918ef6f55401be340b5aafb10d52097

SHA512
2aef2f43f1755481deb2ecb768fefd3c0c6d519d6d05739fc9ec21b284778988c991931974cb15206452ad4c667c5819a7001050c4fbabcb74f2497f71ecba18

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\SplashScreen.bmp

Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\UiInfo.xml

Filesize
38KB

MD5
002b52d8a030fb5bc2e35c9d209ecd41

SHA1
c4da0554a913a7a580c724d76ba2b1e13a598970

SHA256
44e7de36e58052f79d6168e867c9edee5bd6632d6f7450b55e94b1c666c4789e

SHA512
48a73976f797d3f83c722599e42135b550fe1f9479eede180403b2fda1c87da08e9176871f8ff017032a42046ac018eeb60c8e0b2c9fbc9e9f7a2d2f62cfb7da

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\graphics\warn.ico

Filesize
9KB

MD5
b2b1d79591fca103959806a4bf27d036

SHA1
481fd13a0b58299c41b3e705cb085c533038caf5

SHA256
fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11

SHA512
5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2

Download Submit
C:\c5c930712e7e9f683fd0a94f6590\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
memory/428-139-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/428-141-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/428-147-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/428-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/428-157-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/428-175-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/792-158-0x0000000073DC0000-0x0000000073E88000-memory.dmp

Filesize
800KB

Download