Overview

overview

10

Static

static

3

2024-12-28...id.exe

windows7-x64

10

2024-12-28...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

  • Size

    13.9MB

  • MD5

    2311af7a51179653ab13a1de7b1cd9d5

  • SHA1

    e97369fc9862180dcc5753e987910cb93fbe2021

  • SHA256

    acb3d014eab258d3e2dbcc82461fda0a3a37bc82b4cf743e9744c8cffc995e48

  • SHA512

    3fb2e29c0f21b2e2a246d77c521f971ca70cb38ca95b913629e233123821168d711204c418a5170ceeda33c55f3358936dd63da8026315b79d41f294f05a74bf

  • SSDEEP

    393216:x2hgHwxYYqFvrOylDN3FlgAxopoz007WL:x1HitfKbiAxoa407WL

Score
10/10
floxifbackdoordiscoverypersistenceprivilege_escalationtrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Detects Floxif payload 1 IoCs
    backdoor
  • Drops file in Drivers directory 6 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Program Files\BMW_KEY\InstDrv.exe
      "C:\Program Files\BMW_KEY\InstDrv.exe" BMW_INS
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 setupapi.dll,InstallHinfSection FtdiBus 128 C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIBUS.INF
        3⤵
        • Drops file in Drivers directory
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3564
        • C:\Windows\SysWOW64\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3380
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 setupapi.dll,InstallHinfSection FtdiPort 128 C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIport.INF
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\SysWOW64\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SysWOW64\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 setupapi.dll,InstallHinfSection FtdiPort232 128 C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIport.INF
        3⤵
        • Drops file in Drivers directory
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4388
          • C:\Windows\SysWOW64\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\FTLang.dll
    Filesize

    100KB

    MD5

    cdf91fb3cf82d2a5682c42714d8cb9c2

    SHA1

    749ce7db573f421bc520786e17ca0efa26822d81

    SHA256

    3392bf2a67f3774b58332fd1e45a3bddf87ca25edc3c40ef0c266f15e962114f

    SHA512

    f826acad305155b489b5403f04f6348bdec1c88c9798c871681cc1e7a5f3451a8cb4275d1b6055108d71c9947861d55fb08789016f39aed99728ad3f2c268f25

    Download Submit

  • C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftbusui.dll
    Filesize

    104KB

    MD5

    e3974afac60ee2c3ec118d560c7fe98c

    SHA1

    b6c353060d15d4aa136605cfa1721d1c21efc64d

    SHA256

    c8e47ba55381bd3df5484a65c4682adf84f694e72b972a0f1c312bac2c0b5dad

    SHA512

    d9bc13c509a7f753fac04368be146d6bc4f234dfa9a8ccb0f02c96c0f5299041095cc783fda0d9672eca10e7516874af4bd757d09bb72639616f3f3c2c7e3c8a

    Download Submit

  • C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftd2xx.dll
    Filesize

    172KB

    MD5

    aa8046aa6726e0a2b0cda65fb5d2cd8d

    SHA1

    9decf4ee4cfabe32e05af7b0e8ea2ea872e01a18

    SHA256

    391644ee8db7dd5fe5ceaf612ea963280a54e4f4e03af8faf2008c35039a3c06

    SHA512

    18e6c3f7a6dfd9f8271266df362fde7e1ee7db7ccca14913f4b785130a712b22f7bfa4fc757736c840aadcb94c05453964654ec7ce82d5013a1dfcdfb837cf50

    Download Submit

  • C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftdibus.sys
    Filesize

    46KB

    MD5

    b283f1bc1ff852bd232449a4b3e3ce63

    SHA1

    1735a5f442a52ae782217da90596c6f62c16af45

    SHA256

    e9e97433b39c0c20d9602b13dc0b5db06212cdbd2ccf733b1f0ffa94bd7567aa

    SHA512

    0898ee85a25900b508895444b43b0c10ad17dcb24e97af56aaf1a69797932c4b554006a8f5226914c9abf93c433d486d1cba1016f7f354703c373349c75ba0a2

    Download Submit

  • C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftdiun2k.ini
    Filesize

    133B

    MD5

    575fd6d0b71eb70778ea4ff9ae31f275

    SHA1

    d100eb720461686cee42600d339c94079dfb15a1

    SHA256

    457c90c856d737267cf28a7215e72e15929ac96b079562d600c5b36e861b3224

    SHA512

    2abc121b0555a7e0642666f5fa7920aac18f257c098c9ee036fd4ce5830e6604e67fdece1f68532d520ed0d6f4d4c9a396ff363f59ba8329b1f3c2ae8cc0a102

    Download Submit

  • C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftdiunin.exe
    Filesize

    184KB

    MD5

    9a411917e84142c706358a74e753ab38

    SHA1

    5ee4d0293fc2b5e916a5cd3ebe5ffd25dfc28c09

    SHA256

    3b0129a0fcd4f5ca649444358afdf852c878a2f539be897bf0519d07e8561413

    SHA512

    e7c48120e09bf389968268d5986922439a95d8ea604ba26fb8d2fbbcbf5cb559b14ce1b267b3685b8aca494eab54d740c66a2a4b9d81035a2ef198ca1c17635f

    Download Submit

  • C:\Program Files\BMW_KEY\DMBMW.exe
    Filesize

    1.9MB

    MD5

    731bc6cdbc7bf9dc87a85dd87ac8caa9

    SHA1

    824cbf34b70f60d61947aebb558a8a12b49d342c

    SHA256

    c0b575b8c46beaa3db633e77c6652712deef46bcbf4a2d55879185377f6d72bf

    SHA512

    23304a16b9bc73ced771d451e30157c951279bec5a9012ed028834742fe82f30bb63494bfd1ad13252800e2f409c3b3cfe3a02a12e9f720fbe249fa774415095

    Download Submit

  • C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIBUS.INF
    Filesize

    2KB

    MD5

    850d4cc5fabf66b5832ea4877b064c16

    SHA1

    fbecea98c87e2c90122e50c26b4f7e0bea699616

    SHA256

    57ec958458b8c6d99559a72473c7f2bcfb2b0ea4306598a50a72a4955668ae19

    SHA512

    3c5564dd868f9e5ca1324379066cf3eb705bb8a7af07b9161d119ee0ecb7a3b169d60f12aaa856649ced91fb56bc359d4a676f49549c99b35c5447bcc3ad972b

    Download Submit

  • C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIport.INF
    Filesize

    3KB

    MD5

    469fde18639bac64ef50854687a0866e

    SHA1

    20d412c1d418ec6b8f1bc7bca74c98475fde6702

    SHA256

    c8b7acc471066bc7acf13768fcd35f3281851a476bace4e647d3928d00b5bb8f

    SHA512

    49da391e44778332d3e60b244c53d5593e10b981464a3b346948e816423209a0db698a1bd0a47feeabb2d12a3d2561c8500f7b1bd0abe29162c7fedf858fcd80

    Download Submit

  • C:\Program Files\BMW_KEY\InstDrv.exe
    Filesize

    621KB

    MD5

    b61ef16354ba4970ac1190ad65ad642a

    SHA1

    cb753b1ea0d103572d3bfec51a80940db4a6a6b0

    SHA256

    080412360fc5bb363888fd7a5369c639447ada15c6117917f28c9c505daf2310

    SHA512

    3abaddb6d4312a838c18dd94541fdbcf38d6e8e2021e7a9286e3f83a0387899aa7b55c4de0df4e158a07b86a6694dfe1375b1d65525d1b86fe2c2024610ddb60

    Download Submit

  • C:\Program Files\BMW_KEY\eng_drv_ins\Windows_XP_Installation_Guide temp.files\image003.jpg
    Filesize

    40KB

    MD5

    39cf0cc9ab7eb34cbeb4df27730cd394

    SHA1

    c110f6739bfddf9aa8f52f554196111c6528ca87

    SHA256

    9ebcff6ad7c9c4011afc3ea37e3bb1e9c6a4d8ffa9d8e4f5137a50dc0a06767d

    SHA512

    3b7341baec5157aaba7664f159cc7322e404f64f43f7c5003328b23fbf995d209837d62335fa8125dac130481938bb4cb9dd5cae79cb98024253d4cb8a3e19ce

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll.000
    Filesize

    175B

    MD5

    1130c911bf5db4b8f7cf9b6f4b457623

    SHA1

    48e734c4bc1a8b5399bff4954e54b268bde9d54c

    SHA256

    eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

    SHA512

    94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl
    Filesize

    8KB

    MD5

    6a78e7cc5f564cdc7b6e15b393061367

    SHA1

    a6d419470599f24dd04e3427f3e4870d466e2ce6

    SHA256

    bf7ab27f4c352a1a5913e1ab85e437c564f5123881c2736a3d224d4902cf85eb

    SHA512

    52ab589039b9302c661eb835ad2bb85a5f8b8d665bfd83513cb8e441b8bcfbb684e5cd085b9ec35801c410be3948a52ae14c90563058d2b1b430e28c9f94c08c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl
    Filesize

    8KB

    MD5

    1f6f5a5ca3f5c02e921c416336ae1f95

    SHA1

    d4ce2551063167363a360f357de0db5391ec978f

    SHA256

    1560975fd16e80bd896240affa0c097a96b2c8ca0316dbf58926ec5165fb2990

    SHA512

    7aec7f0356f63f37cfdeb53ff8f3b450dcbd6d2e67984186d7a1c651df4395d18665f6c641fbfb13f650ada933faa7d6d98ff29ee8315d4a4ca38ce0bc646f1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\20241228182644681~YingInstall-TopFramePicture.bmp
    Filesize

    99KB

    MD5

    bc6929cf43081a4de421ab6af50aa4b1

    SHA1

    95c05ab09fec65f8bd2ab99fd0267b231a04060f

    SHA256

    7523a64eb26ad746666a12d988069aeec9d89c03a2c026c0878a7f73d204b03c

    SHA512

    d013e5c0e3fbb5a478bea05e85fedfa038df6c8dd2e4b0b777870a5ec7a0a79b841096384f1e0be76f5a6dc85f7819647681b37253f9a3596522db54d78b79b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A1D26E2\9308CD4D50.tmp
    Filesize

    13.8MB

    MD5

    1209885b28a318d00d613b047e1c5b9b

    SHA1

    0165018d686f6e11ce7efd0f71c8d2e4ad1feb0e

    SHA256

    5cb9a0358e079d691c617bf8611c0e0370cd6498ff7d0eac5b0a709f57a46301

    SHA512

    1932ffa6621d43b58c4870ef2cc1bbcf0c6998bcd2c3e3b925ed84d688b5d3a388894881c2f06cca6687d910bfa653e2a999994096dad071a0edf9ee1f69abf8

    Download Submit

  • C:\Windows\SysWOW64\drivers\ftser2k.sys
    Filesize

    59KB

    MD5

    678a73f56ddf84a08c31123c386e9967

    SHA1

    cadfb220a6e5168af8361e3ca25d9f082f0df0c4

    SHA256

    cefce93abf0928fbc361cc953b49d33bcc0376c4477d0ac1840e6b94c6de2e4f

    SHA512

    f7fd19f249fa53965ef517235a54b279050b8033c2dd917444c76cd5737c9a06b9e4fba14957b2383d1c17f0d221badee0d4632f49d56b602c810a229d127978

    Download Submit

  • C:\Windows\SysWOW64\ftserui2.dll
    Filesize

    32KB

    MD5

    1452ce75a9ac31d29d552f3bcd62e64e

    SHA1

    9c55824bd4f8bd46d05388b017113201de6f5a1d

    SHA256

    e49ba33c49c921322c807d0ef21815cff0af3fc32c269c9f4cf32d57705b9c62

    SHA512

    36d64f5250d167722cbf69f6259d87d04067ff3a779f7a4d8686a8566d7373e824a51933378d3dfca65cb341e6a096d9758c64cc17ceaafed4c7a6a870c19161

    Download Submit

  • memory/2012-364-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2012-362-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2404-397-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2404-388-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2404-320-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2404-319-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2404-408-0x0000000000400000-0x00000000004A5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2404-410-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3004-352-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3004-346-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3380-348-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3380-349-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3408-35-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-64-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-63-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3408-23-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-28-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-311-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-310-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-406-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3408-29-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3408-16-0x0000000000427000-0x000000000042A000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3408-127-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-407-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-322-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3408-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3408-398-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3564-323-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3564-354-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3640-391-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3640-389-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4008-369-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4008-356-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4388-394-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4388-386-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4604-367-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4604-360-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4888-396-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4888-371-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download