floxif | acb3d014eab258d3e2dbcc82461fda0a3a37bc82b4cf743e9744c8cffc995e48

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
Size

13.9MB
MD5

2311af7a51179653ab13a1de7b1cd9d5
SHA1

e97369fc9862180dcc5753e987910cb93fbe2021
SHA256

acb3d014eab258d3e2dbcc82461fda0a3a37bc82b4cf743e9744c8cffc995e48
SHA512

3fb2e29c0f21b2e2a246d77c521f971ca70cb38ca95b913629e233123821168d711204c418a5170ceeda33c55f3358936dd63da8026315b79d41f294f05a74bf
SSDEEP

393216:x2hgHwxYYqFvrOylDN3FlgAxopoz007WL:x1HitfKbiAxoa407WL

Score

10^/10

floxif backdoor discovery persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000a000000021649-1.dat	floxif

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\SETE4A3.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\SETE4A3.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ftser2k.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\SETDCF2.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\SETDCF2.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ftdibus.sys	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000021649-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4608	InstDrv.exe

Loads dropped DLL 3 IoCs

pid	Process
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YingInstall\409.ini	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Windows\SysWOW64\ftdiun2k.ini	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ftbusui.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ftd2xx.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SETE4A4.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\bdeadmin.cpl	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Windows\SysWOW64\SETDD03.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ftdiunin.exe	rundll32.exe
File created	C:\Windows\SysWOW64\SETDD24.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SETDD35.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SETE4A4.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ftserui2.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SETE4A5.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bdeadmin.cpl	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Windows\SysWOW64\SETDD03.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SETDD24.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SETE4A5.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\FTLang.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SETDD14.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SETDD14.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SETDD35.tmp	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000021649-1.dat	upx
behavioral2/memory/1936-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1936-30-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1936-31-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1936-124-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1936-371-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\idodbc32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Drivers\USBDriver\FTD2XX.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image002.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\SQL_INF9.CNF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\sqlinf32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\sqlsyb32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\iddbas32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\SQL_SSC.CNF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\image\image005.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\idapinst.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image004.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\BDEADMIN.HLP	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\image\image011.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Windows_XP_Installation_Guide temp.files\image004.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Windows_XP_Installation_Guide temp.files\image001.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image003.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Keys_Program.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\idapi32.cfg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\image\image008.png	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\WIN-98.htm	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\image\image002.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\SQLLNK32.TOC	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\1_eng.html	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image005.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\NOENCODE.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\InstDrv.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\EditHexBuffer_en.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\idpdx32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Drivers\USBDriver\ftdiport.cat	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Drivers\USBDriver\ftser2k.sys	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image003.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image004.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\IDAPI.CNF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\Drivers\USBDriver\ftdiport.cat	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\filelist.xml	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\image\image007.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image001.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image005.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\idapi32.cfg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\qcetdata\BMW_KEY.DB	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\ENCODE.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\SQL_DBV5.CNF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIBUS.INF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIBUS.INF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\image\image004.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Windows_XP.htm	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\SQLLNK32.TOC	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIUNIN.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\Drivers\USBDriver\FTBUSUI.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\eng_drv_ins\Installation the device of WIN-98.files\image001.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\BDEADMIN.HLP	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\iddao32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\sqlint32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\SQL_ORA8.CNF	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIUNIN.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\EditHexBuffer.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\image\image003.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\eng_drv_ins\Windows_XP_Installation_Guide temp.files\image006.jpg	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\bdeadmin.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\Common Files\Borland Shared\BDE\SQLLNK32.HLP	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\sqlsyb32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Program Files\BMW_KEY\EditHexBuffer.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\BMW_KEY\myapp_en.ini	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Program Files\Common Files\Borland Shared\BDE\sqlssc32.dll	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Ying-UnInstall.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Windows\BDEREG	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File opened for modification	C:\Windows\BDEREG	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
File created	C:\Windows\Ying-UnInstall.exe	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstDrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4608	1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe	97
PID 1936 wrote to memory of 4608	1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe	97
PID 1936 wrote to memory of 4608	1936	2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe	97
PID 4608 wrote to memory of 4616	4608	InstDrv.exe	98
PID 4608 wrote to memory of 4616	4608	InstDrv.exe	98
PID 4608 wrote to memory of 4616	4608	InstDrv.exe	98
PID 4616 wrote to memory of 2020	4616	rundll32.exe	99
PID 4616 wrote to memory of 2020	4616	rundll32.exe	99
PID 4616 wrote to memory of 2020	4616	rundll32.exe	99
PID 2020 wrote to memory of 3488	2020	runonce.exe	100
PID 2020 wrote to memory of 3488	2020	runonce.exe	100
PID 2020 wrote to memory of 3488	2020	runonce.exe	100
PID 4608 wrote to memory of 940	4608	InstDrv.exe	101
PID 4608 wrote to memory of 940	4608	InstDrv.exe	101
PID 4608 wrote to memory of 940	4608	InstDrv.exe	101
PID 940 wrote to memory of 2480	940	rundll32.exe	102
PID 940 wrote to memory of 2480	940	rundll32.exe	102
PID 940 wrote to memory of 2480	940	rundll32.exe	102
PID 2480 wrote to memory of 404	2480	runonce.exe	103
PID 2480 wrote to memory of 404	2480	runonce.exe	103
PID 2480 wrote to memory of 404	2480	runonce.exe	103
PID 4608 wrote to memory of 820	4608	InstDrv.exe	104
PID 4608 wrote to memory of 820	4608	InstDrv.exe	104
PID 4608 wrote to memory of 820	4608	InstDrv.exe	104
PID 820 wrote to memory of 3928	820	rundll32.exe	105
PID 820 wrote to memory of 3928	820	rundll32.exe	105
PID 820 wrote to memory of 3928	820	rundll32.exe	105
PID 3928 wrote to memory of 4812	3928	runonce.exe	106
PID 3928 wrote to memory of 4812	3928	runonce.exe	106
PID 3928 wrote to memory of 4812	3928	runonce.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_2311af7a51179653ab13a1de7b1cd9d5_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files\BMW_KEY\InstDrv.exe
  "C:\Program Files\BMW_KEY\InstDrv.exe" BMW_INS
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 setupapi.dll,InstallHinfSection FtdiBus 128 C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIBUS.INF
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 setupapi.dll,InstallHinfSection FtdiPort 128 C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIport.INF
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 setupapi.dll,InstallHinfSection FtdiPort232 128 C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIport.INF
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftbusui.dll

Filesize
104KB

MD5
e3974afac60ee2c3ec118d560c7fe98c

SHA1
b6c353060d15d4aa136605cfa1721d1c21efc64d

SHA256
c8e47ba55381bd3df5484a65c4682adf84f694e72b972a0f1c312bac2c0b5dad

SHA512
d9bc13c509a7f753fac04368be146d6bc4f234dfa9a8ccb0f02c96c0f5299041095cc783fda0d9672eca10e7516874af4bd757d09bb72639616f3f3c2c7e3c8a

Download Submit
C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftd2xx.dll

Filesize
172KB

MD5
aa8046aa6726e0a2b0cda65fb5d2cd8d

SHA1
9decf4ee4cfabe32e05af7b0e8ea2ea872e01a18

SHA256
391644ee8db7dd5fe5ceaf612ea963280a54e4f4e03af8faf2008c35039a3c06

SHA512
18e6c3f7a6dfd9f8271266df362fde7e1ee7db7ccca14913f4b785130a712b22f7bfa4fc757736c840aadcb94c05453964654ec7ce82d5013a1dfcdfb837cf50

Download Submit
C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftdiun2k.ini

Filesize
133B

MD5
575fd6d0b71eb70778ea4ff9ae31f275

SHA1
d100eb720461686cee42600d339c94079dfb15a1

SHA256
457c90c856d737267cf28a7215e72e15929ac96b079562d600c5b36e861b3224

SHA512
2abc121b0555a7e0642666f5fa7920aac18f257c098c9ee036fd4ce5830e6604e67fdece1f68532d520ed0d6f4d4c9a396ff363f59ba8329b1f3c2ae8cc0a102

Download Submit
C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftdiunin.exe

Filesize
184KB

MD5
9a411917e84142c706358a74e753ab38

SHA1
5ee4d0293fc2b5e916a5cd3ebe5ffd25dfc28c09

SHA256
3b0129a0fcd4f5ca649444358afdf852c878a2f539be897bf0519d07e8561413

SHA512
e7c48120e09bf389968268d5986922439a95d8ea604ba26fb8d2fbbcbf5cb559b14ce1b267b3685b8aca494eab54d740c66a2a4b9d81035a2ef198ca1c17635f

Download Submit
C:\PROGRA~1\BMW_KEY\Drivers\USBDRI~1\ftser2k.sys

Filesize
59KB

MD5
678a73f56ddf84a08c31123c386e9967

SHA1
cadfb220a6e5168af8361e3ca25d9f082f0df0c4

SHA256
cefce93abf0928fbc361cc953b49d33bcc0376c4477d0ac1840e6b94c6de2e4f

SHA512
f7fd19f249fa53965ef517235a54b279050b8033c2dd917444c76cd5737c9a06b9e4fba14957b2383d1c17f0d221badee0d4632f49d56b602c810a229d127978

Download Submit
C:\Program Files\BMW_KEY\DMBMW.exe

Filesize
1.9MB

MD5
731bc6cdbc7bf9dc87a85dd87ac8caa9

SHA1
824cbf34b70f60d61947aebb558a8a12b49d342c

SHA256
c0b575b8c46beaa3db633e77c6652712deef46bcbf4a2d55879185377f6d72bf

SHA512
23304a16b9bc73ced771d451e30157c951279bec5a9012ed028834742fe82f30bb63494bfd1ad13252800e2f409c3b3cfe3a02a12e9f720fbe249fa774415095

Download Submit
C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIBUS.INF

Filesize
2KB

MD5
850d4cc5fabf66b5832ea4877b064c16

SHA1
fbecea98c87e2c90122e50c26b4f7e0bea699616

SHA256
57ec958458b8c6d99559a72473c7f2bcfb2b0ea4306598a50a72a4955668ae19

SHA512
3c5564dd868f9e5ca1324379066cf3eb705bb8a7af07b9161d119ee0ecb7a3b169d60f12aaa856649ced91fb56bc359d4a676f49549c99b35c5447bcc3ad972b

Download Submit
C:\Program Files\BMW_KEY\Drivers\USBDriver\FTDIport.INF

Filesize
3KB

MD5
469fde18639bac64ef50854687a0866e

SHA1
20d412c1d418ec6b8f1bc7bca74c98475fde6702

SHA256
c8b7acc471066bc7acf13768fcd35f3281851a476bace4e647d3928d00b5bb8f

SHA512
49da391e44778332d3e60b244c53d5593e10b981464a3b346948e816423209a0db698a1bd0a47feeabb2d12a3d2561c8500f7b1bd0abe29162c7fedf858fcd80

Download Submit
C:\Program Files\BMW_KEY\InstDrv.exe

Filesize
621KB

MD5
b61ef16354ba4970ac1190ad65ad642a

SHA1
cb753b1ea0d103572d3bfec51a80940db4a6a6b0

SHA256
080412360fc5bb363888fd7a5369c639447ada15c6117917f28c9c505daf2310

SHA512
3abaddb6d4312a838c18dd94541fdbcf38d6e8e2021e7a9286e3f83a0387899aa7b55c4de0df4e158a07b86a6694dfe1375b1d65525d1b86fe2c2024610ddb60

Download Submit
C:\Program Files\BMW_KEY\InstDrv.exe.tmp

Filesize
697KB

MD5
a650d0bba2dbdf3d45dde318ed51296b

SHA1
fe87799896dd69521d6808b9af43924635a2268e

SHA256
452a67385736daa29f915882db8664a28c34d3321338f8c019d674229dde5c17

SHA512
21497c68d04605288524eef25b3bfed81fc375f80743febf581f627da9b73f3b4e6b88290a17087f1ae49a8b42a42df89c34ee053898bdd9787917b9a8db538b

Download Submit
C:\Program Files\BMW_KEY\eng_drv_ins\Windows_XP_Installation_Guide temp.files\image003.jpg

Filesize
40KB

MD5
39cf0cc9ab7eb34cbeb4df27730cd394

SHA1
c110f6739bfddf9aa8f52f554196111c6528ca87

SHA256
9ebcff6ad7c9c4011afc3ea37e3bb1e9c6a4d8ffa9d8e4f5137a50dc0a06767d

SHA512
3b7341baec5157aaba7664f159cc7322e404f64f43f7c5003328b23fbf995d209837d62335fa8125dac130481938bb4cb9dd5cae79cb98024253d4cb8a3e19ce

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Filesize
8KB

MD5
75c954934cd33d25ce5a39d65ebab51e

SHA1
0c93844c4e063d324bb5432d56f5166cf06e83a1

SHA256
b531cf0a2dac1c051c91e9545b196f88060edd5a32807843eb44ea3e7072e3e4

SHA512
87b546f18612fa855d795724b4c1c0f724d8dfa1fd6bb92d9601606e1ddd90d0881a743fda7d8a677fcb5bce9c1a36a10cb66e1b88d3a517604da21f3aaf7621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Filesize
8KB

MD5
6e06904d708bb7ff9ef37727a4cbae9b

SHA1
eaa1ef4ef32a0bb82578545bfca304a970531555

SHA256
403ca7a3f94c0e42692da3adcca1253e1a30c6b0a84f63af4819fd3d7e2c230e

SHA512
697a73e705e88d9a4882e4282670d2b69f767b2efff5b236fd6efe70486dba6e9f5f6ea8774c3b2b0fce45c71614a0baf832d8af14e0cf9f337fed9135929444

Download Submit
C:\Users\Admin\AppData\Local\Temp\20241228182248731~YingInstall-TopFramePicture.bmp

Filesize
99KB

MD5
bc6929cf43081a4de421ab6af50aa4b1

SHA1
95c05ab09fec65f8bd2ab99fd0267b231a04060f

SHA256
7523a64eb26ad746666a12d988069aeec9d89c03a2c026c0878a7f73d204b03c

SHA512
d013e5c0e3fbb5a478bea05e85fedfa038df6c8dd2e4b0b777870a5ec7a0a79b841096384f1e0be76f5a6dc85f7819647681b37253f9a3596522db54d78b79b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\7956530790.tmp

Filesize
13.8MB

MD5
1209885b28a318d00d613b047e1c5b9b

SHA1
0165018d686f6e11ce7efd0f71c8d2e4ad1feb0e

SHA256
5cb9a0358e079d691c617bf8611c0e0370cd6498ff7d0eac5b0a709f57a46301

SHA512
1932ffa6621d43b58c4870ef2cc1bbcf0c6998bcd2c3e3b925ed84d688b5d3a388894881c2f06cca6687d910bfa653e2a999994096dad071a0edf9ee1f69abf8

Download Submit
C:\Windows\SysWOW64\FTLang.dll

Filesize
100KB

MD5
cdf91fb3cf82d2a5682c42714d8cb9c2

SHA1
749ce7db573f421bc520786e17ca0efa26822d81

SHA256
3392bf2a67f3774b58332fd1e45a3bddf87ca25edc3c40ef0c266f15e962114f

SHA512
f826acad305155b489b5403f04f6348bdec1c88c9798c871681cc1e7a5f3451a8cb4275d1b6055108d71c9947861d55fb08789016f39aed99728ad3f2c268f25

Download Submit
C:\Windows\SysWOW64\drivers\ftdibus.sys

Filesize
46KB

MD5
b283f1bc1ff852bd232449a4b3e3ce63

SHA1
1735a5f442a52ae782217da90596c6f62c16af45

SHA256
e9e97433b39c0c20d9602b13dc0b5db06212cdbd2ccf733b1f0ffa94bd7567aa

SHA512
0898ee85a25900b508895444b43b0c10ad17dcb24e97af56aaf1a69797932c4b554006a8f5226914c9abf93c433d486d1cba1016f7f354703c373349c75ba0a2

Download Submit
C:\Windows\SysWOW64\ftserui2.dll

Filesize
32KB

MD5
1452ce75a9ac31d29d552f3bcd62e64e

SHA1
9c55824bd4f8bd46d05388b017113201de6f5a1d

SHA256
e49ba33c49c921322c807d0ef21815cff0af3fc32c269c9f4cf32d57705b9c62

SHA512
36d64f5250d167722cbf69f6259d87d04067ff3a779f7a4d8686a8566d7373e824a51933378d3dfca65cb341e6a096d9758c64cc17ceaafed4c7a6a870c19161

Download Submit
memory/1936-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-30-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1936-313-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-312-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-124-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1936-31-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1936-371-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1936-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-26-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-23-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-16-0x0000000000427000-0x000000000042A000-memory.dmp

Filesize
12KB

Download
memory/1936-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1936-372-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4608-317-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4608-374-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download