floxif | 293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
Size

269KB
MD5

ed6c46e29d19fe16ede885f1e4e2f330
SHA1

231c2efeda93e845d4e6f81841df7002086b47fe
SHA256

293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195
SHA512

ddcc7e7dd6fc93fbaeedf7673a29d28780073dc5dcab9399541405352a4ba95e1ea1ff839c6927a34ac90c46bf825c934c6f4951559c1f90bb2081a4f0713523
SSDEEP

6144:UkLqdufoPDamz1pLBV+UdvrEFp7hKECUxr:r4PDa6BjvrEH7f7r

Score

10^/10

floxif backdoor discovery evasion persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000e000000023b6a-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000e000000023b6a-2.dat	acprotect

Executes dropped EXE 6 IoCs

pid	Process
2628	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195n.exe
4880	icsys.icn.exe
3824	explorer.exe
4200	spoolsv.exe
4924	svchost.exe
1396	spoolsv.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023b6a-2.dat	upx
behavioral2/memory/2332-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2332-64-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
4880	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3824	explorer.exe
4924	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
4880	icsys.icn.exe
4880	icsys.icn.exe
3824	explorer.exe
3824	explorer.exe
4200	spoolsv.exe
4200	spoolsv.exe
4924	svchost.exe
4924	svchost.exe
1396	spoolsv.exe
1396	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2628	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe	82
PID 2332 wrote to memory of 2628	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe	82
PID 2332 wrote to memory of 2628	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe	82
PID 2332 wrote to memory of 4880	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe	83
PID 2332 wrote to memory of 4880	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe	83
PID 2332 wrote to memory of 4880	2332	293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe	83
PID 4880 wrote to memory of 3824	4880	icsys.icn.exe	84
PID 4880 wrote to memory of 3824	4880	icsys.icn.exe	84
PID 4880 wrote to memory of 3824	4880	icsys.icn.exe	84
PID 3824 wrote to memory of 4200	3824	explorer.exe	85
PID 3824 wrote to memory of 4200	3824	explorer.exe	85
PID 3824 wrote to memory of 4200	3824	explorer.exe	85
PID 4200 wrote to memory of 4924	4200	spoolsv.exe	86
PID 4200 wrote to memory of 4924	4200	spoolsv.exe	86
PID 4200 wrote to memory of 4924	4200	spoolsv.exe	86
PID 4924 wrote to memory of 1396	4924	svchost.exe	87
PID 4924 wrote to memory of 1396	4924	svchost.exe	87
PID 4924 wrote to memory of 1396	4924	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe
"C:\Users\Admin\AppData\Local\Temp\293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- \??\c:\users\admin\appdata\local\temp\293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195n.exe
  c:\users\admin\appdata\local\temp\293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195n.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4880
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4200
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\293fac3cfccd066eefe05554679ffdc2b15d7e1bd14d6287076d6d8830437195n.exe

Filesize
58KB

MD5
832a6fd998f6f6dace0941f6acfad12b

SHA1
0bef24216645af00191e6cc822d3c72f1004a37b

SHA256
abc85b051d14891171bcc30b3e02c12a2d1714c86d805157339372fce40facf4

SHA512
cff08e2fe975bc231c15068cae0406542f83243dc22507e0c929c419fd4b1841de01ecb892d15a416525c73d94a15138d939066148b885a6cd5476170bcf4fcd

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
204cbae01c10163d1eb5d3751028f37c

SHA1
82204af86461d9dc883d383f21024e86ae94cd32

SHA256
083fdd4de787f97f58fc447687758d3bf820609ef95991d6cf575b10e47135b0

SHA512
2f73066b18eb31bb1bf288fb5737909cc971c9ef36df65a3dbaab19397a5f1dbdb0b58d8535d97c9fb42353db415aa01eeebb2afdc090009091aaf655c94b8a7

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
ea29b9f1dd98ab72fd6f074bcf2d3ddc

SHA1
9b9a005f084600229cb6442f4e7b5b08f950a6c8

SHA256
5675f911331872c2132b17c436308d80797535545c2a836a3d06e59daa65db62

SHA512
2fa968fad8e30ce39511ce730faa371396a52f2dbf4ae820d4d0f8a7a26babf02bbe906508a4cb192e1371119d2c36610cdabcfbeca21bd94d7e60f9fbf763b1

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
db621a8cd87412f40201edb1227e6521

SHA1
4b3139334aff76b581d4253cce6a070e39604a5e

SHA256
a708170c7974639ea27f11cc11f772b4e0911b0999945dea64f3cc80812defdf

SHA512
de450e1ae58e2d3e303ff193e6d712d0bfc9ab7ec3da98535fc0917c9a452f81015c91277e390a9b38b21ad2b1a51b7805eb4c58c086f64144846c143afee371

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
3e9e592e988567ef033889cabf7f076e

SHA1
53030ebc8ff6da76b081fd921c28bac9b98f0226

SHA256
fe2ebc3dd6b7d8d2cb4c16e2b06a708ca2c35df9565bf3369862d6013691ae83

SHA512
c1d2ce0167a0be48dae3d4b262da50099d6163654cc60700ada51f081a62e0a5e75559adbda02560fbc4f239ac0ebeef573034be5b924a16d7ecb0c9755d60dd

Download Submit
memory/1396-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2332-11-0x000000000040E000-0x0000000000411000-memory.dmp

Filesize
12KB

Download
memory/2332-64-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2332-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3824-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4924-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download