Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-01-2025 02:31

General

  • Target

    afbe9d9ccd4b3d867617a6f6ffab8d33cbfa51ba8b2dc86304bed22472696c44.exe

  • Size

    304KB

  • MD5

    99a8f9b0744a9bd51daefd91895fc65b

  • SHA1

    0cd4cbcda345917f91b6b246d4b50e75e148457a

  • SHA256

    afbe9d9ccd4b3d867617a6f6ffab8d33cbfa51ba8b2dc86304bed22472696c44

  • SHA512

    941e3cf23700207a17647d854b6184969e709af0f6ddb3029276be6be0b1602ddc786f401cc1dc9a08a464ee546b2d517eefc98bd1baa84bd3ae831e92c24420

  • SSDEEP

    3072:XLWyS8fUjVkmmdzjsQvVqRlkM4OAD/KLznBuB2JA2BjZ1G:ayTfURkJsQvMRlkM4RD/qzMfUN1G

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • Network Service Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the host's network.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afbe9d9ccd4b3d867617a6f6ffab8d33cbfa51ba8b2dc86304bed22472696c44.exe
    "C:\Users\Admin\AppData\Local\Temp\afbe9d9ccd4b3d867617a6f6ffab8d33cbfa51ba8b2dc86304bed22472696c44.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\arp.exe
      arp -a
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2780
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.0.1 c3-e9-72-f0-56-d4
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2896
    • C:\Windows\SysWOW64\arp.exe
      arp -s 10.127.255.255 5f-28-24-8b-1e-e4
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2684
    • C:\Windows\SysWOW64\arp.exe
      arp -s 37.27.61.185 cf-e0-fe-aa-19-e1
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2884
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.22 8f-65-d3-b4-b0-b1
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:3032
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.251 97-aa-cb-91-28-61
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Windows\SysWOW64\arp.exe
      arp -s 224.0.0.252 7d-06-46-32-9d-a8
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2568
    • C:\Windows\SysWOW64\arp.exe
      arp -s 239.255.255.250 04-89-95-79-8c-e1
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2832
    • C:\Windows\SysWOW64\arp.exe
      arp -s 255.255.255.255 08-d2-e0-c9-75-00
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Program Files\Common Files\System\symsrv.dll

    Filesize

    71KB

    MD5

    4fcd7574537cebec8e75b4e646996643

    SHA1

    efa59bb9050fb656b90d5d40c942fb2a304f2a8b

    SHA256

    8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

    SHA512

    7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

  • memory/3020-3-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/3020-7-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB
