Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

2025-01-02...ia.exe

windows7-x64

10

2025-01-02...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2025, 10:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-02_0333e924ade0a04cd0468f1596e1d2df_floxif_hijackloader_mafia.exe

  • Size

    2.7MB

  • MD5

    0333e924ade0a04cd0468f1596e1d2df

  • SHA1

    d9b8f4c38a7c09dbfd14fa90919536ef8dfa6784

  • SHA256

    e1b8399bd68872885e8fd77727e1ddd51f0a7b2334b75b82adf5d14c915e55d6

  • SHA512

    c737efe89c5ae2ed75f74d8668821a1802288b99a37984c4ef45b95521933cba1419194e58127ca07e9c9c6f3bbbda722adaa375f40d66f7927f7b5e6fc98aee

  • SSDEEP

    49152:Flks4A6lVLX6Sc60TNUFFIIsTp69FlNN7boUvH6u//zHPwhXPwMQ9i9ZMW/KMZKK:/n6r6+0TUFIIsTY9Fl/7boUi+zwZPwMl

Score
10/10
floxifbackdoordiscoverytrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Detects Floxif payload 1 IoCs
    backdoor
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-02_0333e924ade0a04cd0468f1596e1d2df_floxif_hijackloader_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-02_0333e924ade0a04cd0468f1596e1d2df_floxif_hijackloader_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 812
      2⤵
      • Program crash
      PID:3744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 816
      2⤵
      • Program crash
      PID:3472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4724 -ip 4724
    1⤵
      PID:3832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4724 -ip 4724
      1⤵
        PID:3616

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        212.20.149.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        212.20.149.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.42.69.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.42.69.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        182.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        182.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        181.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        181.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
         90 B
         1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
         128 B
         1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        23.159.190.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        23.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        213 B
         145 B
         3
        1

        DNS Request

        97.17.167.52.in-addr.arpa

        DNS Request

        97.17.167.52.in-addr.arpa

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        196.249.167.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        196.249.167.52.in-addr.arpa

      • 8.8.8.8:53
        212.20.149.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        212.20.149.52.in-addr.arpa

      • 8.8.8.8:53
        241.42.69.40.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        241.42.69.40.in-addr.arpa

      • 8.8.8.8:53
        182.129.81.91.in-addr.arpa
        dns
        72 B
         147 B
         1
        1

        DNS Request

        182.129.81.91.in-addr.arpa

      • 8.8.8.8:53
        181.129.81.91.in-addr.arpa
        dns
        72 B
         147 B
         1
        1

        DNS Request

        181.129.81.91.in-addr.arpa

      • 8.8.8.8:53
        48.229.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        48.229.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\System\symsrv.dll
        Filesize

        67KB

        MD5

        7574cf2c64f35161ab1292e2f532aabf

        SHA1

        14ba3fa927a06224dfe587014299e834def4644f

        SHA256

        de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

        SHA512

        4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

        Download Submit

      • memory/4724-4-0x0000000010000000-0x0000000010030000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4724-6-0x0000000000A11000-0x0000000000A12000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4724-9-0x0000000010000000-0x0000000010030000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4724-7-0x0000000000A10000-0x0000000000CB8000-memory.dmp

        Filesize

        2.7MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.