Overview

overview

10

Static

static

3

52300f3a3b...de.exe

windows7-x64

10

52300f3a3b...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2025 23:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de.exe

  • Size

    1.1MB

  • MD5

    52e6f9c2fd4ebc2aec063ce075743bba

  • SHA1

    8cfb524bddce4f8496bd4a79a3df4bac9fcfa78f

  • SHA256

    52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de

  • SHA512

    af0517accfa37a455140f3522b6966093594719bd1c02ea703ad8de2980eb08576a35b106b7e756cb51368fd73684ff4259a77b09bce9a83e3f468d2eaa52f44

  • SSDEEP

    24576:PFOaftEqhygkPuu09cUdr4tSSiwIvx9mw/rEH7F:tu8Mse8mH

Score
10/10
floxifbackdoordiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Detects Floxif payload 1 IoCs
    backdoor
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de.exe
    "C:\Users\Admin\AppData\Local\Temp\52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2784
    • \??\c:\users\admin\appdata\local\temp\52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de.exe 
      c:\users\admin\appdata\local\temp\52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2700
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2956
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2716
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2616
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:556
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2720
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:21 /f
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              • Suspicious use of AdjustPrivilegeToken
              PID:2016
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:22 /f
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              • Suspicious use of AdjustPrivilegeToken
              PID:1768
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:23 /f
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              • Suspicious use of AdjustPrivilegeToken
              PID:988
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:1400

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    AppInit DLLs

    1
    T1546.010

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    AppInit DLLs

    1
    T1546.010

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      33ef1384a44ded0a684d190b641e5eb7

      SHA1

      dce3b64582c3367d546eb2dbbb99cb4d2faaa72e

      SHA256

      cdb1f4d9d22d3f64334101278ac87ba4e4d4fc106b4feacf0f67a26da559f268

      SHA512

      0d406d4745418da6eb5fffe27d0645b755bf0eb90adf5ca68c08181dbc58eac340fd6120aa5ab15f4c58d9fc67cb12f05336f3bc97cfb4f3e93f8061699db5a6

      Download Submit

    • \Program Files\Common Files\System\symsrv.dll
      Filesize

      67KB

      MD5

      7574cf2c64f35161ab1292e2f532aabf

      SHA1

      14ba3fa927a06224dfe587014299e834def4644f

      SHA256

      de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

      SHA512

      4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

      Download Submit

    • \Users\Admin\AppData\Local\Temp\52300f3a3b0410f9450e76c833e19b4807823f7e0c91abdb3c3c8be9bf2226de.exe 
      Filesize

      1.0MB

      MD5

      6bd07f0b77075bf63adbbcbede0fff95

      SHA1

      b86f3c45da4601af03f324d9e96ae5641d59a7e9

      SHA256

      c851e0141c1348622727466f372bb54f073de3987cb72fe82a6fb1349f3f81f6

      SHA512

      d487a2a87094bfbd2a8975777551d57a298727b2c37700eecf818b604677bc6ae32aba659413ee215e16120d684503c1d6bc07381d9c23e2935c4852cabc26e8

      Download Submit

    • \Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      ad4bd97a1418223d259ddcd0b42a368b

      SHA1

      d3f8ad156b7ef814a87e9f0fdc4af1599e1b6cc1

      SHA256

      9cf6979c3e90f56b62c462a0602ddb879f60d2fbfbdce33f3496a73ecf6ac4cf

      SHA512

      91f37fa23f32edc011fb5b7ba0ca072ebc4022f3631c74cf926cc6e64aa3ba3cc2d35a2559a3504fbf9f783c265ace51bf6bc39cfe07f3245c91c51ce9085f15

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      a9a93914926ea2fc086c4a1cff01a2e6

      SHA1

      3cb38252a53aaca06ba48889beafb19d9d34e85e

      SHA256

      735554de5273e1e01fbed0e6dce0e79b3cb40637fb7dca53e60f06b2ca978488

      SHA512

      11c6aa08b3cad26a446b811a5f3bdcbf79f8ae8bb854dc806253e218463347514b941477b7bdf17e500e398ce86ca61fc532a6ddd977ebfbdb24e9ec0b838c06

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      f91bc49d0b7288bf42013a77adab3d23

      SHA1

      c87550838599d26e745c5a9ce5f1ce7cde4eaae7

      SHA256

      f6d9d3bcb64b1c60623433af053d16d6414e5cb26ebb8e3d5c9df1363831522d

      SHA512

      9741aefb7e7d12c8c52e672e582e17fa8992a9d5ea9a2d1e3ca4e8526c71028e8fb1d24432cdef9c346b1fdb3ebbcfe5e15216915c0f80480742dd7bad2ce2cf

      Download Submit

    • memory/556-95-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/556-120-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/556-66-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/988-133-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/988-132-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1768-116-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1768-115-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2016-90-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2016-93-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2616-53-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2616-64-0x00000000004F0000-0x000000000050F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2616-84-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2616-82-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2700-96-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2700-103-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2700-17-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2700-63-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2716-91-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2716-117-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2716-40-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2716-97-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2720-81-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2720-83-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2720-78-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2784-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2784-88-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2956-72-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2956-87-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2956-86-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2956-27-0x0000000010000000-0x0000000010030000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2956-38-0x0000000002100000-0x000000000211F000-memory.dmp

      Filesize

      124KB

      Download