floxif | 18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267

General

Target

18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
Size

1.7MB
MD5

06c92a3cb2c2f734b7894139edc6a1bf
SHA1

16a6596c5e7e5217c2dbcadf7888e9402b9206c9
SHA256

18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267
SHA512

ac43639abea8ec481f1a54f1ab00be1bb023a7347d018b7cb15860fcb1fad3f1ce23f713db5ffba718fe2b7a92d1ddb8478815c9786ed75e607460f0a0663636
SSDEEP

49152:ugwRNKXjZs9zaCMyr+8yCIGxONJUGDHnQjsMGCegWgG:ugwRE98zTrLyn8NRe6G

Score

10^/10

floxif backdoor bootkit defense_evasion discovery persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023bb1-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023bb1-1.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe

Executes dropped EXE 2 IoCs

pid	Process
1656	CoolInstall.exe
2964	CxDir.exe

Loads dropped DLL 2 IoCs

pid	Process
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
1656	CoolInstall.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	CoolInstall.exe
File opened (read-only)	\??\Y:	CoolInstall.exe
File opened (read-only)	\??\H:	CoolInstall.exe
File opened (read-only)	\??\M:	CoolInstall.exe
File opened (read-only)	\??\P:	CoolInstall.exe
File opened (read-only)	\??\R:	CoolInstall.exe
File opened (read-only)	\??\U:	CoolInstall.exe
File opened (read-only)	\??\V:	CoolInstall.exe
File opened (read-only)	\??\e:	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
File opened (read-only)	\??\J:	CoolInstall.exe
File opened (read-only)	\??\L:	CoolInstall.exe
File opened (read-only)	\??\N:	CoolInstall.exe
File opened (read-only)	\??\Q:	CoolInstall.exe
File opened (read-only)	\??\T:	CoolInstall.exe
File opened (read-only)	\??\W:	CoolInstall.exe
File opened (read-only)	\??\Z:	CoolInstall.exe
File opened (read-only)	\??\S:	CoolInstall.exe
File opened (read-only)	\??\F:	CoolInstall.exe
File opened (read-only)	\??\E:	CoolInstall.exe
File opened (read-only)	\??\G:	CoolInstall.exe
File opened (read-only)	\??\I:	CoolInstall.exe
File opened (read-only)	\??\K:	CoolInstall.exe
File opened (read-only)	\??\O:	CoolInstall.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CxDir.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2928	cmd.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023bb1-1.dat	upx
behavioral2/memory/4480-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4480-112-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4480-113-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4480-118-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4480-123-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4480-129-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CoolInstall\CoolInstall.log	CoolInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoolInstall.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1656	CoolInstall.exe
1656	CoolInstall.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2928	4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe	83
PID 4480 wrote to memory of 2928	4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe	83
PID 2928 wrote to memory of 4304	2928	cmd.exe	85
PID 2928 wrote to memory of 4304	2928	cmd.exe	85
PID 4480 wrote to memory of 1656	4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe	86
PID 4480 wrote to memory of 1656	4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe	86
PID 4480 wrote to memory of 1656	4480	18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe	86
PID 1656 wrote to memory of 1536	1656	CoolInstall.exe	87
PID 1656 wrote to memory of 1536	1656	CoolInstall.exe	87
PID 1536 wrote to memory of 2964	1536	cmd.exe	89
PID 1536 wrote to memory of 2964	1536	cmd.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4304	attrib.exe

C:\Users\Admin\AppData\Local\Temp\18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe
"C:\Users\Admin\AppData\Local\Temp\18e639153c376744677e039ea1ed5d41df80972626579030c21f13e154003267.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Windows\Temp\CoolInstall"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Windows\Temp\CoolInstall"
    3⤵
    - Views/modifies file attributes
    PID:4304
- C:\Windows\Temp\CoolInstall\CoolInstall.exe
  "C:\Windows\Temp\CoolInstall\CoolInstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\temp\GetPart.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\Temp\COOLIN~1\Bin\CxDir\x64\CxDir.exe
      "C:\Windows\Temp\COOLIN~1"\Bin\CxDir\x64\CxDir.exe -mohong
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Windows\Temp\CoolInstall\Bin\CxDir\x64\CxDir.exe

Filesize
37KB

MD5
2a0ad45c6778fe82c23570a83ea74cc7

SHA1
9a197682a0bed87654040455ad40c8b5c98d3479

SHA256
52f39973653ea125d8c02a6d667383696adfcd73219b73669e9d8a3b362298db

SHA512
e6df4f9599809f19063ed1b3ac3eaf92266ed00dbfd5dbe60f7f814b20a0f33e18cc9bae44aede50679790d5f4f4059c4086bd1c92bc1c67f7524d928a5957eb

Download Submit
C:\Windows\Temp\CoolInstall\CoolInstall.exe

Filesize
524KB

MD5
a1241911fbd37daddf25f07df292031c

SHA1
6230ce248e5610a0f1360afebcf90994f60975b8

SHA256
bd360c68dd36e07ba2057032ea240808d51e0360b0d070e3ddbfb2a5833b6f62

SHA512
9cdabdd669ee2d2a341e95706c613a1166324888d994f0f5df2df25bd9a536544c91d2624bf3136dfb15feaab4d7af14f60364640dd7d0e3932cd7aa608675ed

Download Submit
C:\Windows\Temp\CoolInstall\CoolInstall.ini

Filesize
3KB

MD5
97381f5cbfd9a28f3a44de1332b42cb4

SHA1
0a46a38565ecce67c86121ae09b3e254997dfbdf

SHA256
3a36e06bd3cf061d87a9c89d037dae8c0b1f887d56a5720fcf4d3b87bfcf272f

SHA512
b78d9ddbdaef06941307804e1517795f7bf8fd2b08d4c78fd6cdb96b06546f663b95503235209f17cc8931d59701ec69b3bfe1aac303ddc030e26690ff988d61

Download Submit
C:\Windows\Temp\CoolInstall\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\temp\GetPart.bat

Filesize
89B

MD5
a2630bf30b62a3cf58a53eea2f5fef01

SHA1
f8cfc2ad99c5201245b30b72b84ba126b2d51f4b

SHA256
cd7e3ff0a009a780e87b4251464da2925b2e4fc58c94c028688ac270414be530

SHA512
a84991cfb9801237a4125e990cfb87349c2976445094f722db4b672f13a44ac79dd4ce95510441dea36a2df5611df14ba1b2c5cf3edd3a7412f935e7b02e6a8a

Download Submit
C:\Windows\temp\GetPart.log

Filesize
143B

MD5
c968ece65646a70827cbf11c3244ba75

SHA1
baef4899acb17d2cd8f5fec04b09fd0178606220

SHA256
321d19fdbd85532a208c43ea8394af7d9d269316dc444f86b29ff186e6d37ce1

SHA512
afa148baa0a30f76a51a2bab59dedd921a6363ce22b7da61babf3d0ee556317efd10143b17f8a07e43e9826f75352e370ee35ffbbb4316c5b4d445ea38e1882b

Download Submit
memory/2964-105-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4480-5-0x0000000000413000-0x0000000000416000-memory.dmp

Filesize
12KB

Download
memory/4480-109-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4480-112-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-113-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-118-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-123-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-129-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads