floxif | 5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42

Analysis

max time kernel
118s
max time network
58s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
Size

864KB
MD5

fb9b45f241ce99412b0ef80a71bd06a0
SHA1

4eb6e1c1a42791bb3210a07b6ccfb98277e07622
SHA256

5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42
SHA512

afde9fbdf790598db0905990dd02b5c7ca0d3869b2f32ca9f9411098d8fcd8ecd71f5154b842171ee20ba1233404797fda66234b0de82c0cefb2775fa8ddd7f4
SSDEEP

24576:aXwOrR9VrvETBjZB17JjWf4smDriPgkRhTj9SrTiIYxrEH7J:agwR7ETBjZpm4sgrUfSr+IF

Score

10^/10

floxif backdoor bootkit defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000d000000012263-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012263-1.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2792	CoolInstall.exe
1924	CxDir.exe

Loads dropped DLL 7 IoCs

pid	Process
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
2792	CoolInstall.exe
2844	cmd.exe
2844	cmd.exe
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	CoolInstall.exe
File opened (read-only)	\??\N:	CoolInstall.exe
File opened (read-only)	\??\Z:	CoolInstall.exe
File opened (read-only)	\??\e:	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File opened (read-only)	\??\G:	CoolInstall.exe
File opened (read-only)	\??\J:	CoolInstall.exe
File opened (read-only)	\??\O:	CoolInstall.exe
File opened (read-only)	\??\R:	CoolInstall.exe
File opened (read-only)	\??\S:	CoolInstall.exe
File opened (read-only)	\??\T:	CoolInstall.exe
File opened (read-only)	\??\X:	CoolInstall.exe
File opened (read-only)	\??\F:	CoolInstall.exe
File opened (read-only)	\??\L:	CoolInstall.exe
File opened (read-only)	\??\Q:	CoolInstall.exe
File opened (read-only)	\??\U:	CoolInstall.exe
File opened (read-only)	\??\V:	CoolInstall.exe
File opened (read-only)	\??\H:	CoolInstall.exe
File opened (read-only)	\??\K:	CoolInstall.exe
File opened (read-only)	\??\M:	CoolInstall.exe
File opened (read-only)	\??\P:	CoolInstall.exe
File opened (read-only)	\??\W:	CoolInstall.exe
File opened (read-only)	\??\Y:	CoolInstall.exe
File opened (read-only)	\??\E:	CoolInstall.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CxDir.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2784	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012263-1.dat	upx
behavioral1/memory/2496-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2792-89-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2496-115-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2792-117-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2496-121-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2496-125-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2496-129-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2496-133-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2496-145-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL.tmp	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL.dat	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CoolInstall\CoolInstall.log	CoolInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoolInstall.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	CoolInstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	CoolInstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 56003100000000002b5a120b1000756e617474656e6400003e0008000400efbe2b5a120b2b5a120b2a00000093a4010000000500000000000000000000000000000075006e0061007400740065006e006400000018000000	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 46003100000000002b5a120b100042696e00340008000400efbe2b5a120b2b5a120b2a000000b1950100000006000000000000000000000000000000420069006e00000012000000	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5c003100000000002b5a120b1200434f4f4c494e7e310000440008000400efbe2b5a120b2b5a120b2a000000ad95010000000700000000000000000000000000000043006f006f006c0049006e007300740061006c006c00000018000000	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	CoolInstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	CoolInstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 52003100000000004a591a4a100057696e646f7773003c0008000400efbeee3a851a4a591a4a2a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	CoolInstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000002b5a130b100054656d700000360008000400efbeee3a881a2b5a130b2a000000850e0000000001000000000000000000000000000000540065006d007000000014000000	CoolInstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	CoolInstall.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	CoolInstall.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
Token: SeDebugPrivilege	2792	CoolInstall.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe
2792	CoolInstall.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2784	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	29
PID 2496 wrote to memory of 2784	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	29
PID 2496 wrote to memory of 2784	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	29
PID 2496 wrote to memory of 2784	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	29
PID 2784 wrote to memory of 2584	2784	cmd.exe	31
PID 2784 wrote to memory of 2584	2784	cmd.exe	31
PID 2784 wrote to memory of 2584	2784	cmd.exe	31
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2496 wrote to memory of 2792	2496	5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe	32
PID 2792 wrote to memory of 2844	2792	CoolInstall.exe	33
PID 2792 wrote to memory of 2844	2792	CoolInstall.exe	33
PID 2792 wrote to memory of 2844	2792	CoolInstall.exe	33
PID 2792 wrote to memory of 2844	2792	CoolInstall.exe	33
PID 2844 wrote to memory of 1924	2844	cmd.exe	35
PID 2844 wrote to memory of 1924	2844	cmd.exe	35
PID 2844 wrote to memory of 1924	2844	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe
"C:\Users\Admin\AppData\Local\Temp\5dd07f0dfddb6aabee22f8a31ba392a87adc53c98c05e0539d2f5cc81c773c42N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Windows\Temp\CoolInstall"
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Windows\Temp\CoolInstall"
    3⤵
    - Views/modifies file attributes
    PID:2584
- C:\Windows\Temp\CoolInstall\CoolInstall.exe
  "C:\Windows\Temp\CoolInstall\CoolInstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\cmd.exe
    cmd /c C:\Windows\temp\GetPart.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\Temp\COOLIN~1\Bin\CxDir\x64\CxDir.exe
      "C:\Windows\Temp\COOLIN~1"\Bin\CxDir\x64\CxDir.exe -mohong
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Windows\Temp\CoolInstall\Bin\unattend\unattend.xml

Filesize
2KB

MD5
af1da95a0e0da38ceeb32770837a9e8b

SHA1
28a0c1ed5db3be5aae819dc71e9654ec0d9f1a36

SHA256
be6d2b30b387b279187ee45ac4c1d4651ad64c8cb76428ae1943d750fb2dd7c6

SHA512
9f3fb5098bd42d5fd5f975efc525e95701c08d1e926e4542c006c3b05549ed973fd9843211b57b04fc823c46a19f438973dba9a9b663dd1cb935694035d5f765

Download Submit
C:\Windows\Temp\CoolInstall\CoolInstall.ini

Filesize
3KB

MD5
05335c93f57426005b18987b8fdf0d2f

SHA1
b2c66e83c403cdf21bc5f40e3892e73aef58be59

SHA256
cfeafa9e97b6a8798b1e648eb82b5c8fbf2558ad9a73ec792d72135ec11cf446

SHA512
ea137b3bdec4fa757406fbc6454851d4c55064712bf659e9ceaaada69c0bf82c52a8a8f0e7181d17be32a87b51b803bcdabaecdf0e947c16f2ce0afebe3e2423

Download Submit
C:\Windows\Temp\CoolInstall\Lang\1033.lng

Filesize
22KB

MD5
6d04eacca0187a9f7d29d7c33f557024

SHA1
ed4d53dc1e95dad2c514ef043ee351b2696392f9

SHA256
c71694d4e1240f03ad855fc7594155fef253897e6d8222bc62985690840066e7

SHA512
14a833a6ef0951bb756e6ffe3ca01aa1191cfc7617a2342d09f08615734ebba3e5323b6b7c0782f818d8526a62c19b602e0ccabf429ad88a271bb5900d8a81a6

Download Submit
C:\Windows\Temp\GetPart.bat

Filesize
89B

MD5
a2630bf30b62a3cf58a53eea2f5fef01

SHA1
f8cfc2ad99c5201245b30b72b84ba126b2d51f4b

SHA256
cd7e3ff0a009a780e87b4251464da2925b2e4fc58c94c028688ac270414be530

SHA512
a84991cfb9801237a4125e990cfb87349c2976445094f722db4b672f13a44ac79dd4ce95510441dea36a2df5611df14ba1b2c5cf3edd3a7412f935e7b02e6a8a

Download Submit
C:\Windows\temp\GetPart.log

Filesize
143B

MD5
665f445419977dc386ececd9a6cfe04a

SHA1
46fc1ff30c42ee6266eaf3d34d949a05c3da50ec

SHA256
f0f7d43d3f68ecbcb97d23a2233f494d4bf2b62395dee34f14b81a0353067f00

SHA512
7e36df9347230c1e9dcc92bccee7e738f59f8657e4e110732ceb9d90c23a721b6bd2937e93828ee35a0ace195321128a41bf74505919601ba8e444973d586b7b

Download Submit
\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL.tmp

Filesize
4.1MB

MD5
665538abe5eda99a86a319444c5d803f

SHA1
2286ddf2b47aa1b37c5cadc863312c17b28b473d

SHA256
eb80c7950e0a7edc47b712bfeadc49f57f7f2c5ba5c30964c06388086f6cb658

SHA512
ee150e6664cd524cf99b36dd6637ff35fc4278da02652f420a065fa9a9d38d5d899d9fe13d6772a0962f2a3b7305763c31029633569457a5fcea2765ad2b05b7

Download Submit
\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

Filesize
416KB

MD5
22ba4add9915ae023eefd5d843ed20bb

SHA1
e308ad908b1af42fc90b272ee379000f1fa64afa

SHA256
c83a4413a7012ab44280a0e8c8c85e0fe2b63e444455caf84ac9839ffed75473

SHA512
09c44c466211637304d851784fb8ad606101e0afdd2c4cfe037c2ba3089fce4c597f69f211b9a641bbd87f58e9796c0cd3ef9c29fecfd4d6fbdaf7af01c7c00d

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Windows\Temp\COOLIN~1\Bin\CxDir\x64\CxDir.exe

Filesize
37KB

MD5
2a0ad45c6778fe82c23570a83ea74cc7

SHA1
9a197682a0bed87654040455ad40c8b5c98d3479

SHA256
52f39973653ea125d8c02a6d667383696adfcd73219b73669e9d8a3b362298db

SHA512
e6df4f9599809f19063ed1b3ac3eaf92266ed00dbfd5dbe60f7f814b20a0f33e18cc9bae44aede50679790d5f4f4059c4086bd1c92bc1c67f7524d928a5957eb

Download Submit
\Windows\Temp\CoolInstall\CoolInstall.exe

Filesize
524KB

MD5
a1241911fbd37daddf25f07df292031c

SHA1
6230ce248e5610a0f1360afebcf90994f60975b8

SHA256
bd360c68dd36e07ba2057032ea240808d51e0360b0d070e3ddbfb2a5833b6f62

SHA512
9cdabdd669ee2d2a341e95706c613a1166324888d994f0f5df2df25bd9a536544c91d2624bf3136dfb15feaab4d7af14f60364640dd7d0e3932cd7aa608675ed

Download Submit
memory/1924-110-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2496-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2496-121-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2496-125-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2496-129-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2496-115-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2496-133-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2496-5-0x000000000040A000-0x000000000040D000-memory.dmp

Filesize
12KB

Download
memory/2496-145-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2792-117-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2792-114-0x0000000006AA0000-0x0000000006AA2000-memory.dmp

Filesize
8KB

Download
memory/2792-89-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2792-148-0x00000000731A0000-0x00000000735AB000-memory.dmp

Filesize
4.0MB

Download