Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/01/2025, 13:52 UTC

General

  • Target: e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023N.exe
  • Size: 971KB
  • MD5: 2f483b8b5b15e945811467511ebc3af0
  • SHA1: 7b7bbbcefe291db7f243124ca840ce5c54a8e646
  • SHA256: e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023
  • SHA512: 400b1c5cc6e39f6a79e8fdc0b8cfe91f1b27c1c83619795aba73929707371498b999085cc1a69cea8ae13a212100be44fe6cc307d69644aa9c746636d5da033e
  • SSDEEP: 24576:TMjrW64T8eVpJ5V5N/7flrXyCBQR80FBmjRLrEH7p:Qjy64X31drPQR80FkjR8

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 63 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023N.exe"
    PID: 2160
    Signatures: Checks computer location settings; Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\DriverPack Notifier\DriverPackNotifier.exe (child of PID 2160)
      Command line: "C:\Program Files (x86)\DriverPack Notifier\DriverPackNotifier.exe" "--install"
      PID: 5056
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\mshta.exe (child of PID 5056)
        Command line: "C:\Windows\System32\mshta.exe" "C:\Program Files (x86)\DriverPack Notifier\bin\Tools\run.hta" "--install"
        PID: 2520
        Signatures: System Location Discovery: System Language Discovery

Network

  • DNS 232.168.11.51.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 232.168.11.51.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 75.159.190.20.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 75.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 7.98.51.23.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 7.98.51.23.in-addr.arpa IN PTR
    Response: 7.98.51.23.in-addr.arpa IN PTR a23-51-98-7.deploy.static.akamaitechnologies.com
  • DNS 196.249.167.52.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 196.249.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 197.87.175.4.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 197.87.175.4.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 171.39.242.20.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 171.39.242.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 181.129.81.91.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 181.129.81.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 22.236.111.52.in-addr.arpa (US)
    Remote address: 8.8.8.8:53
    Request: 22.236.111.52.in-addr.arpa IN PTR
    Response: (empty)
No results found
  Remote address   Domain                          Proto   Sent   Received   Requests   Responses
  8.8.8.8:53       232.168.11.51.in-addr.arpa      dns     72 B   158 B      1          1
  8.8.8.8:53       75.159.190.20.in-addr.arpa      dns     72 B   158 B      1          1
  8.8.8.8:53       7.98.51.23.in-addr.arpa         dns     69 B   131 B      1          1
  8.8.8.8:53       196.249.167.52.in-addr.arpa     dns     73 B   147 B      1          1
  8.8.8.8:53       197.87.175.4.in-addr.arpa       dns     71 B   157 B      1          1
  8.8.8.8:53       171.39.242.20.in-addr.arpa      dns     72 B   158 B      1          1
  8.8.8.8:53       172.210.232.199.in-addr.arpa    dns     74 B   128 B      1          1
  8.8.8.8:53       181.129.81.91.in-addr.arpa      dns     72 B   147 B      1          1
  8.8.8.8:53       22.236.111.52.in-addr.arpa      dns     72 B   158 B      1          1

  Each row carries a single DNS request, for the domain shown in that row.

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\DriverPack Notifier\DriverPackNotifier.exe
    Filesize: 252KB
    MD5: d663176b9297a432309140315169274c
    SHA1: 0f49833354b2b172491d8a32fd70c2bb35ae0535
    SHA256: 0659388dba26d26eada6d82ed38f22fb2b0a264d1cc4667cce7f4523c72d59be
    SHA512: 390372fba7408330c41db3c63b89ac67160c81e0f3e4cd9ec5ba656b41152bf48bd7b6c1a62b6c117ea3982da2d8c7e48b676da0f264f7c6887c8d8fc7e61878

  • C:\Program Files (x86)\DriverPack Notifier\bin\Tools\main.js
    Filesize: 487KB
    MD5: e4ab7f55bbef378fcd8903558584c7d3
    SHA1: bd776e0e11af900c073efe0bc6c529a9d4c4f020
    SHA256: c3e8f94143457535545c31e53eeef15c57ff3c35a12e97b2abab79a26585d509
    SHA512: 12bcc95f60296f4fb16c0e46c047fd4aab27d8c8bfd3e42fb2f6cd9c2611c67bce33909b9165c41c02a2ad023123b8c2bbd98a1502675e50a15cdf7abfad894a

  • C:\Program Files (x86)\DriverPack Notifier\bin\Tools\run.hta
    Filesize: 1KB
    MD5: 107923a95de7b0358ffaa9346fac5739
    SHA1: d7744f47121bdd3352291aae69caf6ccf5c612c3
    SHA256: d954416c767ae944ecd3b17241e9921ac6d9336ab373b456b0480e54dcc093dc
    SHA512: dea56713bab30ce2cf6e95488919056c529bedd494c3fa04124d144d09a1c15f6b69e8811ea04b86b52cfc8dae4600605d69c771f6b4fcb2a018cf902eee0e1a

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize: 67KB
    MD5: 7574cf2c64f35161ab1292e2f532aabf
    SHA1: 14ba3fa927a06224dfe587014299e834def4644f
    SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • memory/2160-4-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/2160-6-0x000000000040F000-0x0000000000412000-memory.dmp
    Filesize: 12KB

  • memory/2160-79-0x0000000010000000-0x0000000010030000-memory.dmp
    Filesize: 192KB

  • memory/5056-76-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
