Overview

overview

10

Static

static

1

e6712ae2ce...3N.exe

windows7-x64

10

e6712ae2ce...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023N.exe

  • Size

    971KB

  • MD5

    2f483b8b5b15e945811467511ebc3af0

  • SHA1

    7b7bbbcefe291db7f243124ca840ce5c54a8e646

  • SHA256

    e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023

  • SHA512

    400b1c5cc6e39f6a79e8fdc0b8cfe91f1b27c1c83619795aba73929707371498b999085cc1a69cea8ae13a212100be44fe6cc307d69644aa9c746636d5da033e

  • SSDEEP

    24576:TMjrW64T8eVpJ5V5N/7flrXyCBQR80FBmjRLrEH7p:Qjy64X31drPQR80FkjR8

Score
10/10
floxifbackdoordiscoverytrojanupx

Malware Config

Signatures

  • Floxif family
    floxif
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    backdoortrojanfloxif
  • Detects Floxif payload 1 IoCs
    backdoor
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 63 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023N.exe
    "C:\Users\Admin\AppData\Local\Temp\e6712ae2ce83ee6067944d8f7036a0c9e700b5336e1877801ed4fc4ef9484023N.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Program Files (x86)\DriverPack Notifier\DriverPackNotifier.exe
      "C:\Program Files (x86)\DriverPack Notifier\DriverPackNotifier.exe" "--install"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\Program Files (x86)\DriverPack Notifier\bin\Tools\run.hta" "--install"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\DriverPack Notifier\DriverPackNotifier.exe
    Filesize

    252KB

    MD5

    d663176b9297a432309140315169274c

    SHA1

    0f49833354b2b172491d8a32fd70c2bb35ae0535

    SHA256

    0659388dba26d26eada6d82ed38f22fb2b0a264d1cc4667cce7f4523c72d59be

    SHA512

    390372fba7408330c41db3c63b89ac67160c81e0f3e4cd9ec5ba656b41152bf48bd7b6c1a62b6c117ea3982da2d8c7e48b676da0f264f7c6887c8d8fc7e61878

    Download Submit

  • C:\Program Files (x86)\DriverPack Notifier\bin\Tools\main.js
    Filesize

    487KB

    MD5

    e4ab7f55bbef378fcd8903558584c7d3

    SHA1

    bd776e0e11af900c073efe0bc6c529a9d4c4f020

    SHA256

    c3e8f94143457535545c31e53eeef15c57ff3c35a12e97b2abab79a26585d509

    SHA512

    12bcc95f60296f4fb16c0e46c047fd4aab27d8c8bfd3e42fb2f6cd9c2611c67bce33909b9165c41c02a2ad023123b8c2bbd98a1502675e50a15cdf7abfad894a

    Download Submit

  • C:\Program Files (x86)\DriverPack Notifier\bin\Tools\run.hta
    Filesize

    1KB

    MD5

    107923a95de7b0358ffaa9346fac5739

    SHA1

    d7744f47121bdd3352291aae69caf6ccf5c612c3

    SHA256

    d954416c767ae944ecd3b17241e9921ac6d9336ab373b456b0480e54dcc093dc

    SHA512

    dea56713bab30ce2cf6e95488919056c529bedd494c3fa04124d144d09a1c15f6b69e8811ea04b86b52cfc8dae4600605d69c771f6b4fcb2a018cf902eee0e1a

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • memory/2160-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2160-6-0x000000000040F000-0x0000000000412000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2160-79-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5056-76-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download