Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    96s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2025, 01:52 UTC

General

  • Target

    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe

  • Size

    461KB

  • MD5

    3671d6a9ca42f394c235d6ef8ae4a071

  • SHA1

    f2efbef6b83bebdb8af7e44fcaa0a99169d14439

  • SHA256

    636636122ced4a0845c494c482abb6ad7c3b7b1bda46a66ae41f723cee3a4600

  • SHA512

    c4176a1562490a63b513c48d10a8d5026c649576aa6fc7d6175730715d595c4f52604b4396bcf9714ce545ad82af44739cbd90ba01524dca8615812c1ba7aaa0

  • SSDEEP

    12288:SJRL3UmCb6U38Y9de3ANbCS0Z8MfsVdxenVWqqPIBONhxs8hmhSBjvrEH7QK:SJRL3Qp9dNNbCiMfsVf1/xs8hmCrEH7F

Malware Config

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Detects Floxif payload 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2124

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5isohu.com
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    www.aieov.com
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    Remote address:
    8.8.8.8:53
    Request
    www.aieov.com
    IN A
    Response
    www.aieov.com
    IN A
    45.33.18.44
    www.aieov.com
    IN A
    198.58.118.167
    www.aieov.com
    IN A
    72.14.185.43
    www.aieov.com
    IN A
    45.79.19.196
    www.aieov.com
    IN A
    45.56.79.23
    www.aieov.com
    IN A
    45.33.20.235
    www.aieov.com
    IN A
    173.255.194.134
    www.aieov.com
    IN A
    96.126.123.244
    www.aieov.com
    IN A
    72.14.178.174
    www.aieov.com
    IN A
    45.33.2.79
    www.aieov.com
    IN A
    45.33.23.183
    www.aieov.com
    IN A
    45.33.30.197
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    Remote address:
    45.33.18.44:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Tue, 28 Jan 2025 01:52:12 GMT
    content-type: text/html
    content-length: 175
    connection: close
  • flag-us
    DNS
    44.18.33.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    44.18.33.45.in-addr.arpa
    IN PTR
    Response
    44.18.33.45.in-addr.arpa
    IN PTR
    li972-44.members.linode.com
  • flag-us
    DNS
    159.96.196.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    159.96.196.23.in-addr.arpa
    IN PTR
    Response
    159.96.196.23.in-addr.arpa
    IN PTR
    a23-196-96-159.deploy.static.akamaitechnologies.com
  • flag-us
    GET
    http://www.aieov.com/logo.gif
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    Remote address:
    45.33.18.44:80
    Request
    GET /logo.gif HTTP/1.1
    Accept: */*
    Host: www.aieov.com
    Response
    HTTP/1.1 403 Forbidden
    server: openresty/1.13.6.1
    date: Tue, 28 Jan 2025 01:52:16 GMT
    content-type: text/html
    content-length: 175
    x-fail-reason: Bad Actor
    connection: close
  • flag-us
    DNS
    5isohu.com
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    Remote address:
    8.8.8.8:53
    Request
    5isohu.com
    IN A
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 45.33.18.44:80
    http://www.aieov.com/logo.gif
    http
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    336 B
    503 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 45.33.18.44:80
    http://www.aieov.com/logo.gif
    http
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    336 B
    529 B
    6
    4

    HTTP Request

    GET http://www.aieov.com/logo.gif

    HTTP Response

    403
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    www.aieov.com
    dns
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    59 B
    251 B
    1
    1

    DNS Request

    www.aieov.com

    DNS Response

    45.33.18.44
    198.58.118.167
    72.14.185.43
    45.79.19.196
    45.56.79.23
    45.33.20.235
    173.255.194.134
    96.126.123.244
    72.14.178.174
    45.33.2.79
    45.33.23.183
    45.33.30.197

  • 8.8.8.8:53
    44.18.33.45.in-addr.arpa
    dns
    70 B
    111 B
    1
    1

    DNS Request

    44.18.33.45.in-addr.arpa

  • 8.8.8.8:53
    159.96.196.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    159.96.196.23.in-addr.arpa

  • 8.8.8.8:53
    5isohu.com
    dns
    2025-01-28_3671d6a9ca42f394c235d6ef8ae4a071_avoslocker_cobalt-strike_floxif.exe
    56 B
    117 B
    1
    1

    DNS Request

    5isohu.com

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    56.163.245.4.in-addr.arpa

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • C:\Users\Admin\AppData\Local\Temp\log.txt

    Filesize

    2KB

    MD5

    bcfd43a8c5cbf65160a6f03672c85c27

    SHA1

    026b779e49890196c494edda4fc3450eba7f765d

    SHA256

    da1c41c66848699870e39acd598e0f7dc0a8e3357424382d39961ba944064af8

    SHA512

    a84da9ec482a39c6638027f52b8b8ed932cb788d158b0a7b7a12d58895da7c32a80cfbb904a8fe4056554f3f56a3fd4416a91173ac520d1d123b44d7340be3b6

  • C:\Users\Admin\AppData\Local\Temp\log.txt

    Filesize

    2KB

    MD5

    794a0ee47bd90eb7d0c66c648a91d8f9

    SHA1

    f6a40c3a65a71e70fe60ae8dc8b2224d0da2f8cc

    SHA256

    ba89eee125ea590357276662f7e4acb9564cb98d6b75728ada6570735e5d27d4

    SHA512

    d9d725cbea323158ec13c6273c14f5e83251f81c3d073964ec92eda5cb653937d92bdcefd05f630c9aabb88a8f43d1064771451075fb40658b52d8b2bc0557fa

  • C:\Users\Admin\AppData\Local\Temp\log.txt

    Filesize

    5KB

    MD5

    db102e81b0dd5ebc13a6219db373d388

    SHA1

    672205542123dbcd87ea24be345ec4b2074e23eb

    SHA256

    ea2b0ff509dec9d4b015ec2233cf4236599f3ff428e93c3fa3c9a3527dd984db

    SHA512

    4a34deb471a3a3de72b2f637e9ec5333639ac8f92433c61c7e8196203502e0eab057349cd3735d7239e5201a34f3c777c49f4af7f0eff959191c7b8614f042ee

  • memory/2124-1-0x0000000000368000-0x0000000000369000-memory.dmp

    Filesize

    4KB

  • memory/2124-4-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2124-63-0x0000000000350000-0x00000000003B6000-memory.dmp

    Filesize

    408KB

  • memory/2124-64-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB
