floxif | fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03a

General

Target

fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
Size

2.2MB
MD5

438a2acff4d6bd9100274cc161bbb8a0
SHA1

632db2da116a54bf62d600f390ce8d09d5c75ae0
SHA256

fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03a
SHA512

edeadfc4cb6ee532f6db478feeb5b8180ae09f8aeb194b4502d7b513bba5182de1f67d7a4ecc4a1d31d968d16cf0023a3e10a457e41133f6fce928d7eb01196e
SSDEEP

49152:hLAbwDQpJHhS+oprPjnFEfxAdxk9gOh0n8F:lA5JtcPJEfxAoh0nO

Score

10^/10

floxif backdoor discovery persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x00030000000204d5-2.dat	floxif

Downloads MZ/PE file 1 IoCs

flow	pid	Process
61	4816	Process not Found

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00030000000204d5-2.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
2848	setup.exe
3512	setup.exe
1492	setup.exe

Loads dropped DLL 18 IoCs

pid	Process
4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
2848	setup.exe
2848	setup.exe
3512	setup.exe
3512	setup.exe
1492	setup.exe
4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
1492	setup.exe
4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
2224	Process not Found
2224	Process not Found
4948	WerFault.exe
1448	WerFault.exe
3144	MicrosoftEdgeUpdate.exe
3144	MicrosoftEdgeUpdate.exe
4456	WerFault.exe
4516	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\e:	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4236-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x00030000000204d5-2.dat	upx
behavioral2/memory/2848-19-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3512-26-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1492-39-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1492-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4236-73-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2848-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4236-82-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3512-83-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3144-99-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3144-103-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll.tmp	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll.dat	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1448	2224	WerFault.exe	95
4516	3144	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3144	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
2848	setup.exe
2848	setup.exe
3512	setup.exe
3512	setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
Token: SeDebugPrivilege	2848	setup.exe
Token: SeDebugPrivilege	3512	setup.exe
Token: SeDebugPrivilege	3144	MicrosoftEdgeUpdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2848	4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe	89
PID 4236 wrote to memory of 2848	4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe	89
PID 4236 wrote to memory of 2848	4236	fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe	89
PID 2848 wrote to memory of 3512	2848	setup.exe	90
PID 2848 wrote to memory of 3512	2848	setup.exe	90
PID 2848 wrote to memory of 3512	2848	setup.exe	90
PID 2848 wrote to memory of 1492	2848	setup.exe	91
PID 2848 wrote to memory of 1492	2848	setup.exe	91
PID 2848 wrote to memory of 1492	2848	setup.exe	91

C:\Users\Admin\AppData\Local\Temp\fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe
"C:\Users\Admin\AppData\Local\Temp\fd095d94dab5744d80f2960a586aa1e1495e3271b120cfa86b5436c4e980a03aN.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\7zSC8002AA7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zSC8002AA7\setup.exe --server-tracking-blob=YTRmNTY4ZTNmMjc4OWVjMTUyNWMzY2QxNDdhZWI2NDYyY2FhMzUxNTcwNTgyZWRlNTU3YTMzYzUzNDk5YjY5NDp7ImNvdW50cnkiOiJOTCIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9ZHVja2R1Y2tnbyZ1dG1fbWVkaXVtPW9zZSZ1dG1fY2FtcGFpZ249JTI4bm9uZSUyOSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGZHVja2R1Y2tnby5jb20lMkYmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkYmZGxfdG9rZW49MjAzODE5MDMiLCJ0aW1lc3RhbXAiOiIxNzM4Nzc5OTU4LjYxOTgiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBydjoxMDkuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMTUuMCIsInV0bSI6eyJjYW1wYWlnbiI6Iihub25lKSIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6Im9zZSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJkdWNrZHVja2dvIn0sInV1aWQiOiI1YTc4YjEzYy0xZTljLTQ1OTEtOWQzMi04NDg5MTkwZDc3OWIifQ==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\7zSC8002AA7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC8002AA7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.71 --initial-client-data=0x354,0x358,0x35c,0x350,0x360,0x7399cf5c,0x7399cf68,0x7399cf74
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2224 -ip 2224
1⤵
- Loads dropped DLL
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 628
1⤵
- Loads dropped DLL
- Program crash
PID:1448

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDkxQzU0N0MtQjk0RC00RTY4LUI5QTQtODI4RkVDREVCNTM3fSIgdXNlcmlkPSJ7N0YzMzg5QjMtNzI2MC00RjU5LTk3OUMtOUFBNzVFNEQ5MjQ4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0E1NUY2ODYtNEIwNi00MDQyLUE5OUYtODcyMkEwODgyOTdCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzA2OTQxMjUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3144 -ip 3144
1⤵
- Loads dropped DLL
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll.tmp

Filesize
2.2MB

MD5
3cccd57cfc70eadd2f25f2d3ae5f3130

SHA1
3eb312e0b43e44eec92470b57aeb54e5b8ae23bf

SHA256
23338aa352c45843e645efb443c6c5f7a3c4801faa9f4d732f3582d6b473a211

SHA512
9479a42159ed36a6469c51b2b7ec20b180a54acabc7eb1601832430721f5f508ebbf40457970c76e259af930415c35344c016988f32354fcc67027de0e9eb750

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8002AA7\setup.exe

Filesize
5.5MB

MD5
901e652c6fdffb7a6813def879db3fac

SHA1
9f01932b99a1b87d751eae9fcb761a3e831ee10a

SHA256
031cc73d23e1e31b04a4f44a5cf5b2b79b761c88ecd791d838b7430295caf8b2

SHA512
971a09b6b71913558b542f6b056db3f88cf5c29afe84bfd23581dbcad4af5e3b8484b8f0c07bf6d3b73a798bef94dad9ba1f1e79e641d7403ac5e876effad010

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2502091255068802848.dll

Filesize
5.0MB

MD5
758a51de349a436c58ed6edb73288d41

SHA1
224876913395253cde898db4ab4647acc7c64ad4

SHA256
484e1d8f8d9434540c18fbb698795a7c341c6f5aeba83d143803f0ec2b025838

SHA512
32c5a24af61644712d7a42056639198179281acccc5d6a06e836005523e052389a42a7f1441f288ae6446ab0d1f8c15e0637c54e6d7c83180c23ede2a15afe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2502091255070203512.dll.tmp

Filesize
5.1MB

MD5
5db67699e197b77dc1e0d6b23e3858fd

SHA1
9f5620c7359b63efe5913ba051244774ca6d9ffd

SHA256
eae43316d1a6c01349dbb7e8e6accf713487d0f18eff0566ec32c4d9b2df3d69

SHA512
aff30a20423b1ece716e167d7c62c63c5f03d37872c5e8e0da95857df0ef4980d90e2498477212b219d135c91aabf4d7aaff3d093fff77f78f6bd5e77c1714a2

Download Submit
memory/1492-39-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1492-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-19-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2848-78-0x0000000073570000-0x0000000073A88000-memory.dmp

Filesize
5.1MB

Download
memory/3144-103-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3144-99-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3512-26-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3512-89-0x00000000726F0000-0x0000000072C08000-memory.dmp

Filesize
5.1MB

Download
memory/3512-85-0x00000000726F0000-0x0000000072C08000-memory.dmp

Filesize
5.1MB

Download
memory/3512-83-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4236-69-0x0000000000391000-0x0000000000392000-memory.dmp

Filesize
4KB

Download
memory/4236-82-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4236-81-0x0000000000370000-0x00000000003CD000-memory.dmp

Filesize
372KB

Download
memory/4236-75-0x0000000000370000-0x00000000003CD000-memory.dmp

Filesize
372KB

Download
memory/4236-73-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4236-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4236-8-0x0000000000370000-0x00000000003CD000-memory.dmp

Filesize
372KB

Download
memory/4236-0-0x0000000000391000-0x0000000000392000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing