floxif | 63a1c6214d0b054a3f4ba490ad61ee07f05f5fa7d5a79fffacd4b24b4e84722e

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
Size

590KB
MD5

511e7ba3b99b33a5bf30988fda35eb65
SHA1

8e7ab31d7962dcca4c67c054d00816109139357c
SHA256

63a1c6214d0b054a3f4ba490ad61ee07f05f5fa7d5a79fffacd4b24b4e84722e
SHA512

4199e749a5e7d80a14d9f0c3949357e894a796b11f4449559da0c333592c60a79aebcef86ad054707c2c59d0427d90714d84652e16ec52b67da3e0c95008a842
SSDEEP

12288:cFUNDa6FAhDaXkDOymC2+7Mdjm7sBjvrEH78n:cFOa6FwaXkqi7Mdjm7GrEH78n

Score

10^/10

floxif backdoor defense_evasion discovery persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000700000002422a-11.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000002422a-11.dat	acprotect

Executes dropped EXE 16 IoCs

pid	Process
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5780	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5052	icsys.icn.exe
4744	explorer.exe
4700	icsys.icn.exe
2644	spoolsv.exe
4856	svchost.exe
4840	spoolsv.exe
4044	explorer.exe
5812	svchost.exe
3356	explorer.exe
2184	svchost.exe
5248	svchost.exe
5308	explorer.exe
4824	explorer.exe
3416	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5780	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002422a-11.dat	upx
behavioral1/memory/5568-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5780-29-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5780-48-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5568-62-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4744	explorer.exe
4856	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
Token: SeDebugPrivilege	5780	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
5052	icsys.icn.exe
5052	icsys.icn.exe
5780	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
4744	explorer.exe
5780	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
4744	explorer.exe
4700	icsys.icn.exe
4700	icsys.icn.exe
2644	spoolsv.exe
2644	spoolsv.exe
4856	svchost.exe
4856	svchost.exe
4840	spoolsv.exe
4840	spoolsv.exe
4044	explorer.exe
5812	svchost.exe
4044	explorer.exe
5812	svchost.exe
3356	explorer.exe
2184	svchost.exe
3356	explorer.exe
2184	svchost.exe
5248	svchost.exe
5248	svchost.exe
5308	explorer.exe
5308	explorer.exe
3416	svchost.exe
3416	svchost.exe
4824	explorer.exe
4824	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 5568	232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	85
PID 232 wrote to memory of 5568	232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	85
PID 232 wrote to memory of 5568	232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	85
PID 5568 wrote to memory of 5780	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	88
PID 5568 wrote to memory of 5780	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	88
PID 5568 wrote to memory of 5780	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	88
PID 232 wrote to memory of 5052	232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	89
PID 232 wrote to memory of 5052	232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	89
PID 232 wrote to memory of 5052	232	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	89
PID 5052 wrote to memory of 4744	5052	icsys.icn.exe	91
PID 5052 wrote to memory of 4744	5052	icsys.icn.exe	91
PID 5052 wrote to memory of 4744	5052	icsys.icn.exe	91
PID 5568 wrote to memory of 4700	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	92
PID 5568 wrote to memory of 4700	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	92
PID 5568 wrote to memory of 4700	5568	2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe	92
PID 4744 wrote to memory of 2644	4744	explorer.exe	93
PID 4744 wrote to memory of 2644	4744	explorer.exe	93
PID 4744 wrote to memory of 2644	4744	explorer.exe	93
PID 2644 wrote to memory of 4856	2644	spoolsv.exe	94
PID 2644 wrote to memory of 4856	2644	spoolsv.exe	94
PID 2644 wrote to memory of 4856	2644	spoolsv.exe	94
PID 4856 wrote to memory of 4840	4856	svchost.exe	95
PID 4856 wrote to memory of 4840	4856	svchost.exe	95
PID 4856 wrote to memory of 4840	4856	svchost.exe	95
PID 4268 wrote to memory of 4044	4268	cmd.exe	104
PID 4268 wrote to memory of 4044	4268	cmd.exe	104
PID 4268 wrote to memory of 4044	4268	cmd.exe	104
PID 4992 wrote to memory of 5812	4992	cmd.exe	105
PID 4992 wrote to memory of 5812	4992	cmd.exe	105
PID 4992 wrote to memory of 5812	4992	cmd.exe	105
PID 4568 wrote to memory of 3356	4568	cmd.exe	106
PID 4568 wrote to memory of 3356	4568	cmd.exe	106
PID 4568 wrote to memory of 3356	4568	cmd.exe	106
PID 1096 wrote to memory of 2184	1096	cmd.exe	107
PID 1096 wrote to memory of 2184	1096	cmd.exe	107
PID 1096 wrote to memory of 2184	1096	cmd.exe	107
PID 3540 wrote to memory of 5248	3540	cmd.exe	124
PID 3540 wrote to memory of 5248	3540	cmd.exe	124
PID 3540 wrote to memory of 5248	3540	cmd.exe	124
PID 5660 wrote to memory of 5308	5660	cmd.exe	125
PID 5660 wrote to memory of 5308	5660	cmd.exe	125
PID 5660 wrote to memory of 5308	5660	cmd.exe	125
PID 4788 wrote to memory of 4824	4788	cmd.exe	134
PID 4788 wrote to memory of 4824	4788	cmd.exe	134
PID 4788 wrote to memory of 4824	4788	cmd.exe	134
PID 4008 wrote to memory of 3416	4008	cmd.exe	135
PID 4008 wrote to memory of 3416	4008	cmd.exe	135
PID 4008 wrote to memory of 3416	4008	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:232
- \??\c:\users\admin\appdata\local\temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
  c:\users\admin\appdata\local\temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5568
- - \??\c:\users\admin\appdata\local\temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
    c:\users\admin\appdata\local\temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5780
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4700
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5052
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2644
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:5660
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4788
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-04-03_511e7ba3b99b33a5bf30988fda35eb65_black-basta_cobalt-strike_floxif_luca-stealer_swisyn.exe

Filesize
454KB

MD5
f21483959040409ca50c09395178d42c

SHA1
d43d5e0f497b0a99f83a0616f1426ae7725e229b

SHA256
e73e70c6e5ecafdd43384ce6f2caaac2b4b01d2c1934124a3153f1ef1a662b44

SHA512
5590f4da3ba20e5c72d35c13d68974c62db3232a08a2aae0f2ed307c2c73cce7f320eb066dfa889145bf6e979d1b26aae8f04d49a9df3c2ebdb1d8541c3e81c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\6012F5815C0.tmp

Filesize
378KB

MD5
505d4ac9f6aeabcf2541f397fe8064c9

SHA1
1b030d3e59a5efded4a2b3ee9dfb76bfa3a049b7

SHA256
9975d797441037f8a902c756e43ceb5317a22ed950525976d80e77e2b5b69c0c

SHA512
1ddfeaf3264238fe7005292588381fa233b7406a9c25b299f73caa6e37f0640b9e4acb66fbbb4c9d3d62a974cd1bc7b78deb64f6afc7bcbd7b4a9d94761b895c

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
3971e2f43c6cb9ee11ab773e1577a313

SHA1
a4c197cbc8ff502efdb3ee9fe6b2710d7a3d236e

SHA256
4273d79b1413e81532ea6f1afe85c06cf8470771fe069c5f7b6f3df6776eebcd

SHA512
8a2febb040d85c30a240aa1a20a6c61254c83cc3ebf65ec4654f89f1e92d35608d7a6cfa401695716aebe0a67e45ad2baa1a42ca9df743dfa4c41da56343e001

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
36a79c96a9688684908613b096668897

SHA1
ef66caf632892e8f92a903a15f7d545fc98797bf

SHA256
d05eddfa333dca7a3e19dc6f20ab56e9785766ae5e18094cb4cb17934720a30b

SHA512
5c2ccc1185cde5d354872961db976a3fb14ae3ab56c95065ab37cb2905242534bdd6ba91011fa43dc92005c58169ec213bca7f60d7ae53ef632d7c9eabf8f02b

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
c358764de624bc47cc0b1c93b432ecfc

SHA1
c0c2e536be9c5e7a2d6ebc8941c766a0a9e6eb69

SHA256
3d35333d4c2f93cee9844819b7fd48018e173061bd8ee72a7fd6a56cf0e52288

SHA512
48ae36e405d3c49b6a7636537f62069d4c220fda0f4f41646d785ec25293b01836e957878dceef76eb923311fbdbe3070e7e189a3c11046fada6a8a33060fb34

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
cc1f32ed24a8d5c9e6f2830bd2ad8a7e

SHA1
3a3f19352fd95058f02518fd7a061a2b2a65e42a

SHA256
8af1dcd0281087ec618c9897a426ab2e4035e0fe37b36e584b4670c8da21d8ce

SHA512
d6ab198cedd5308b4ffc2146b7dd510c19638c34ab5bf51980c11e0dc874452006c498a964a722927171bcfa6b2febcfdcc1acd65e3677f022b22ce9468e78aa

Download Submit
memory/232-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/232-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2184-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4744-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4840-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4856-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5052-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5248-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5308-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5568-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5568-62-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5568-19-0x000000000040F000-0x0000000000412000-memory.dmp

Filesize
12KB

Download
memory/5568-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5568-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5780-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5780-48-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5780-29-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5812-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download