Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2025, 07:34
Static task
static1
General
Target: 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
Size: 2.0MB
MD5: 20563cb92f21094282b8a7cca2f056e6
SHA1: 08d72747b4839904b4be8f0a1dd9890b2d3c66c1
SHA256: 6271ec44283f7f2d31aaa916e8fa7a23a000f629dee82dffe88ad275d21f2cdb
SHA512: 25c0984ca0c69130af604060909b04befb637ad70400c7f706323e1f6ee73f2c3cc1d2c296a202eee5c2fc75f5bdeb6f7220a98be9e8421d36d3c4049af63401
SSDEEP: 49152:xGGpHjHVXN4bsKzaLeP9BxjEovLeGsHofdabsHofdaQ9BxjEodt:xrj19jKz1PRYfG3f4b3f4QRYMt
Malware Config
Signatures
Floxif family
Detects Floxif payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000d00000002370f-1.dat | floxif
Stops running service(s) 4 TTPs
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000d00000002370f-1.dat | acprotect
Executes dropped EXE 1 IoCs
pid | Process
6108 | Auto_eject.exe
Loads dropped DLL 1 IoCs
pid | Process
3396 | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 15 IoCs
YARA rule upx matched 3 resources
resource | yara_rule
behavioral1/files/0x000d00000002370f-1.dat | upx
behavioral1/memory/3396-3-0x0000000010000000-0x0000000010030000-memory.dmp | upx
behavioral1/memory/3396-211-0x0000000010000000-0x0000000010030000-memory.dmp | upx
Drops file in Program Files directory 31 IoCs
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.PNF | Auto_eject.exe
File created | C:\Windows\inf\oem1.PNF | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
File created | C:\Windows\inf\oem2.PNF | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File created | C:\Windows\inf\oem0.PNF | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
228 | sc.exe
2520 | sc.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Auto_eject.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TASKKILL.exe
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Kills process with taskkill 1 IoCs
pid | Process
5060 | TASKKILL.exe
Modifies data under HKEY_USERS 41 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3396 | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
3396 | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3396 | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege | 5060 | TASKKILL.exe
Token: SeAuditPrivilege | 824 | svchost.exe
Token: SeSecurityPrivilege | 824 | svchost.exe
Token: SeLoadDriverPrivilege | 3396 | 2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-04_20563cb92f21094282b8a7cca2f056e6_amadey_black-basta_floxif_hijackloader_luca-stealer.exe"
  PID: 3396
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /IM Auto_eject.exe /T
    PID: 5060
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\sc.exe
    Command line: sc stop Auto_eject >nul
    PID: 228
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\sc.exe
    Command line: sc delete Auto_eject >nul
    PID: 2520
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  PID: 824
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2ed09db7-48bb-e144-afd9-512862199c42}\usbwifi_ndis6.inf" "9" "4281261ef" "0000000000000138" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\ZTOPMICRO\9101DV20"
    PID: 3068
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
C:\Program Files (x86)\ZTOPMICRO\Auto_eject.exe
  Command line: "C:\Program Files (x86)\ZTOPMICRO\Auto_eject.exe"
  PID: 6108
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads