| File name: | 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif |
| Full analysis: | https://app.any.run/tasks/8785d4e9-e05b-473a-921f-bd737c01c343 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | March 24, 2025, 16:52:03 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | FE3E50CFC97C023E8FE9C1F3130C972C |
| SHA1: | AF52798EDAC9C693ECC1C3E7FEEA69748C13EE6D |
| SHA256: | 5070E9FF5E0E4A22899293A4E26CDF7244AD03E65975992FD998640C8E88842D |
| SSDEEP: | 98304:iJquOYGsg9aFdF2Nv5SQ6i0A5vxltX2aiE5Z:TN |
MALICIOUS
FLOXIF mutex has been found
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Executing a file with an untrusted certificate
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Connects to the CnC server
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
SUSPICIOUS
Process drops legitimate windows executable
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Reads security settings of Internet Explorer
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Executable content was dropped or overwritten
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Contacting a server suspected of hosting an CnC
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
INFO
Failed to create an executable file in Windows directory
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
The sample compiled with english language support
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Checks supported languages
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Reads the computer name
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Checks proxy server information
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
- slui.exe (PID: 5304)
Create files in a temporary directory
- 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe (PID: 7812)
Reads the software policy settings
- slui.exe (PID: 5304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2015:04:09 07:25:45+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 12 |
| CodeSize: | 1402368 |
| InitializedDataSize: | 563712 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1263ac |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 35.0.61.54677 |
| ProductVersionNumber: | 35.0.61.54677 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | USBSetupLauncher.exe |
| OriginalFileName: | USBSetupLauncher.exe |
| InternalName: | USBSetupLauncher |
| CompanyName: | Hewlett-Packard Development Company, LP |
| LegalCopyright: | Copyright (C) Hewlett-Packard Co. 2014 |
| LegalTrademarks: | - |
| FileDescription: | USBSetupLauncher.exe |
| FileVersion: | 35.0.61.54677 |
| ProductName: | HP Digital Imaging |
| ProductVersion: | 035.000.061.54677 |
| ProductFamily: | HP Digital Imaging |
| ProductFileFlags: | 1 |
Total processes
125
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5304 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7812 | "C:\Users\admin\Desktop\2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe" | C:\Users\admin\Desktop\2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | explorer.exe | ||||||||||||
User: admin Company: Hewlett-Packard Development Company, LP Integrity Level: MEDIUM Description: USBSetupLauncher.exe Exit code: 1223 Version: 35.0.61.54677 Modules
| |||||||||||||||
Total events
3 861
Read events
3 858
Write events
3
Delete events
0
Modification events
| (PID) Process: | (7812) 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7812) 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7812) 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7812 | 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | C:\Users\admin\AppData\Local\Temp\conres.dll.000 | text | |
MD5:1130C911BF5DB4B8F7CF9B6F4B457623 | SHA256:EBA08CC8182F379392A97F542B350EA0DBBE5E4009472F35AF20E3D857EAFDF1 | |||
| 7812 | 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable | |
MD5:7574CF2C64F35161AB1292E2F532AABF | SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
7
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
7812 | 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | GET | 403 | 173.255.194.134:80 | http://www.aieov.com/logo.gif | unknown | — | — | malicious |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
7812 | 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | 173.255.194.134:80 | www.aieov.com | Linode, LLC | US | malicious |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7584 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5304 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
5isohu.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.aieov.com |
| malicious |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7812 | 2025-03-24_fe3e50cfc97c023e8fe9c1f3130c972c_bkransomware_floxif.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication |