Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Photo-125-137.jpg.scr.zip
Size

13KB
Sample

201103-yqdbwpye9x
MD5

671ee9d73d4b0bff89c934ecf24e4703
SHA1

86f105663a68c27bccb3889c48665c0561d0d056
SHA256

9a29568fb06b15f7a2f3f89474c27141965b0cf824c4cfbd9e2a97585fd1de1e
SHA512

d7f16c6d8e4332de77c2c53ccc0e8f73708f8e78fb274a76d2c25b38471f13a15e9dff6c1096f34676de63b48b69e2af09367530a1f1e31039c4ef28b3db8c4d

Score

10^/10

Malware Config

Extracted

Path

C:\4281278655928\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?NDSIYNDS 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?NDSIYNDS

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\7129197363678\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?XPQSTVXY 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?XPQSTVXY

http://helpqvrg3cc5mvb3.onion/

Targets

- Target
  
  Photo-125-137.jpg.scr
- Size
  
  13KB
- MD5
  
  16ce76113dfce837053c655053129aee
- SHA1
  
  13f726b49edf5975962979a00747dda1303accb1
- SHA256
  
  59afd802f051196913f08d88343bdeeb92ba957a4b123844a521e9c4e238d1fb
- SHA512
  
  4d284260cf3aaa0a8e460bf3da1aa18984b8c29caa9e6f81ba5246a58f26148f35b48accdff3bd458432a6398d40c74c1a3b6589c3d8eaaafc6e26d2f4d8cd75
Score

10^/10

phorphiex evasion loader persistence ransomware spyware trojan worm
- Phorphiex Worm
  Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Modifies Installed Components in the registry

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Modifies service

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2