Analysis

  • max time kernel
    52s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-11-2020 20:58

General

  • Target

    a.exe

  • Size

    32KB

  • MD5

    4a94758d9b8bed45249bffffbaaa0460

  • SHA1

    fff1c09b6e710d1804716e6b6b6c055a899aa1fc

  • SHA256

    64cc82160edccda2bfd82d92b429ea0f98dcda9659a5c757b2748119847f5532

  • SHA512

    5d77477a4561723c9752a9666228df2dc2b5547eaac7b7507ea552b310bcee5b13a75a73f8e9fb7a466762e5f360bec197ce0b3a09abd7b13d5b7dfc865ff45b

Malware Config

Extracted

Path

C:\20172306425313\Read_Me.txt

Ransom Note

    Attention! All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
    The server with your decryptor is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    1. Download Tor browser - https://www.torproject.org/
    2. Install Tor browser
    3. Open Tor Browser
    4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?WNOQSTVX
    5. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://25xb3kc6azicbbuo.onion/?WNOQSTVX

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 4558 IoCs
  • Suspicious behavior: EnumeratesProcesses 814 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a.exe
    "C:\Users\Admin\AppData\Local\Temp\a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\29474.jpg
      2⤵
        PID:1100
      • C:\Users\Admin\AppData\Local\Temp\10128.exe
        C:\Users\Admin\AppData\Local\Temp\10128.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\20172306425313\winsvcs.exe
          C:\20172306425313\winsvcs.exe
          3⤵
          • Executes dropped EXE
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Users\Admin\AppData\Local\Temp\3715134609.exe
            C:\Users\Admin\AppData\Local\Temp\3715134609.exe
            4⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            PID:4020

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Persistence
      Registry Run Keys / Startup Folder (1) - T1060
    • Defense Evasion
      Disabling Security Tools (2) - T1089
      Modify Registry (3) - T1112
    • Discovery
      Query Registry (1) - T1012
      Peripheral Device Discovery (1) - T1120
      System Information Discovery (1) - T1082

    Downloads

    • C:\20172306425313\winsvcs.exe
      MD5

      1f8cef7b1f327e19ec561d1b80583d2d

      SHA1

      96795527c65711c13aef7f2cda3b5a0ff5779137

      SHA256

      c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6

      SHA512

      2bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2

    • C:\Users\Admin\AppData\Local\Temp\10128.exe
      MD5

      1f8cef7b1f327e19ec561d1b80583d2d

      SHA1

      96795527c65711c13aef7f2cda3b5a0ff5779137

      SHA256

      c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6

      SHA512

      2bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2

    • C:\Users\Admin\AppData\Local\Temp\29474.jpg
      MD5

      4d23e02d17563f2cee703384cc846c8d

      SHA1

      0d76ac46acb86a861baafed1decbd30325c789e3

      SHA256

      c79765fd5e568441d33950403ebef264c0d6c948fb691eca90db4395dc98f911

      SHA512

      ff11309a7aa95616fe928fb76afdda8d7fccf23e14957f5cfbcf91a64587253bbdac6746a7d1f835d7784417fe77f9c77014e59d74cc16f08d3fe8ee64967753

    • C:\Users\Admin\AppData\Local\Temp\3715134609.exe
      MD5

      7d52884b375ce8b6182f1c53f0f1c496

      SHA1

      6b70e90b0dada8d93c61caa678e76ce2abcbc76b

      SHA256

      9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

      SHA512

      24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

    • memory/1100-0-0x0000000000000000-mapping.dmp
    • memory/1888-1-0x0000000000000000-mapping.dmp
    • memory/3916-4-0x0000000000000000-mapping.dmp
    • memory/4020-7-0x0000000000000000-mapping.dmp
    • memory/4020-11-0x0000000004D30000-0x0000000004DF1000-memory.dmp
      Filesize

      772KB

    • memory/4020-16-0x0000000004E30000-0x0000000004EFA000-memory.dmp
      Filesize

      808KB

    • memory/4020-24-0x0000000004E30000-0x0000000004EFA000-memory.dmp
      Filesize

      808KB