Analysis Overview
SHA256
86f2fcc5ac4a7e5af68c2814b3fbc96c96df589fc92db49e6cf79e19c95f26ca
Threat Level: Known bad
The file Phantom.rar was found to be: Known bad.
Malicious Activity Summary
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-01 12:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-01 12:27
Reported
2021-05-01 12:28
Platform
win10v20210408
Max time kernel
22s
Max time network
23s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phantom.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phantom.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Phantom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Phantom.exe
"C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 107.22.233.72:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/740-114-0x0000000000A10000-0x0000000000A11000-memory.dmp
memory/740-116-0x000000001B590000-0x000000001B601000-memory.dmp
memory/740-117-0x000000001B8C0000-0x000000001B8C2000-memory.dmp