Overview

overview

10

Static

static

29c5bee50a...89.exe

windows7_x64

10

29c5bee50a...89.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe

  • Size

    248KB

  • MD5

    a995787df1dd00b8c0554d0429a0055b

  • SHA1

    3e62863d7144cbdb00ebd0856c05e6c55383f5b9

  • SHA256

    29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889

  • SHA512

    0c5eb2f92a1f5e700a9c01c36196c557ce5ab324fb7c1b214a87d8318a077de9c55e32bdb0e976e254039b95adcb058dcf2e99e394d1804a0c87acdc96ce0632

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://193.32.161.73/

Wallets

1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh

qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0xa5228127395263575a4b4f532e4f132b14599d24

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Phorphiex payload 2 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
    "C:\Users\Admin\AppData\Local\Temp\29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\1955122345\syspxgi.exe
      C:\Windows\1955122345\syspxgi.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\1955122345\syspxgi.exe
    Filesize

    248KB

    MD5

    a995787df1dd00b8c0554d0429a0055b

    SHA1

    3e62863d7144cbdb00ebd0856c05e6c55383f5b9

    SHA256

    29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889

    SHA512

    0c5eb2f92a1f5e700a9c01c36196c557ce5ab324fb7c1b214a87d8318a077de9c55e32bdb0e976e254039b95adcb058dcf2e99e394d1804a0c87acdc96ce0632

    Download Submit
  • \Windows\1955122345\syspxgi.exe
    Filesize

    248KB

    MD5

    a995787df1dd00b8c0554d0429a0055b

    SHA1

    3e62863d7144cbdb00ebd0856c05e6c55383f5b9

    SHA256

    29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889

    SHA512

    0c5eb2f92a1f5e700a9c01c36196c557ce5ab324fb7c1b214a87d8318a077de9c55e32bdb0e976e254039b95adcb058dcf2e99e394d1804a0c87acdc96ce0632

    Download Submit
  • \Windows\1955122345\syspxgi.exe
    Filesize

    248KB

    MD5

    a995787df1dd00b8c0554d0429a0055b

    SHA1

    3e62863d7144cbdb00ebd0856c05e6c55383f5b9

    SHA256

    29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889

    SHA512

    0c5eb2f92a1f5e700a9c01c36196c557ce5ab324fb7c1b214a87d8318a077de9c55e32bdb0e976e254039b95adcb058dcf2e99e394d1804a0c87acdc96ce0632

    Download Submit
  • memory/1908-54-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download
  • memory/1908-55-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download
  • memory/1908-56-0x0000000075FC1000-0x0000000075FC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1908-57-0x0000000000270000-0x000000000027B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1908-63-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download
  • memory/1984-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-62-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download
  • memory/1984-64-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download
  • memory/1984-66-0x00000000002D0000-0x00000000002DB000-memory.dmp
    Filesize

    44KB

    Download