Analysis Overview
SHA256
7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277
Threat Level: Known bad
The file q.exe was found to be: Known bad.
Malicious Activity Summary
PhoenixStealer
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-07-07 07:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-07 07:35
Reported
2022-07-07 07:37
Platform
win7-20220414-en
Max time kernel
39s
Max time network
42s
Command Line
Signatures
PhoenixStealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1416 set thread context of 213252 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\q.exe
"C:\Users\Admin\AppData\Local\Temp\q.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
Files
memory/213252-54-0x0000000000400000-0x000000000048E000-memory.dmp
memory/213252-56-0x0000000000400000-0x000000000048E000-memory.dmp
memory/213252-63-0x0000000000454CB9-mapping.dmp
memory/213252-64-0x00000000764C1000-0x00000000764C3000-memory.dmp
memory/1416-65-0x0000000000400000-0x00000000005C5000-memory.dmp
memory/213252-66-0x0000000000400000-0x000000000048E000-memory.dmp
memory/213252-67-0x0000000000400000-0x000000000048E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-07 07:35
Reported
2022-07-07 07:37
Platform
win10v2004-20220414-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
PhoenixStealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 215196 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 215196 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2384 wrote to memory of 215196 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2384 wrote to memory of 215196 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2384 wrote to memory of 215196 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2384 wrote to memory of 215196 | N/A | C:\Users\Admin\AppData\Local\Temp\q.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\q.exe
"C:\Users\Admin\AppData\Local\Temp\q.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.73:443 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| NL | 8.248.1.254:80 | tcp | |
| US | 52.168.112.67:443 | tcp | |
| IE | 20.54.110.249:443 | tcp | |
| NL | 20.190.160.73:443 | tcp | |
| NL | 104.97.14.80:80 | tcp | |
| NL | 104.97.14.80:80 | tcp | |
| NL | 20.190.160.2:443 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| NL | 20.190.160.136:443 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| NL | 20.190.160.2:443 | tcp | |
| NL | 20.190.160.2:443 | tcp | |
| NL | 20.190.160.136:443 | tcp | |
| NL | 20.190.160.136:443 | tcp |
Files
memory/215196-130-0x0000000000000000-mapping.dmp
memory/215196-131-0x0000000000400000-0x000000000048E000-memory.dmp
memory/215196-138-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2384-139-0x0000000000400000-0x00000000005C5000-memory.dmp