Analysis Overview
SHA256
3510aec49416b1e42f8958c4dbd7cf3b8aaa124b2a3d39cfe4829f943f67ac64
Threat Level: Known bad
The file 3048_1647779912_8762.exe was found to be: Known bad.
Malicious Activity Summary
PhoenixStealer
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-07-07 07:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-07 07:45
Reported
2022-07-07 07:48
Platform
win7-20220414-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
PhoenixStealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1100 set thread context of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\3048_1647779912_8762.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3048_1647779912_8762.exe
"C:\Users\Admin\AppData\Local\Temp\3048_1647779912_8762.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
memory/1100-54-0x0000000000C70000-0x0000000000D04000-memory.dmp
memory/1100-55-0x00000000765C1000-0x00000000765C3000-memory.dmp
memory/1100-56-0x0000000000B30000-0x0000000000BC2000-memory.dmp
memory/1952-57-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-58-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-60-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-62-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-64-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-65-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-67-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-68-0x0000000000453B8C-mapping.dmp
memory/1952-71-0x0000000000400000-0x000000000048D000-memory.dmp
memory/1952-73-0x0000000000400000-0x000000000048D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-07 07:45
Reported
2022-07-07 07:48
Platform
win10v2004-20220414-en
Max time kernel
95s
Max time network
160s
Command Line
Signatures
PhoenixStealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4948 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\3048_1647779912_8762.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3048_1647779912_8762.exe
"C:\Users\Admin\AppData\Local\Temp\3048_1647779912_8762.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 88.221.144.192:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
Files
memory/4948-130-0x0000000000320000-0x00000000003B4000-memory.dmp
memory/4948-131-0x00000000053A0000-0x0000000005944000-memory.dmp
memory/4948-132-0x0000000004D40000-0x0000000004DD2000-memory.dmp
memory/4948-133-0x0000000004F00000-0x0000000004F0A000-memory.dmp
memory/4948-134-0x0000000004FE0000-0x0000000005056000-memory.dmp
memory/4948-135-0x00000000050F0000-0x000000000510E000-memory.dmp
memory/2660-136-0x0000000000000000-mapping.dmp
memory/2660-137-0x0000000000400000-0x000000000048D000-memory.dmp
memory/2660-138-0x0000000000400000-0x000000000048D000-memory.dmp
memory/2660-139-0x0000000000400000-0x000000000048D000-memory.dmp
memory/2660-141-0x0000000000400000-0x000000000048D000-memory.dmp