Analysis Overview
SHA256
00926795599d6af73ade5d42b97d88a487024f3169dd625bf20d213a6a3ecba3
Threat Level: Known bad
The file 1.bin was found to be: Known bad.
Malicious Activity Summary
PhoenixStealer
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-07-17 15:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-17 15:50
Reported
2022-07-17 15:52
Platform
win7-20220715-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
PhoenixStealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 856 set thread context of 201156 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
Files
memory/201156-54-0x0000000000090000-0x000000000011E000-memory.dmp
memory/201156-56-0x0000000000090000-0x000000000011E000-memory.dmp
memory/201156-63-0x00000000000E4CB9-mapping.dmp
memory/201156-64-0x0000000075321000-0x0000000075323000-memory.dmp
memory/201156-65-0x0000000000090000-0x000000000011E000-memory.dmp
memory/201156-66-0x0000000000090000-0x000000000011E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-17 15:50
Reported
2022-07-17 15:53
Platform
win10v2004-20220414-en
Max time kernel
173s
Max time network
184s
Command Line
Signatures
PhoenixStealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2324 set thread context of 202864 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 202864 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2324 wrote to memory of 202864 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2324 wrote to memory of 202864 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2324 wrote to memory of 202864 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2324 wrote to memory of 202864 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.24.126:80 | tcp | |
| NL | 8.238.24.126:80 | tcp | |
| NL | 8.238.24.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| IE | 52.109.76.31:443 | tcp | |
| US | 8.247.211.254:80 | tcp | |
| US | 8.253.208.121:80 | tcp |
Files
memory/202864-130-0x0000000000000000-mapping.dmp
memory/202864-131-0x0000000000400000-0x000000000048E000-memory.dmp
memory/202864-138-0x0000000000400000-0x000000000048E000-memory.dmp