Overview

overview

10

Static

static

b65cdaaf68...9f.exe

windows7-x64

10

b65cdaaf68...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe

  • Size

    368KB

  • MD5

    4edd5e53432ee2fde30e94e4887dec54

  • SHA1

    6bb5c8be14d8da80f0f96c99fa2df3bb7124c965

  • SHA256

    b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f

  • SHA512

    28723099729b415b3af80922d7983fa07ba7bad88276d35ac9a481aed0e77f435bebb8460c6a8948068577ebda2d692e0622a2f9f181ded29475cb68e5d45eaa

Score
10/10
phorphiexevasionloaderpersistencesuricatatrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/

Wallets

13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa

qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99

XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE

DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc

0x373b9854c9e4511b920372f5495640cdc25d6832

LSermtCTLWeS683x17AtYuhNT8MpMmVmi8

t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Phorphiex payload 2 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • suricata: ET MALWARE APT-C-23 Activity (GET)

    suricata: ET MALWARE APT-C-23 Activity (GET)

    suricata
  • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
    "C:\Users\Admin\AppData\Local\Temp\b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\24664298\sysutlp.exe
      C:\Windows\24664298\sysutlp.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

3
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\24664298\sysutlp.exe
    Filesize

    368KB

    MD5

    4edd5e53432ee2fde30e94e4887dec54

    SHA1

    6bb5c8be14d8da80f0f96c99fa2df3bb7124c965

    SHA256

    b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f

    SHA512

    28723099729b415b3af80922d7983fa07ba7bad88276d35ac9a481aed0e77f435bebb8460c6a8948068577ebda2d692e0622a2f9f181ded29475cb68e5d45eaa

    Download Submit
  • C:\Windows\24664298\sysutlp.exe
    Filesize

    368KB

    MD5

    4edd5e53432ee2fde30e94e4887dec54

    SHA1

    6bb5c8be14d8da80f0f96c99fa2df3bb7124c965

    SHA256

    b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f

    SHA512

    28723099729b415b3af80922d7983fa07ba7bad88276d35ac9a481aed0e77f435bebb8460c6a8948068577ebda2d692e0622a2f9f181ded29475cb68e5d45eaa

    Download Submit
  • memory/3840-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3840-140-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/3840-141-0x00000000022B0000-0x00000000022BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3840-146-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/4876-130-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/4876-131-0x00000000032C0000-0x00000000032CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4876-136-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download