Analysis

  • max time kernel
    237s
  • max time network
    239s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2022 15:40

General

  • Target

    svcsc.exe

  • Size

    1.7MB

  • MD5

    5f9806abe45fb86779adc3813f97058a

  • SHA1

    706c9eef39ed093b20af1554c934858993b6b57a

  • SHA256

    f9d595fb503dd18335c9ee9bad24e3760c2456d7df20c49c0bbba719c84882e2

  • SHA512

    e28da798cb9406bfd636074896d5f61f6d6dc972c241d0afb701ac527563e348257d171c072af09a58ec3d390e1cc7dc2660ecf744fc0d28d76ac666c754cd21

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.84/twizt/

Wallets

12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc

1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD

3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg

3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz

qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8

DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG

0xb899fC445a1b61Cdd62266795193203aa72351fE

LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7

r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1

TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5

t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy

AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX

bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY

bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky

bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v
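
The extracted config above is a C2 URL plus a list of attacker-controlled wallet addresses across many chains, which is the shape a clipboard-swapping (clipper) module needs: it watches the clipboard for an address the user copied and replaces it with the attacker's address of the same chain. The report itself does not describe that behaviour, so this is background knowledge about the family, not a finding of this run. The script below is an added example and not part of the report: it embeds the indicators as a constructed literal, labels each address by a syntactic chain pattern (prefix, alphabet and length only, no checksum), shows which addresses fall outside those patterns, and turns the list into two checks a responder can run offline, a copied-versus-pasted comparison and a scan of arbitrary text (a proxy log line, a clipboard dump) for the C2 or any wallet. The victim address is constructed and the chain labels are this example's own names.

```python
import re

# Indicators copied from the "Malware Config" section above, embedded as a
# constructed literal so this runs offline: one "C2 <url>" line, then one
# wallet address per line, exactly as the report lists them.
REPORT_CONFIG = """\
C2 http://185.215.113.84/twizt/
12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc
1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD
3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg
3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz
qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8
DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG
0xb899fC445a1b61Cdd62266795193203aa72351fE
LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7
r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1
TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5
t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy
AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX
bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY
bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky
bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v
"""

B58 = r"[1-9A-HJ-NP-Za-km-z]"   # Base58 alphabet: no 0, O, I, l
B32 = r"[02-9ac-hj-np-z]"        # bech32 / cashaddr alphabet: no 1, b, i, o

# Syntactic format checks only (prefix, alphabet, length); no checksum is
# verified, so a well-formed but invalid address still gets a label.
CHAIN_PATTERNS = [
    ("btc-p2pkh",    re.compile("^1" + B58 + "{25,34}$")),
    ("btc-p2sh",     re.compile("^3" + B58 + "{25,34}$")),
    ("btc-bech32",   re.compile("^bc1" + B32 + "{25,62}$")),
    ("bch-cashaddr", re.compile("^(bitcoincash:)?q" + B32 + "{41}$")),
    ("eth",          re.compile("^0x[0-9a-fA-F]{40}$")),
    ("ltc",          re.compile("^L" + B58 + "{26,33}$")),
    ("doge",         re.compile("^D[5-9A-HJ-NP-U]" + B58 + "{32}$")),
    ("dash",         re.compile("^X" + B58 + "{33}$")),
    ("xrp",          re.compile("^r" + B58 + "{24,34}$")),
    ("trx",          re.compile("^T" + B58 + "{33}$")),
    ("zec-t",        re.compile("^t1" + B58 + "{33}$")),
    ("xmr",          re.compile("^4" + B58 + "{94,105}$")),
    ("bnb",          re.compile("^bnb1" + B32 + "{38}$")),
    ("xlm",          re.compile("^G[A-Z2-7]{55}$")),
]

# Constructed victim address: valid Base58 shape, not a real wallet.
VICTIM_BTC = "1VictimAddrXyz7Qm2Kp9Rt4Hn8Lw3Jd6Fs"


def classify(addr):
    """Return a chain label for a wallet address, or 'unclassified'."""
    for label, pattern in CHAIN_PATTERNS:
        if pattern.match(addr):
            return label
    return "unclassified"


def parse_config(text):
    """Split the report's config block into the C2 URL and a wallet set."""
    c2, wallets = None, set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("C2 "):
            c2 = line[3:].strip()
        else:
            wallets.add(line)
    return {"c2": c2, "wallets": wallets}


def unclassified(wallets):
    """Addresses that match none of the patterns; they are still matched literally."""
    return sorted(w for w in wallets if classify(w) == "unclassified")


def check_paste(copied, pasted, attacker_wallets):
    """Clipper check: what the user copied vs. what arrived at paste time."""
    copied_chain, pasted_chain = classify(copied), classify(pasted)
    return {
        "swapped": copied != pasted and pasted in attacker_wallets,
        "copied_chain": copied_chain,
        "pasted_chain": pasted_chain,
        "same_chain": copied_chain == pasted_chain,
    }


def scan_text(text, config):
    """Find the report's C2 URL (or just its host) and any attacker wallet in free text."""
    hits = []
    host = re.sub(r"^https?://", "", config["c2"]).split("/")[0]
    if config["c2"] in text:
        hits.append(("c2", config["c2"]))
    elif host in text:
        hits.append(("c2-host", host))
    for wallet in sorted(config["wallets"]):
        if wallet in text:
            hits.append(("wallet", wallet))
    return hits


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    for wallet in sorted(cfg["wallets"]):
        print(f"{classify(wallet):13} {wallet}")
    print(check_paste(VICTIM_BTC, "1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD", cfg["wallets"]))
    print(scan_text("GET http://185.215.113.84/twizt/ HTTP/1.1", cfg))  # constructed log line
```

Two of the listed addresses fit none of the patterns above; they are still matched as literals, which is the point of keeping the raw list alongside the chain heuristic. Because the bitcoincash: form and the bare cashaddr form are both in the list, text containing the prefixed form produces two wallet hits.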

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass (2 TTPs, 6 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Windows security modification (2 TTPs, 7 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoC)
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (37 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\svcsc.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\7A6E.exe
      "C:\Users\Admin\AppData\Local\Temp\7A6E.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\wklopsvcs.exe
        C:\Windows\wklopsvcs.exe
        3⤵
        • Windows security bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Users\Admin\AppData\Local\Temp\416722873.exe
          C:\Users\Admin\AppData\Local\Temp\416722873.exe
          4⤵
          • Executes dropped EXE
          PID:1344
        • C:\Users\Admin\AppData\Local\Temp\1234824544.exe
          C:\Users\Admin\AppData\Local\Temp\1234824544.exe
          4⤵
          • Executes dropped EXE
          PID:1532
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1408
      • C:\Users\Admin\AppData\Roaming\RAC\mls.exe
        "C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 124
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:1724
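
The process tree above carries most of the behavioural signal in this run: the %TEMP% dropper spawns a second stage that copies itself to C:\Windows\wklopsvcs.exe, that copy launches two all-digit executables from %TEMP%, the dropper also starts Excel with /dde, and the dropped mls.exe crashes under WerFault. The script below is an added example and not part of the report or the sandbox's own rule set: it encodes the tree as constructed process-creation events (pid, parent pid, image, command line; the parent of svcsc.exe is not shown on the page, so it is None) and runs four small rules over them, resolving the WerFault -p argument back to the crashed process and printing each finding's ancestry. The allowlist of binaries that legitimately live directly in C:\Windows is partial and is this example's assumption.

```python
import re

# Process-creation events reconstructed from the process tree above as
# (pid, parent pid, image, command line). Constructed for an offline run;
# the report does not show the parent of svcsc.exe, so its ppid is None.
EVENTS = [
    (1284, None, r"C:\Users\Admin\AppData\Local\Temp\svcsc.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\svcsc.exe"'),
    (1716, 1284, r"C:\Users\Admin\AppData\Local\Temp\7A6E.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7A6E.exe"'),
    (1640, 1716, r"C:\Windows\wklopsvcs.exe", r"C:\Windows\wklopsvcs.exe"),
    (1344, 1640, r"C:\Users\Admin\AppData\Local\Temp\416722873.exe",
     r"C:\Users\Admin\AppData\Local\Temp\416722873.exe"),
    (1532, 1640, r"C:\Users\Admin\AppData\Local\Temp\1234824544.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1234824544.exe"),
    (268, 1284, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    (1408, 268, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (1536, 1284, r"C:\Users\Admin\AppData\Roaming\RAC\mls.exe",
     r'"C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s'),
    (1724, 1536, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 124"),
]

# Binaries that legitimately sit directly in C:\Windows on Windows 7.
# Partial allowlist, an assumption of this example; extend it for your fleet.
KNOWN_WINDOWS_ROOT_EXES = {
    "explorer.exe", "notepad.exe", "regedit.exe", "splwow64.exe",
    "hh.exe", "write.exe", "winhlp32.exe", "bfsvc.exe",
}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.I)
WERFAULT_PID = re.compile(r"-p (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyse(events):
    """Apply the behavioural rules; returns a list of (rule, pid, image)."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = basename(image).lower()
        parent = by_pid.get(ppid)
        # Rule 1: an .exe directly under C:\Windows that is not a known Windows
        # binary (wklopsvcs.exe here; splwow64.exe is allowlisted).
        if WINDOWS_ROOT_EXE.match(image) and name not in KNOWN_WINDOWS_ROOT_EXES:
            findings.append(("exe-in-windows-root", pid, image))
        # Rule 2: all-digit executable names in %TEMP%, the naming the
        # second-stage downloads used in this run.
        if TEMP_DIR.search(image) and NUMERIC_EXE.match(name):
            findings.append(("numeric-temp-exe", pid, image))
        # Rule 3: an Office application started with /dde by an executable
        # that itself runs from %TEMP%.
        if (name in OFFICE_APPS and "/dde" in cmdline.lower()
                and parent is not None and TEMP_DIR.search(parent[2])):
            findings.append(("temp-exe-launches-office-dde", pid, image))
        # Rule 4: WerFault names the crashed process with -p <pid>; resolve it
        # so the crash is attributed to the dropped binary, not to WerFault.
        if name == "werfault.exe":
            m = WERFAULT_PID.search(cmdline)
            if m:
                crashed = int(m.group(1))
                target = by_pid[crashed][2] if crashed in by_pid else str(crashed)
                findings.append(("crash", pid, target))
    return findings


def ancestry(events, pid):
    """Walk parent links back to the root, e.g. for a triage note."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    for rule, pid, image in analyse(EVENTS):
        print(f"{rule:30} pid={pid:<5} {image}")
        print(f"{'':30} via {ancestry(EVENTS, pid)}")
```

On real telemetry (Sysmon event 1, EDR process-create records) the same four rules apply unchanged once the events are mapped to the (pid, ppid, image, cmdline) tuple; the allowlist in rule 1 is the only part that needs local tuning.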

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1234824544.exe

      Filesize

      6KB

      MD5

      a475e43527d7dc7d6f2d23bad64fcc99

      SHA1

      793a7625c0106d6cd79d060b4eec94e58530833e

      SHA256

      f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb

      SHA512

      4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

    • C:\Users\Admin\AppData\Local\Temp\416722873.exe

      Filesize

      9KB

      MD5

      c8a69840ffff790ea975bb0cf55f7f4d

      SHA1

      dd1c74f0eb2fc813d16c96669e22fb657b67c4b3

      SHA256

      e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc

      SHA512

      df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

    • C:\Users\Admin\AppData\Local\Temp\7A6E.exe

      Filesize

      75KB

      MD5

      209baf40779b80d5e443c3dbbd656bfb

      SHA1

      b64fa8dded031d5dacac519a2035cefcd05e6503

      SHA256

      c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d

      SHA512

      9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

    • C:\Users\Admin\AppData\Local\Temp\svcsc.xls

      Filesize

      172KB

      MD5

      c0a83d190005139498523c1e5cf2ab97

      SHA1

      f503561162f978cd2f6c93545e3c2183cffed4e3

      SHA256

      f5e4987ef8efe10a55440451365a57b41b8c736f4403ee1ce792680f5b94bf21

      SHA512

      bd0930b0b76ea10ff8082d3a5e81ab851e683253caaee5ae9f7b76de0964f15e5e67d0262627dcaf7833a64b87e22e9c0bb8b102cc84ce7c5b33894663b0d3e5

    • C:\Users\Admin\AppData\Roaming\RAC\mls.exe

      Filesize

      1.6MB

      MD5

      6740d8a7b536b412240ea4a8b4c790eb

      SHA1

      6b9a10f5c24551e93e658c1d917828491f2069e2

      SHA256

      d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3

      SHA512

      e254b2911fb028b85a300261776721a95045534bfa035e8e96db4c1182a5bd78af4552bce18e73b0de2cecacbe6cea726b817323994f2a24620d4c87a77c82b0

    • C:\Windows\wklopsvcs.exe

      Filesize

      75KB

      MD5

      209baf40779b80d5e443c3dbbd656bfb

      SHA1

      b64fa8dded031d5dacac519a2035cefcd05e6503

      SHA256

      c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d

      SHA512

      9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

    • \Users\Admin\AppData\Local\Temp\1234824544.exe

      Filesize

      6KB

      MD5

      a475e43527d7dc7d6f2d23bad64fcc99

      SHA1

      793a7625c0106d6cd79d060b4eec94e58530833e

      SHA256

      f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb

      SHA512

      4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

    • \Users\Admin\AppData\Local\Temp\416722873.exe

      Filesize

      9KB

      MD5

      c8a69840ffff790ea975bb0cf55f7f4d

      SHA1

      dd1c74f0eb2fc813d16c96669e22fb657b67c4b3

      SHA256

      e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc

      SHA512

      df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

    • \Users\Admin\AppData\Local\Temp\7A6E.exe

      Filesize

      75KB

      MD5

      209baf40779b80d5e443c3dbbd656bfb

      SHA1

      b64fa8dded031d5dacac519a2035cefcd05e6503

      SHA256

      c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d

      SHA512

      9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

    • \Users\Admin\AppData\Roaming\RAC\mls.exe

      Filesize

      1.6MB

      MD5

      6740d8a7b536b412240ea4a8b4c790eb

      SHA1

      6b9a10f5c24551e93e658c1d917828491f2069e2

      SHA256

      d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3

      SHA512

      e254b2911fb028b85a300261776721a95045534bfa035e8e96db4c1182a5bd78af4552bce18e73b0de2cecacbe6cea726b817323994f2a24620d4c87a77c82b0

    • memory/268-62-0x000000006FD51000-0x000000006FD53000-memory.dmp

      Filesize

      8KB

    • memory/268-82-0x0000000070D3D000-0x0000000070D48000-memory.dmp

      Filesize

      44KB

    • memory/268-60-0x0000000000000000-mapping.dmp

    • memory/268-61-0x000000002F401000-0x000000002F404000-memory.dmp

      Filesize

      12KB

    • memory/268-68-0x0000000070D3D000-0x0000000070D48000-memory.dmp

      Filesize

      44KB

    • memory/268-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1284-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

      Filesize

      8KB

    • memory/1344-84-0x0000000000000000-mapping.dmp

    • memory/1408-71-0x0000000000000000-mapping.dmp

    • memory/1408-72-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

      Filesize

      8KB

    • memory/1532-87-0x0000000000000000-mapping.dmp

    • memory/1536-74-0x0000000000000000-mapping.dmp

    • memory/1640-64-0x0000000000000000-mapping.dmp

    • memory/1716-57-0x0000000000000000-mapping.dmp

    • memory/1724-77-0x0000000000000000-mapping.dmp
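
The Downloads list above records one entry per write path, so the same payload appears several times: C:\Users\Admin\AppData\Local\Temp\7A6E.exe and C:\Windows\wklopsvcs.exe carry identical MD5/SHA1/SHA256 values, which means the C:\Windows copy is the second stage copied byte-for-byte, not a different binary. The script below is an added example and not part of the report: it embeds the listed paths with their sizes and SHA256 values as a constructed literal, collapses them to one record per distinct payload, and provides a streaming SHA256 walk that flags any file under a given directory whose digest matches one of the dropped files, which is the check to run on a host suspected of the same infection. Only SHA256 is carried over; the report's other digests are not needed for matching.

```python
import hashlib
import io
import os
import sys
from collections import defaultdict

# (path, size, sha256) for the dropped files listed above. Constructed literal;
# paths are kept exactly as the report prints them, including the drive-less
# "\Users\..." form the sandbox uses for some write events.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\1234824544.exe", "6KB",
     "f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb"),
    (r"C:\Users\Admin\AppData\Local\Temp\416722873.exe", "9KB",
     "e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc"),
    (r"C:\Users\Admin\AppData\Local\Temp\7A6E.exe", "75KB",
     "c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d"),
    (r"C:\Users\Admin\AppData\Local\Temp\svcsc.xls", "172KB",
     "f5e4987ef8efe10a55440451365a57b41b8c736f4403ee1ce792680f5b94bf21"),
    (r"C:\Users\Admin\AppData\Roaming\RAC\mls.exe", "1.6MB",
     "d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3"),
    (r"C:\Windows\wklopsvcs.exe", "75KB",
     "c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d"),
    (r"\Users\Admin\AppData\Local\Temp\7A6E.exe", "75KB",
     "c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d"),
]


def group_by_hash(records):
    """Collapse the per-path list into one entry per distinct payload."""
    groups = defaultdict(lambda: {"size": None, "paths": set()})
    for path, size, sha256 in records:
        group = groups[sha256]
        group["size"] = size
        group["paths"].add(path)
    return dict(groups)


def hash_stream(fileobj, chunk_size=1 << 20):
    """SHA256 of a binary stream, read in chunks so large files stay cheap."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data):
    return hash_stream(io.BytesIO(data))


def sha256_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def find_known_payloads(root, groups):
    """Hash every file under root; report those matching a dropped-file digest."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file; skip, do not abort
                continue
            if digest in groups:
                hits.append((path, digest, sorted(groups[digest]["paths"])))
    return hits


if __name__ == "__main__":
    groups = group_by_hash(DROPPED)
    for digest, group in groups.items():
        print(digest, group["size"])
        for path in sorted(group["paths"]):
            print("   ", path)
    if len(sys.argv) > 1:  # optional: a directory to sweep for these payloads
        for hit in find_known_payloads(sys.argv[1], groups):
            print("MATCH", hit)
```

Matching on SHA256 catches only byte-identical copies; a rebuilt or repacked second stage would need the behavioural rules or the C2 and wallet indicators instead.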