Overview

overview

10

Static

static

9

3cc33ce585...89.exe

windows7-x64

10

3cc33ce585...89.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9ed9ad87a1564fbb5e1b652b3e7148c8.zip

  • Size

    8.2MB

  • Sample

    220912-yvhddshhan

  • MD5

    811261c11c9e661ca2f50e60b27e3ee9

  • SHA1

    b90a37af5049d49b10035c735144faba1fe83351

  • SHA256

    5b438029e5a3e3843b22f8f49fa1ccac728eeced3f923426be8b22c35b27b6f6

  • SHA512

    97f088a084116ce0483f285500e80d7e10229bd7f4a77a0f376362a94d7a415001f14c05bc4cfc99af3380217bc68a9c894e773ea37977231403b3850264227e

  • SSDEEP

    196608:14VOXy9uIVXwYaqgN2CCHOxEXqRE4BAPVRQnU+C2mFy:1iluwXwYKNnUOuXqG2APVun53

Score
10/10
minerpersistence

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githubusercontent.com/jkh36/d/main/bild.exe
exe.dropper

https://raw.githubusercontent.com/jkh36/d/main/PhoenixMiner.exe

Targets

    • Target

      3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89.exe

    • Size

      8.3MB

    • MD5

      9ed9ad87a1564fbb5e1b652b3e7148c8

    • SHA1

      0c001b7e9615cbc22eac2a324d8deb7eaf069ff7

    • SHA256

      3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89

    • SHA512

      e49e403a73ff1d10111d23cc70ae95ffae63abbc4a52cfc52c447ee9f15e76ab44f07d0f41e3b3e63a73a07e7748b8ac7ed8c997f1051a10ca5fad1dace4183a

    • SSDEEP

      196608:8eOr3LD6MZ+NL0j/YjNV4p9eLDZPhujwk8kAb+RWvqWd6qmgNSN:8TbnQYiN2eRPhSwhk8s46C4N

    Score
    10/10
    minerpersistence

    • Detectes Phoenix Miner Payload

      miner

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks