Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-09-2022 09:38

General

  • Target

    tmp.exe

  • Size

    75KB

  • MD5

    ed2d7b25bb360cccb4f0f6a4f8732d7a

  • SHA1

    6ffcc083956c5ac19826bdd87e12f87817ee837c

  • SHA256

    22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

  • SHA512

    6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

  • SSDEEP

    1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr

Malware Config

Extracted

  • Family

    phorphiex

  • C2

    http://185.215.113.66/twizt/

  • Wallets

    12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc
    1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD
    3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg
    3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz
    qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
    XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8
    DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG
    0xb899fC445a1b61Cdd62266795193203aa72351fE
    LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7
    r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1
    TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5
    t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy
    AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX
    bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
    4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
    GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY
    bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky
    bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\winrecsv.exe
      C:\Windows\winrecsv.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\AppData\Local\Temp\85692162.exe
        C:\Users\Admin\AppData\Local\Temp\85692162.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:260
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1388
          • C:\Windows\system32\reg.exe
            reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
            5⤵
            PID:3652
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "User Configuration"
            5⤵
            PID:3572
      • C:\Users\Admin\AppData\Local\Temp\625122879.exe
        C:\Users\Admin\AppData\Local\Temp\625122879.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4128
        • C:\Users\Admin\AppData\Local\Temp\1125717888.exe
          C:\Users\Admin\AppData\Local\Temp\1125717888.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3300
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
              6⤵
              PID:4356
  • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
    C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
    1⤵
    • Executes dropped EXE
    PID:2344

Network

MITRE ATT&CK Enterprise v6

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          00e7da020005370a518c26d5deb40691

          SHA1

          389b34fdb01997f1de74a5a2be0ff656280c0432

          SHA256

          a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

          SHA512

          9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          d0f3eff52698c0eab8a2c8bd1d9f7c18

          SHA1

          4292ae775443749c6c2281dac800d86b4bdde07e

          SHA256

          b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6

          SHA512

          642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd

        • C:\Users\Admin\AppData\Local\Temp\1125717888.exe

          Filesize

          2.2MB

          MD5

          f6fd2a4333007f65beef7609077ec14d

          SHA1

          3740133e77fae5ee1c0ed1cb0493af5557e3562a

          SHA256

          b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499

          SHA512

          43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7

        • C:\Users\Admin\AppData\Local\Temp\625122879.exe

          Filesize

          6KB

          MD5

          f99a026691957a1490c606890021a4db

          SHA1

          4eca65b16ce9b8284f3fc54344f8ae15b406b4e1

          SHA256

          db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd

          SHA512

          e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f

        • C:\Users\Admin\AppData\Local\Temp\85692162.exe

          Filesize

          8KB

          MD5

          66bbb99fb92a3688d31a899992f73cdf

          SHA1

          836fad08d9de8ea28c35d1885496af8e1284a6e7

          SHA256

          1d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6

          SHA512

          6a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36

        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

          Filesize

          2.2MB

          MD5

          d081ded7aeebd495ea24b5531168f315

          SHA1

          21db4bae653ece87474e7121a8b60d9fd08208c9

          SHA256

          6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a

          SHA512

          45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0

        • C:\Windows\winrecsv.exe

          Filesize

          75KB

          MD5

          ed2d7b25bb360cccb4f0f6a4f8732d7a

          SHA1

          6ffcc083956c5ac19826bdd87e12f87817ee837c

          SHA256

          22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

          SHA512

          6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

        • memory/260-138-0x00000000007D0000-0x00000000007D6000-memory.dmp

          Filesize

          24KB

        • memory/260-143-0x00007FFECE810000-0x00007FFECF2D1000-memory.dmp

          Filesize

          10.8MB

        • memory/260-144-0x00007FFECE810000-0x00007FFECF2D1000-memory.dmp

          Filesize

          10.8MB

        • memory/260-135-0x0000000000000000-mapping.dmp

        • memory/896-132-0x0000000000000000-mapping.dmp

        • memory/1388-139-0x0000000000000000-mapping.dmp

        • memory/1476-155-0x0000000000000000-mapping.dmp

        • memory/1476-161-0x00007FFECE930000-0x00007FFECF3F1000-memory.dmp

          Filesize

          10.8MB

        • memory/1476-159-0x00007FFECE930000-0x00007FFECF3F1000-memory.dmp

          Filesize

          10.8MB

        • memory/2544-140-0x0000000000000000-mapping.dmp

        • memory/2724-148-0x0000000000000000-mapping.dmp

        • memory/3300-152-0x00007FFECE930000-0x00007FFECF3F1000-memory.dmp

          Filesize

          10.8MB

        • memory/3300-153-0x00007FFECE930000-0x00007FFECF3F1000-memory.dmp

          Filesize

          10.8MB

        • memory/3300-151-0x000001C715610000-0x000001C715632000-memory.dmp

          Filesize

          136KB

        • memory/3300-150-0x0000000000000000-mapping.dmp

        • memory/3572-142-0x0000000000000000-mapping.dmp

        • memory/3652-141-0x0000000000000000-mapping.dmp

        • memory/4128-145-0x0000000000000000-mapping.dmp

        • memory/4356-158-0x0000000000000000-mapping.dmp