Overview

overview

8

Static

static

Phoenix/An...rp.dll

windows10-1703-x64

1

Phoenix/Co...le.dll

windows10-1703-x64

1

Phoenix/IC...ib.dll

windows10-1703-x64

1

Phoenix/Ne...on.dll

windows10-1703-x64

1

Phoenix/Phoenix.exe

windows10-1703-x64

8

Phoenix/Phoenix.exe

windows10-1703-x64

8

Phoenix/WebDriver.dll

windows10-1703-x64

1

Phoenix/We...er.dll

windows10-1703-x64

1

Phoenix/se...anager

windows10-1703-x64

1

Phoenix/se...anager

windows10-1703-x64

1

Phoenix/se...er.exe

windows10-1703-x64

1

Analysis

  • max time kernel
    51s
  • max time network
    63s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-01-2023 23:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Phoenix/Phoenix.exe

  • Size

    1.4MB

  • MD5

    9d68e4b0270a866465d645770cad3e2f

  • SHA1

    48a2c50e02303ff11b14433be9cc97c8be7e2969

  • SHA256

    0d22ff318268a1419cfe15e454a8dd546d3a2dccf8259227c8edb035f341cdbc

  • SHA512

    8e5e6fb9101f3c3611db78844c651bf6b0da21699708dc0fd1682024f0acf710e0f9c129083a53a1083dc5aaab7cae60cb41feff613e215edc0cc766bd6b0541

  • SSDEEP

    24576:bOQirqO1fn0QzIYCQbOgrJ3fz4/EQn652VOs9WflYxRK:qQiP1f0QCQagrxfz4/bju9o

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe
    "C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe"
    1⤵
    • Deletes itself
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe
      "C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe"
      2⤵
      • Executes dropped EXE
      PID:5036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe
    Filesize

    414KB

    MD5

    ec4d07a1cf9fe38c0a3d38f43acadbef

    SHA1

    0d0a5d4054389ceeffb3c58a9a29f59f77598d88

    SHA256

    6bd40edf9f7a61561f1c0a061fc6715d551586c8db6655d9a5a30ce828887918

    SHA512

    d828317992968170492cac0ff3b1b34822dd8b5c891e008006da8451da7ee2712b8146cc01c15901b018046d9439fa73a4f406adf114bed4dba273a483ba7693

    Download Submit

  • memory/5036-116-0x0000000000000000-mapping.dmp

    Download