Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2023, 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    75KB

  • MD5

    770e86e91865ec221f0c83f3bb5b7ab5

  • SHA1

    e5b9d575c135af12ae1a9228642548402ab755fc

  • SHA256

    a1b4dc3dde2dcd561f0e2644074039b1c47b0688dd4f17ac7779dd2ffcf3fe2f

  • SHA512

    ad65fb7ba4e13c2a9f492fd81cf2d04a11c6ca5204ac0ba64d581bbd358e8d254d163d6896f93807695a1c8dee88cb05bc7f7bbaac78a8ec814acb6467edc341

  • SSDEEP

    1536:gh3Mz8y5D0FLcNU33CxcuxrMhenfFB3CeeeeeeeeeeeeeeeeeeeWeeeee:ZwLFLQs3vuxrPnfFB3

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\sysagrsv.exe
      C:\Windows\sysagrsv.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\1552330102.exe
        C:\Users\Admin\AppData\Local\Temp\1552330102.exe
        3⤵
        • Executes dropped EXE
        PID:1052
      • C:\Users\Admin\AppData\Local\Temp\994710111.exe
        C:\Users\Admin\AppData\Local\Temp\994710111.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1552330102.exe
    Filesize

    6KB

    MD5

    03ee7b245daeebbf2ccaa1690a9fc8fc

    SHA1

    561710d7f8c05ff5c2a3a384be5de6e023e41ac4

    SHA256

    6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

    SHA512

    f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\994710111.exe
    Filesize

    6KB

    MD5

    d7a216ccedc6dc68cce28a79f5b1e198

    SHA1

    3b8df290b7e0aae76381b0859b6c2b580e421023

    SHA256

    09d414462972f9d9ed70c7c899a30b7f493eb49494bfced414bb1da418492bf7

    SHA512

    ed4d0c6705970c3cbef470f336f3ebf77ef963835c0dc305bbb7c86d86d13fedec5ee090b1cade64d43fa2e540280f1530b830e9171476708395ec095c9b15db

    Download Submit

  • C:\Windows\sysagrsv.exe
    Filesize

    75KB

    MD5

    770e86e91865ec221f0c83f3bb5b7ab5

    SHA1

    e5b9d575c135af12ae1a9228642548402ab755fc

    SHA256

    a1b4dc3dde2dcd561f0e2644074039b1c47b0688dd4f17ac7779dd2ffcf3fe2f

    SHA512

    ad65fb7ba4e13c2a9f492fd81cf2d04a11c6ca5204ac0ba64d581bbd358e8d254d163d6896f93807695a1c8dee88cb05bc7f7bbaac78a8ec814acb6467edc341

    Download Submit

  • C:\Windows\sysagrsv.exe
    Filesize

    75KB

    MD5

    770e86e91865ec221f0c83f3bb5b7ab5

    SHA1

    e5b9d575c135af12ae1a9228642548402ab755fc

    SHA256

    a1b4dc3dde2dcd561f0e2644074039b1c47b0688dd4f17ac7779dd2ffcf3fe2f

    SHA512

    ad65fb7ba4e13c2a9f492fd81cf2d04a11c6ca5204ac0ba64d581bbd358e8d254d163d6896f93807695a1c8dee88cb05bc7f7bbaac78a8ec814acb6467edc341

    Download Submit

  • \Users\Admin\AppData\Local\Temp\1552330102.exe
    Filesize

    6KB

    MD5

    03ee7b245daeebbf2ccaa1690a9fc8fc

    SHA1

    561710d7f8c05ff5c2a3a384be5de6e023e41ac4

    SHA256

    6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

    SHA512

    f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

    Download Submit

  • \Users\Admin\AppData\Local\Temp\994710111.exe
    Filesize

    6KB

    MD5

    d7a216ccedc6dc68cce28a79f5b1e198

    SHA1

    3b8df290b7e0aae76381b0859b6c2b580e421023

    SHA256

    09d414462972f9d9ed70c7c899a30b7f493eb49494bfced414bb1da418492bf7

    SHA512

    ed4d0c6705970c3cbef470f336f3ebf77ef963835c0dc305bbb7c86d86d13fedec5ee090b1cade64d43fa2e540280f1530b830e9171476708395ec095c9b15db

    Download Submit

  • memory/1632-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download