Overview

overview

10

Static

static

10

xzxz/DriveMgr.exe

windows10-1703-x64

10

xzxz/New folder.exe

windows10-1703-x64

7

xzxz/VolDriver.exe

windows10-1703-x64

10

xzxz/a.lnk

windows10-1703-x64

3

xzxz/a2.lnk

windows10-1703-x64

3

xzxz/winoeev.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/04/2023, 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xzxz/DriveMgr.exe

  • Size

    181KB

  • MD5

    21b478895429ea7a534794822dce5950

  • SHA1

    9b6699769eab7a1e67b72a01585cad64445b69a6

  • SHA256

    957511b6e51c6d8da71014bb9ac88ef7e24fb63e1345aa113c573a4a69f70018

  • SHA512

    c6c360ee4c2cfa3dcb54935c252b369ee44f20c1da941fd98462b869814803457b721901954305064b750b82bb8ece9217a98e8163dcbdcbf6b2517fa9c9b879

  • SSDEEP

    3072:REbJSwzmlbt/d6WruEPJZDTS7MJCAc2BEUzWndAatTIgFpg2lQBV+UdE+rECWp7f:WbJSwIcWruEhZDTS7MJCAc2BEUzWnd7j

Score
10/10
phorphiexevasionloaderpersistencetrojanupxworm

Malware Config

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Phorphiex payload 4 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xzxz\DriveMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\xzxz\DriveMgr.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\107661983819572\lsass.exe
      C:\107661983819572\lsass.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\107661983819572\lsass.exe
    Filesize

    105KB

    MD5

    a5b52c5e0c977b7e03caa61a19bdf22c

    SHA1

    c51156c6540cdc73daf59cf618b3cfc92c3c4c63

    SHA256

    057f8f82fb2bae7638438cdd9ae6099f06039d0af97564b7bad9486066b78505

    SHA512

    2bb1ced0a9f59fac90404435c2b7994bce4903bec2092b0078f8f89392ac824bf8f04ca5d456617bc874df3772243301965a7e53b7b7059505815c31e82fd69d

    Download Submit

  • C:\107661983819572\lsass.exe
    Filesize

    105KB

    MD5

    a5b52c5e0c977b7e03caa61a19bdf22c

    SHA1

    c51156c6540cdc73daf59cf618b3cfc92c3c4c63

    SHA256

    057f8f82fb2bae7638438cdd9ae6099f06039d0af97564b7bad9486066b78505

    SHA512

    2bb1ced0a9f59fac90404435c2b7994bce4903bec2092b0078f8f89392ac824bf8f04ca5d456617bc874df3772243301965a7e53b7b7059505815c31e82fd69d

    Download Submit

  • C:\Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A1D26E2\B59945C1134.tmp
    Filesize

    105KB

    MD5

    a5b52c5e0c977b7e03caa61a19bdf22c

    SHA1

    c51156c6540cdc73daf59cf618b3cfc92c3c4c63

    SHA256

    057f8f82fb2bae7638438cdd9ae6099f06039d0af97564b7bad9486066b78505

    SHA512

    2bb1ced0a9f59fac90404435c2b7994bce4903bec2092b0078f8f89392ac824bf8f04ca5d456617bc874df3772243301965a7e53b7b7059505815c31e82fd69d

    Download Submit

  • \Program Files\Common Files\System\symsrv.dll
    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

    Download Submit

  • memory/4404-125-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4404-138-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4404-139-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4404-145-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download