Analysis Overview
SHA256
cc145daee28e88dfb6b51e77a5d9f29152d4da1f5789b2b3a4d8fcb736543e3b
Threat Level: Likely malicious
The file 325cfaf6a3942af25d654ca13cc9f795 was found to be: Likely malicious.
Malicious Activity Summary
Detects Phoenix Miner Payload
Deletes itself
VMProtect packed file
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 10:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 10:17
Reported
2024-01-10 08:13
Platform
win7-20231215-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Detects Phoenix Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | C:\Windows\system32\cmd.exe |
| PID 2124 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | C:\Windows\system32\cmd.exe |
| PID 2124 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | C:\Windows\system32\cmd.exe |
| PID 2616 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 2616 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 2616 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe
"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
Network
Files
memory/2124-0-0x0000000140000000-0x0000000142A34000-memory.dmp
memory/2124-1-0x0000000077990000-0x0000000077991000-memory.dmp
memory/2124-3-0x0000000077990000-0x0000000077991000-memory.dmp
memory/2124-5-0x0000000077990000-0x0000000077991000-memory.dmp
memory/2124-7-0x0000000077990000-0x0000000077991000-memory.dmp
memory/2124-9-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp
memory/2124-11-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp
memory/2124-13-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp
memory/2124-16-0x0000000140000000-0x0000000142A34000-memory.dmp
memory/2124-15-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp
memory/2124-21-0x0000000077990000-0x0000000077991000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\GpuDrive\WmiPrevSEs.exe
| MD5 | 30ab5838cc15d70fd39faad81f64f712 |
| SHA1 | 1cd9ccc075da933c34acccf7a24445a4ece7dd64 |
| SHA256 | 295b1ea128454f1c9224113d7e074795f545d85a6133bb77aa10fd12f538cb2f |
| SHA512 | a7f1b313db71d009afc4444ce458dc5537dc0f544c2138d9ca210a2ac63fa1dc47f6bbb0529c66c1622e1821dfbdec89349320a42100e7ddd484df1c19458378 |
C:\Users\Admin\AppData\Roaming\Microsoft\GpuDrive\WmiPrevSE.exe
| MD5 | acc4d5da6dc251691567d6833b1b56b9 |
| SHA1 | 885b1864ab51cdddec6257087396db2e5e5204a1 |
| SHA256 | 9458075d710c58ac2ff0a14811758c8d91279b3940a71846b0ddedaa580d0042 |
| SHA512 | 81bda2d2e94ea7afdd30329145ef4b67537a639a0d657b838606106a6938f29adf7e21dbc3de5058255d2da3b1efd8e0b3ab1818cc0056a4a905e87b37379638 |
C:\Users\Admin\AppData\Local\Temp\scratch.bat
| MD5 | 8c8782f67bc6d4823d996cef5d65e5a5 |
| SHA1 | b1c7659248601845685a89c09575f033c9526f63 |
| SHA256 | 85668bf14ce3846a8b8610306e595e7efd7066d67fdeb75987db44bca21b0817 |
| SHA512 | 011996b197b3e4cd30c705ca934237bc2851e41cb2a68e38ffa71b264084129e91267e19133336c05667e1eee86a868d45af5d480e14d1380517c8efdcd8b1fb |
memory/2124-55-0x0000000140000000-0x0000000142A34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 10:17
Reported
2024-01-10 08:13
Platform
win10v2004-20231222-en
Max time kernel
141s
Max time network
87s
Command Line
Signatures
Detects Phoenix Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3548 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | C:\Windows\system32\cmd.exe |
| PID 3548 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe | C:\Windows\system32\cmd.exe |
| PID 2464 wrote to memory of 5036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 2464 wrote to memory of 5036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe
"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"
C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.34.232.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 88.221.135.90:80 | N/A | tcp |
| N/A | 52.111.229.19:443 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| GB | 88.221.135.90:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| N/A | 13.89.178.26:443 | N/A | tcp |
| US | 192.229.221.95:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/3548-0-0x0000000140000000-0x0000000142A34000-memory.dmp
memory/3548-3-0x0000000140000000-0x0000000142A34000-memory.dmp
memory/3548-5-0x00007FF9CBF90000-0x00007FF9CBF91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut6D31.tmp
| MD5 | da8b9858de517c82565b4db05480e12e |
| SHA1 | 316c95ff894ec51c90f3a51f8b9cfd5d1dee0c00 |
| SHA256 | 11bc5103504955a39a4b054e3e61d812cca75b5cb05b5bb31a582e941c9a6d9d |
| SHA512 | 1302bc641bb8b8c9e2b54101f22f2035a66ee7278ac4da662117c6af42513e16f69a0c8c50151ade544ac324c6f8c9f1c923ba2cf69e1b3b4456eb336694f0c1 |
C:\Users\Admin\AppData\Roaming\Microsoft\GpuDrive\WmiPrevSE.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\scratch.bat
| MD5 | 8c8782f67bc6d4823d996cef5d65e5a5 |
| SHA1 | b1c7659248601845685a89c09575f033c9526f63 |
| SHA256 | 85668bf14ce3846a8b8610306e595e7efd7066d67fdeb75987db44bca21b0817 |
| SHA512 | 011996b197b3e4cd30c705ca934237bc2851e41cb2a68e38ffa71b264084129e91267e19133336c05667e1eee86a868d45af5d480e14d1380517c8efdcd8b1fb |
memory/3548-36-0x0000000140000000-0x0000000142A34000-memory.dmp