Overview

overview

10

Static

static

10

075F9A8B9A...C5.exe

windows7-x64

1

075F9A8B9A...C5.exe

windows10-2004-x64

1

145F7ABE9A...EA.exe

windows7-x64

10

145F7ABE9A...EA.exe

windows10-2004-x64

10

1A99AC759F...31.exe

windows7-x64

3

1A99AC759F...31.exe

windows10-2004-x64

3

1BE33E4291...2D.exe

windows7-x64

10

1BE33E4291...2D.exe

windows10-2004-x64

10

2188BAE387...0C.dll

windows7-x64

3

2188BAE387...0C.dll

windows10-2004-x64

3

22F524ABC9...92.exe

windows7-x64

10

22F524ABC9...92.exe

windows10-2004-x64

10

33381793BD...5E.exe

windows7-x64

1

33381793BD...5E.exe

windows10-2004-x64

1

61C0810A23...A1.exe

windows7-x64

1

61C0810A23...A1.exe

windows10-2004-x64

1

676A2A0D88...CB.exe

windows7-x64

7

676A2A0D88...CB.exe

windows10-2004-x64

7

73D29DEAC4...09.exe

windows7-x64

1

73D29DEAC4...09.exe

windows10-2004-x64

1

81EFD50EB3...29.exe

windows7-x64

7

81EFD50EB3...29.exe

windows10-2004-x64

7

8E83C0F656...07.exe

windows7-x64

10

8E83C0F656...07.exe

windows10-2004-x64

10

99CA9F3245...E2.exe

windows7-x64

5

99CA9F3245...E2.exe

windows10-2004-x64

5

B1E12D0216...06.exe

windows7-x64

10

B1E12D0216...06.exe

windows10-2004-x64

10

C6185A23C5...C8.exe

windows7-x64

10

C6185A23C5...C8.exe

windows10-2004-x64

10

CDCFEDDB0A...3E.exe

windows7-x64

10

CDCFEDDB0A...3E.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2024 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092.exe

  • Size

    75KB

  • MD5

    ed2d7b25bb360cccb4f0f6a4f8732d7a

  • SHA1

    6ffcc083956c5ac19826bdd87e12f87817ee837c

  • SHA256

    22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

  • SHA512

    6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

  • SSDEEP

    1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/twizt/

http://185.215.113.66/
Wallets

12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc

1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD

3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg

3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz

qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8

DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG

0xb899fC445a1b61Cdd62266795193203aa72351fE

LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7

r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1

TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5

t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy

AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX

bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY

bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky

bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092.exe
    "C:\Users\Admin\AppData\Local\Temp\22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\winrecsv.exe
      C:\Windows\winrecsv.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Users\Admin\AppData\Local\Temp\119257449.exe
        C:\Users\Admin\AppData\Local\Temp\119257449.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Windows\sylsplvc.exe
          C:\Windows\sylsplvc.exe
          4⤵
          • Executes dropped EXE
          PID:560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFLWQ602\1[1]
    Filesize

    14KB

    MD5

    a54f687e1ce7d3f6c7197d8c6085e67b

    SHA1

    976c0a9e5fe03786659522c2ac1e92733a5ee276

    SHA256

    8edf39ab6e985044018b6e1fdb2618a64fd3bcfba9b061eaa6d78a26d8111346

    SHA512

    5025a1d6f65cea7449234e3a3cff3b79b740d89daaf2e284b069f9c6894c900f1f9966c10a00aa4744111233553493c9918fe5bdf3e35fc98c25c478e0425b9e

    Download Submit

  • C:\Windows\winrecsv.exe
    Filesize

    75KB

    MD5

    ed2d7b25bb360cccb4f0f6a4f8732d7a

    SHA1

    6ffcc083956c5ac19826bdd87e12f87817ee837c

    SHA256

    22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

    SHA512

    6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\119257449.exe
    Filesize

    79KB

    MD5

    1e8a2ed2e3f35620fb6b8c2a782a57f3

    SHA1

    e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

    SHA256

    3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

    SHA512

    ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

    Download Submit