Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-01-2024 14:20

General

  • Target

    CDCFEDDB0ACA42E65E6A4822C1F23DF7C4AE92775EBCC0B45D4160B732B0983E.exe

  • Size

    79KB

  • MD5

    c41fe8e266c0ee1ff4d563b158f285d4

  • SHA1

    627107a8b664043e563c10ee1566a49ad3823483

  • SHA256

    cdcfeddb0aca42e65e6a4822c1f23df7c4ae92775ebcc0b45d4160b732b0983e

  • SHA512

    ed11b61188ebc99655d5c0cbdc84a58ea3ea1f6f6c2f440de245e8a453ccf45b07d1ffc3d4e2f55eb0f2bc0657069019d93beca86b31debaf8dabfcd15946448

  • SSDEEP

    1536:H3Mz8Egxge1V1ljohznpCzSzGcmRfFFAEfeeeeeeeeWeeeee:8wE/ebzjoppjzGcmRfFiE

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 12 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CDCFEDDB0ACA42E65E6A4822C1F23DF7C4AE92775EBCC0B45D4160B732B0983E.exe
    "C:\Users\Admin\AppData\Local\Temp\CDCFEDDB0ACA42E65E6A4822C1F23DF7C4AE92775EBCC0B45D4160B732B0983E.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\sysdfgrsv.exe
      C:\Windows\sysdfgrsv.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Local\Temp\914722307.exe
        C:\Users\Admin\AppData\Local\Temp\914722307.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Windows\sylsplvc.exe
          C:\Windows\sylsplvc.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: SetClipboardViewer
          • Suspicious use of WriteProcessMemory
          PID:5068
          • C:\Users\Admin\AppData\Local\Temp\89888560.exe
            C:\Users\Admin\AppData\Local\Temp\89888560.exe
            5⤵
            • Executes dropped EXE
            PID:2780
          • C:\Users\Admin\AppData\Local\Temp\282725857.exe
            C:\Users\Admin\AppData\Local\Temp\282725857.exe
            5⤵
            • Executes dropped EXE
            PID:3756
      • C:\Users\Admin\AppData\Local\Temp\573929258.exe
        C:\Users\Admin\AppData\Local\Temp\573929258.exe
        3⤵
        • Executes dropped EXE
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G8X408WQ\2[1]

    Filesize

    80KB

    MD5

    3cf4a7da80d8018e2610199cfa9e8e24

    SHA1

    257615963c9dde93e06e4842a5ca0f7bd35ca399

    SHA256

    91758b1a71d95017a26854eb8f085c4f826ef1aa3dc6ebd6f9a7b50bb2604e0d

    SHA512

    b0563ac79e617e4ad534ec34449162554afdb65438e8cd229c2b71e7093ed9ff28ef02f014ceb7bd68b528c8b51a7be110ed46974800885cc2cee6d077d127fd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO8BH966\1[1]

    Filesize

    79KB

    MD5

    675271f472aa931977c2f22c80c23ae6

    SHA1

    c732d12f9a44e6b76eaeb828e9236c1523eff68e

    SHA256

    f8706ef31b6df9c8c0accc593a9c73521e6c66e95610f7f9032798637cb5695a

    SHA512

    e408569e31c767622f9d0d1b4b00f876740f3512dbd0802d47bfc6ec691a373e1c978ba6b070f403c68416cf7b0ea2eff568d156bdf52205c4ea4e3a571c3b9a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO8BH966\3[1]

    Filesize

    9KB

    MD5

    8829e35b75628ecee6d143bb3e1aac39

    SHA1

    e8d5569cc01fa71c1a6ba4b0099d3cf8a7dd8fbe

    SHA256

    f38a60c9628d8876246218f67523ac5f37a179e9a5db0aa62114ea57817ae62e

    SHA512

    02175d25829c91fbb9c787013ca69cf5b61b8d86f74547b72b5b4a5cd05e24da401572b105f96287b0d6bb0c1382307bd65c1666a560b262a22b0272df4da1be

  • C:\Users\Admin\AppData\Local\Temp\573929258.exe

    Filesize

    9KB

    MD5

    16912f948cac55bb69a22b92c00de182

    SHA1

    0b5805bfd2fa7d192f2c3c6397328d8f151c1f14

    SHA256

    037baef94e1c3db51b49820492bdfa4534bb1ad5a590101d0b94c267db2cb1d4

    SHA512

    525056688644f78ff55387c3fbe102c6583cf5abb5175156f9b4281f70accf73289979b3a277bfe7e561934c4bb574e332daabce5a2e2d42f4676feb9f533823

  • C:\Users\Admin\AppData\Local\Temp\914722307.exe

    Filesize

    79KB

    MD5

    6752eaef40de94374448ef64a36bf381

    SHA1

    c24a56262377d04ca0ed0acd6e283f9d8a63dac4

    SHA256

    2229c5279401c0df64c8fffdb866d8802bc8399581044b3c006d10ed48163781

    SHA512

    2291dc0b4e280c0c732fb756f4cdf7b90c6bc4a45ec5a77e5ececa64164aa81385f1b9886bab165b17d5c27fc6029a047fabc108a0d55f092189c924d0a946fd

  • C:\Users\Admin\tbnds.dat

    Filesize

    4KB

    MD5

    f0af8d3a85b25e754f30f763e86f5623

    SHA1

    4da948c2be92ed78b8c0c839699272e81c90ef21

    SHA256

    456cc2c3e79e37f7be66bb2b4bf330cf61e965655ca70df0ead379461ce3341f

    SHA512

    92b7eef2f6f020d92ee9dd99df956379140e72a55ba2248752c652d1fbdea329b853b0cc99ca335ad17e5d6dcdeb1c7c265e320b014436f4610662a027234ee8

  • C:\Users\Admin\tbnds.dat

    Filesize

    4KB

    MD5

    4224f82ff1476f448409d5d1d9e73a91

    SHA1

    9890d6fe2e871b9262bc9e211def1d9601169e65

    SHA256

    678c8e77c3239dc410a6081c4f6091f0074c6c7c3bacfad1e77aa48d51189a83

    SHA512

    5f89a5a210b634c4bd7de503c89de8d0d40b5043b052421c12bb73b21baafde3c8b98d3fd1899e61963fe7d05cca31deb7daa3e1c64bef9bd6616b8b83930c27

  • C:\Windows\sysdfgrsv.exe

    Filesize

    79KB

    MD5

    c41fe8e266c0ee1ff4d563b158f285d4

    SHA1

    627107a8b664043e563c10ee1566a49ad3823483

    SHA256

    cdcfeddb0aca42e65e6a4822c1f23df7c4ae92775ebcc0b45d4160b732b0983e

    SHA512

    ed11b61188ebc99655d5c0cbdc84a58ea3ea1f6f6c2f440de245e8a453ccf45b07d1ffc3d4e2f55eb0f2bc0657069019d93beca86b31debaf8dabfcd15946448