Analysis

  • max time kernel
    54s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-03-2024 18:07

General

  • Target

    Phoenix/Phoenix.exe

  • Size

    5.2MB

  • MD5

    c13088b99e8076f39fe978e9e4de4160

  • SHA1

    05bfe502f8fa6c009ca367886f86b758ee8731ec

  • SHA256

    90ecb6a26339809cd5e08991d789f5313e9816e682134729f506d7940f564982

  • SHA512

    a0cdbf0f39360c15bd518d4e2ebe0c7524e3b4981ca5ee058e71967c12a343e423d35cd0b6056bcc17c4b1a753a39fd9b20d3efe412280c4ac6f0fab7ce766ce

  • SSDEEP

    98304:SkiOvMdhM/nj0roxYA3hvNkdiZXn+d6uvEw9nGDqg+/AFVdsO:ziOvMdSvj/xYA5+yX+dNvEw9yPc

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload (1 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe
    "C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dsc.gg/phoenix-nuker
      2⤵
      PID:1804
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3524 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:2816
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5024 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:2212
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5692 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4156
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5832 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:2200
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5596 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:1832
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4404 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5008
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5612 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    • Modifies registry class
    PID:208
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6236 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5320 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1196-0-0x000002B2C8640000-0x000002B2C8B84000-memory.dmp
    Filesize: 5.3MB
  • memory/1196-1-0x00007FF8CB260000-0x00007FF8CBD21000-memory.dmp
    Filesize: 10.8MB
  • memory/1196-2-0x000002B2C8F90000-0x000002B2C8FA0000-memory.dmp
    Filesize: 64KB
  • memory/1196-3-0x000002B2E3260000-0x000002B2E374E000-memory.dmp
    Filesize: 4.9MB
  • memory/1196-4-0x000002B2CA800000-0x000002B2CA8AE000-memory.dmp
    Filesize: 696KB
  • memory/1196-5-0x000002B2E3750000-0x000002B2E3962000-memory.dmp
    Filesize: 2.1MB
  • memory/1196-6-0x000002B2E30E0000-0x000002B2E3192000-memory.dmp
    Filesize: 712KB
  • memory/1196-7-0x000002B2C8F90000-0x000002B2C8FA0000-memory.dmp
    Filesize: 64KB
  • memory/1196-10-0x00007FF8CB260000-0x00007FF8CBD21000-memory.dmp
    Filesize: 10.8MB
  • memory/1196-11-0x000002B2C8F90000-0x000002B2C8FA0000-memory.dmp
    Filesize: 64KB