Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 18:55

General

  • Target

    16f57fec906660d12fd7350d48b339c852379a22c1a7117de9573b5b44a38bad.exe

  • Size

    2.4MB

  • MD5

    41e482cd92834fac4e45c9de44102785

  • SHA1

    653a00ed747400d9dd0c8f362048a75ccef3b8c7

  • SHA256

    16f57fec906660d12fd7350d48b339c852379a22c1a7117de9573b5b44a38bad

  • SHA512

    70a123939478276908843acec2d6d30f7255e57eebab7f1de00bffd389abd304eb6237fd94a92d538e55c4ded0935bcd81aab24cbc332a397b833c32aad9ee46

  • SSDEEP

    24576:RnAnKcqafbuHDZS2Xqbzsbx+80kL1y4/pCb9vEYhqKDhQBz8NA66W8MX:mn7fq1SfzIx+4JdWEim8ALWXX

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets


Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • UAC bypass (3 TTPs, 2 IoCs)
  • Windows security bypass (2 TTPs, 20 IoCs)
  • UPX dump on OEP (original entry point) (5 IoCs)
  • Downloads MZ/PE file
  • Drops file in Drivers directory (2 IoCs)
  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (14 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification (2 TTPs, 23 IoCs)
  • Adds Run key to start application (2 TTPs, 7 IoCs)
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Suspicious behavior: SetClipboardViewer (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f57fec906660d12fd7350d48b339c852379a22c1a7117de9573b5b44a38bad.exe
    "C:\Users\Admin\AppData\Local\Temp\16f57fec906660d12fd7350d48b339c852379a22c1a7117de9573b5b44a38bad.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\96C3.exe
      "C:\Users\Admin\AppData\Local\Temp\96C3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Temp\1136611547.exe
        C:\Users\Admin\AppData\Local\Temp\1136611547.exe
        3⤵
        • Windows security bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Users\Admin\AppData\Local\Temp\1220916630.exe
          C:\Users\Admin\AppData\Local\Temp\1220916630.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: SetClipboardViewer
          • Suspicious use of WriteProcessMemory
          PID:936
          • C:\Users\Admin\AppData\Local\Temp\2179224006.exe
            C:\Users\Admin\AppData\Local\Temp\2179224006.exe
            5⤵
            • Executes dropped EXE
            PID:768
          • C:\Users\Admin\AppData\Local\Temp\283014518.exe
            C:\Users\Admin\AppData\Local\Temp\283014518.exe
            5⤵
            • Executes dropped EXE
            PID:1428
        • C:\Users\Admin\AppData\Local\Temp\236518824.exe
          C:\Users\Admin\AppData\Local\Temp\236518824.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Drops file in Windows directory
          PID:1100
    • C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
      C:\Users\Admin\AppData\Roaming\MusaLLaT.exe
      2⤵
      • UAC bypass
      • Windows security bypass
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2164
      • C:\Users\Admin\AppData\Local\Temp\99A1.exe
        "C:\Users\Admin\AppData\Local\Temp\99A1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Users\Admin\AppData\Local\Temp\3121214450.exe
          C:\Users\Admin\AppData\Local\Temp\3121214450.exe
          4⤵
          • Executes dropped EXE
          PID:2404

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\2[1]

    Filesize

    14KB

    MD5

    523237b02336bef64600880c1bac79f0

    SHA1

    e91d1e4d3968b098aa8f11aa9d0633ba9fd9c228

    SHA256

    8064029f17c1460cc96b7baaefe0d07a638f1e23292adbd4fee00450b72e2954

    SHA512

    a6a8976bf8e93a555d9e92b6df18c35ad983f325da1677dda56df2a193ebbaa4f1490022e0b0587a3353d4a37f94ce051a3b3516cda1a77e03ef630cfa99780d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\newtpp[1].exe

    Filesize

    84KB

    MD5

    161a475bfe57d8b5317ca1f2f24b88fa

    SHA1

    38fa8a789d3d7570c411ddf4c038d89524142c2c

    SHA256

    98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

    SHA512

    d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\1[1]

    Filesize

    74KB

    MD5

    6bb80d4d0b4d1ee4e29555abb20cb9d6

    SHA1

    7eae9941d231c43cd9d4366815a56984ceb5eb29

    SHA256

    a57b4656cea0fd8f13c01790a8696a8aa98c9e34514ae8537ece9182c6bb5a3a

    SHA512

    ac2348e4f315c92fe18da1621cf7bf14594779157d0203ae2f97adee45134dff3183fb957d445b028dc931d787459aea4a62c1e8f7d136a062621f578d00f41f

  • C:\Users\Admin\AppData\Local\Temp\99A1.exe

    Filesize

    9KB

    MD5

    62b97cf4c0abafeda36e3fc101a5a022

    SHA1

    328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

    SHA256

    e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

    SHA512

    32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

  • C:\Users\Admin\AppData\Roaming\MusaLLaT.exe

    Filesize

    2.4MB

    MD5

    41e482cd92834fac4e45c9de44102785

    SHA1

    653a00ed747400d9dd0c8f362048a75ccef3b8c7

    SHA256

    16f57fec906660d12fd7350d48b339c852379a22c1a7117de9573b5b44a38bad

    SHA512

    70a123939478276908843acec2d6d30f7255e57eebab7f1de00bffd389abd304eb6237fd94a92d538e55c4ded0935bcd81aab24cbc332a397b833c32aad9ee46

  • C:\Users\Admin\tbtnds.dat

    Filesize

    4KB

    MD5

    cf0e408d58559bf8f3b0fd6cd6719742

    SHA1

    c38138ff8bc24582b8ebcdbdc4e2cb4caa5a006c

    SHA256

    c0d8ca7bac5d7a2821c9a991dac93fba45ce3b149965c8e8f562a440c8974e64

    SHA512

    3f1e0ed88c2a3147b49af7b7910fa8d3ac6cbd3fc8bbff56914b96b497342b3268a6aaec49ada63dd6267c655d89c2d64e6470e15919000c4217cb0eea818cf5

  • C:\Users\Admin\tbtnds.dat

    Filesize

    4KB

    MD5

    704eb8955ecb7880657a93c75dd0d879

    SHA1

    896bed2e99f99dbc161cfc7a2aa9d6ff874b3593

    SHA256

    a5afd07f3734e598a12e6ca31af5b9d4f403146d1886395eed6d19612cac85de

    SHA512

    c585f071fe899c273c0254c6d2b228dcd573c64bef9dcd6257fc932bb9176f6c88df518024e966611904be050a6a6db4526d49406d89307266fe737bfb254cf5

  • \Users\Admin\AppData\Local\Temp\1220916630.exe

    Filesize

    74KB

    MD5

    25161ef1d1d05a269c1860f96081fa3b

    SHA1

    b8029ac4c070007faa5a4a3fca7e2dde7c69d91c

    SHA256

    b5b2bf900e374cd072ee613dc3171aee67158a84a7a920da62e66cce1bf86f0b

    SHA512

    74e124f6ac848391dca917c6e72a943eb85d1c5f43cc81aea801eb187b09929fd78ec7d96f7949aa4da27878e58fe1b57f9a1da2a357df5df5c0eba5bc87ee59

  • \Users\Admin\AppData\Local\Temp\236518824.exe

    Filesize

    14KB

    MD5

    48d6dd2b4c22dee12f22864fee59138e

    SHA1

    7928b1868e64b3bf432dc324dd193bc819c56637

    SHA256

    fca998a5e8a3814608ced450ace50399712490c78c178a0c163e7049707fa8cd

    SHA512

    4b8a3e5137c0fe6a5aaa0a4f66431754746340e3c4bd42b983ff07e9c068c27a8ca0f00c9e9d16b9c85200befeb791c58c01a6b9253f4195fc1f815c83742a53

  • memory/2164-62-0x0000000000400000-0x00000000004A7DB0-memory.dmp

    Filesize

    671KB

  • memory/2164-23-0x0000000000400000-0x00000000004A7DB0-memory.dmp

    Filesize

    671KB

  • memory/2224-0-0x0000000000400000-0x00000000004A7DB0-memory.dmp

    Filesize

    671KB

  • memory/2224-21-0x0000000003CD0000-0x0000000003D78000-memory.dmp

    Filesize

    672KB

  • memory/2224-22-0x0000000003CD0000-0x0000000003D78000-memory.dmp

    Filesize

    672KB

  • memory/2224-35-0x0000000000400000-0x00000000004A7DB0-memory.dmp

    Filesize

    671KB