Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    12-04-2024 05:37

General

  • Target

    2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe

  • Size

    3.0MB

  • MD5

    cabc3c8eb0441e5ee6822be4766a9e4d

  • SHA1

    6bc0d0fe0bdce7849dd260126022e47f7099c9e9

  • SHA256

    1cb8ede8cc22d89f9a3c3e4e821926f82317617250150db17d234b2624b52a52

  • SHA512

    2340af738bed9266279b09520b1e0d671bead3398fdc7553d2eb1c07975ba629349c44ec62e7ab79223ef986512ff1b2d666755693d0cd1ae28deeee896e6a27

  • SSDEEP

    49152:zZ8lB2MHidF9CKpz7rVb3RObyfH9IhyUU8XWcE/4A+TDwlQuPZRa9/efG3hNDCTT:d8B27xXr14nwlQubFfG3hNDCTV

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Windows security bypass 2 TTPs 18 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 21 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1196
      • C:\Users\Admin\AppData\Local\Temp\2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Users\Admin\AppData\Local\Temp\57B1.exe
          "C:\Users\Admin\AppData\Local\Temp\57B1.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Users\Admin\AppData\Local\Temp\1790324151.exe
            C:\Users\Admin\AppData\Local\Temp\1790324151.exe
            4⤵
            • Windows security bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Users\Admin\AppData\Local\Temp\2439230152.exe
              C:\Users\Admin\AppData\Local\Temp\2439230152.exe
              5⤵
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: SetClipboardViewer
              • Suspicious use of WriteProcessMemory
              PID:112
              • C:\Users\Admin\AppData\Local\Temp\284554659.exe
                C:\Users\Admin\AppData\Local\Temp\284554659.exe
                6⤵
                • Executes dropped EXE
                PID:2756
              • C:\Users\Admin\AppData\Local\Temp\949227939.exe
                C:\Users\Admin\AppData\Local\Temp\949227939.exe
                6⤵
                • Executes dropped EXE
                PID:2084
              • C:\Users\Admin\AppData\Local\Temp\2938532461.exe
                C:\Users\Admin\AppData\Local\Temp\2938532461.exe
                6⤵
                • Executes dropped EXE
                PID:1824
            • C:\Users\Admin\AppData\Local\Temp\1672122500.exe
              C:\Users\Admin\AppData\Local\Temp\1672122500.exe
              5⤵
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Drops file in Windows directory
              PID:2868
            • C:\Users\Admin\AppData\Local\Temp\397227838.exe
              C:\Users\Admin\AppData\Local\Temp\397227838.exe
              5⤵
              • Executes dropped EXE
              PID:2904
            • C:\Users\Admin\AppData\Local\Temp\220612160.exe
              C:\Users\Admin\AppData\Local\Temp\220612160.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1828
              • C:\Users\Admin\AppData\Local\Temp\3162725068.exe
                C:\Users\Admin\AppData\Local\Temp\3162725068.exe
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:2644
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
        2⤵
        PID:3036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1972
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:1160
      • C:\Windows\System32\notepad.exe
        C:\Windows\System32\notepad.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1000
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {97A95815-05BC-416D-AE77-842041374A38} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1040
      • C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
        "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3SGP9G0V\1[1]

        Filesize

        85KB

        MD5

        34a87206cee71119a2c6a02e0129718e

        SHA1

        806643ae1b7685d64c2796227229461c8d526cd6

        SHA256

        ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

        SHA512

        e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3SGP9G0V\5[1]

        Filesize

        8KB

        MD5

        93c0bd2539d4d4eb74fe6d41c928f66c

        SHA1

        c7a2010ebd934828e20450c5318c8e20168f4ba8

        SHA256

        5d9f88fcde1bd7fbe7ecba0dae737da96a55005b0d61c45c4251be0677195299

        SHA512

        b8c7cdad4cf1ffd9a3bb6ffb36dabec957169bd43e27f0ec48c19693dd014c09916c0df0a46e808dba0450707c89e7dba7d3ff439d763fbe1e4d8b09fad2aad6

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K224YIDM\2[1]

        Filesize

        14KB

        MD5

        fce292c79288067dc17919ed588c161c

        SHA1

        bb44fa2c95af5bbd11e49264a40c16d6f343fa21

        SHA256

        4ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828

        SHA512

        73dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e

      • C:\Users\Admin\AppData\Local\Temp\1790324151.exe

        Filesize

        84KB

        MD5

        161a475bfe57d8b5317ca1f2f24b88fa

        SHA1

        38fa8a789d3d7570c411ddf4c038d89524142c2c

        SHA256

        98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

        SHA512

        d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

      • C:\Users\Admin\AppData\Local\Temp\57B1.exe

        Filesize

        9KB

        MD5

        62b97cf4c0abafeda36e3fc101a5a022

        SHA1

        328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

        SHA256

        e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

        SHA512

        32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        2796f814b4d08f3d23b2e6f0a4059a01

        SHA1

        23f81ef7fb6f0960ec4e6739b8bef621a23ae4d1

        SHA256

        22d57d708bd27267593ba3231e8fb99357e000ab44e60118525f82c95b6dc95c

        SHA512

        b803bbea57fee9b0f297c907931b9a31009c2b5f5d70b4e1b2471b620443c86f2bca4750dc4ce72b2c56db3db840e1091c2fa89158195a301f17db52f7bf36a3

      • C:\Users\Admin\tbtnds.dat

        Filesize

        4KB

        MD5

        3eb3a4b6c3f9b33a8044ab26d996dac9

        SHA1

        61576b732c8ad674804a0a6bd58b8e37c8c3b56d

        SHA256

        ac52636f1d8a9f6d63c71d970807443276453ffdc5f51381af1316b2436c6cde

        SHA512

        373d4a684d782685e3f2d3f22b2028610713265ceb207349c093ea0b5f79ef481450b7537c75777a4e930a53a4d400ab4846ffbfe229f8ea560c61014f0de0f6

      • C:\Users\Admin\tbtnds.dat

        Filesize

        4KB

        MD5

        e2f1f72c75b29ae98b0b7009cc0f0828

        SHA1

        6dd274121bccf155429a8db50e0502d7f5c25de5

        SHA256

        f52850d4212a4fb73b4e69bff3c3f17f8ea413088e2a1204e838c7bd7ab1de70

        SHA512

        0d5c66c6b9bf0fcacc36f44be4e614b88bb08ce7817cd0ed2c24e5ea527532a5d93133ad076f97e2ba862de73ebb01297a4003372c0279414a54b3a3b4c91acf

      • C:\Users\Admin\tbtnds.dat

        Filesize

        4KB

        MD5

        a935f18d76a75847e777f7e7737b96cb

        SHA1

        b2af8a03c3b7551864248882264255734085f8d8

        SHA256

        0f7651353e09379bbf5be9d7ca3b2493888d0559aea389b4bed2461974a440a9

        SHA512

        9e4dd810bf7d9b6414c852d76fb56596adc440fb35949320dd125bea8ce1d28989e648c8d83bc4dcff51f848f20245ad592a931f4e92dfef50e5507b58c69c6d

      • \Users\Admin\AppData\Local\Temp\1672122500.exe

        Filesize

        14KB

        MD5

        2f4ab1a4a57649200550c0906d57bc28

        SHA1

        94bc52ed3921791630b2a001d9565b8f1bd3bd17

        SHA256

        baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

        SHA512

        ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

      • \Users\Admin\AppData\Local\Temp\220612160.exe

        Filesize

        6KB

        MD5

        0d539e8277f20391a31babff8714fdb0

        SHA1

        a4e63870aa5fd258dde4f02be70732c27f556fa9

        SHA256

        669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

        SHA512

        700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

      • \Users\Admin\AppData\Local\Temp\2439230152.exe

        Filesize

        85KB

        MD5

        10ffc145e1c09190a496a0e0527b4f3f

        SHA1

        e21fba21a11eecb4bc37638f48aed9f09d8912f6

        SHA256

        80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

        SHA512

        bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

      • \Users\Admin\AppData\Local\Temp\3162725068.exe

        Filesize

        5.4MB

        MD5

        41ab08c1955fce44bfd0c76a64d1945a

        SHA1

        2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

        SHA256

        dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

        SHA512

        38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

      • \Users\Admin\AppData\Local\Temp\397227838.exe

        Filesize

        8KB

        MD5

        80f97c916a3eb0e5663761ac5ee1ddd1

        SHA1

        4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

        SHA256

        9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

        SHA512

        85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

      • memory/1000-153-0x0000000000300000-0x0000000000320000-memory.dmp

        Filesize

        128KB

      • memory/1000-152-0x00000000000B0000-0x00000000000D0000-memory.dmp

        Filesize

        128KB

      • memory/1756-151-0x000000013F9D0000-0x000000013FF46000-memory.dmp

        Filesize

        5.5MB

      • memory/1972-143-0x0000000002480000-0x0000000002500000-memory.dmp

        Filesize

        512KB

      • memory/1972-145-0x0000000002480000-0x0000000002500000-memory.dmp

        Filesize

        512KB

      • memory/1972-148-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

      • memory/1972-144-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

      • memory/1972-146-0x0000000002480000-0x0000000002500000-memory.dmp

        Filesize

        512KB

      • memory/1972-147-0x0000000002480000-0x0000000002500000-memory.dmp

        Filesize

        512KB

      • memory/1972-142-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

      • memory/1972-140-0x000000001B0A0000-0x000000001B382000-memory.dmp

        Filesize

        2.9MB

      • memory/1972-141-0x00000000022D0000-0x00000000022D8000-memory.dmp

        Filesize

        32KB

      • memory/2144-131-0x000000013FF70000-0x00000001404E6000-memory.dmp

        Filesize

        5.5MB

      • memory/2652-124-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

        Filesize

        9.6MB

      • memory/2652-122-0x0000000002630000-0x00000000026B0000-memory.dmp

        Filesize

        512KB

      • memory/2652-128-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

        Filesize

        9.6MB

      • memory/2652-126-0x0000000002630000-0x00000000026B0000-memory.dmp

        Filesize

        512KB

      • memory/2652-127-0x0000000002630000-0x00000000026B0000-memory.dmp

        Filesize

        512KB

      • memory/2652-125-0x0000000002630000-0x00000000026B0000-memory.dmp

        Filesize

        512KB

      • memory/2652-123-0x00000000022B0000-0x00000000022B8000-memory.dmp

        Filesize

        32KB

      • memory/2652-120-0x000000001B160000-0x000000001B442000-memory.dmp

        Filesize

        2.9MB

      • memory/2652-121-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

        Filesize

        9.6MB