Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-04-2024 05:37

General

  • Target

    2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe

  • Size

    3.0MB

  • MD5

    cabc3c8eb0441e5ee6822be4766a9e4d

  • SHA1

    6bc0d0fe0bdce7849dd260126022e47f7099c9e9

  • SHA256

    1cb8ede8cc22d89f9a3c3e4e821926f82317617250150db17d234b2624b52a52

  • SHA512

    2340af738bed9266279b09520b1e0d671bead3398fdc7553d2eb1c07975ba629349c44ec62e7ab79223ef986512ff1b2d666755693d0cd1ae28deeee896e6a27

  • SSDEEP

    49152:zZ8lB2MHidF9CKpz7rVb3RObyfH9IhyUU8XWcE/4A+TDwlQuPZRa9/efG3hNDCTT:d8B27xXr14nwlQubFfG3hNDCTV

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE
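The extracted config holds one payout address per chain, and together with the SetClipboardViewer signature further down that is the footprint of a clipper: the bot watches the clipboard for a wallet-looking string and swaps in its own address for the same chain. The script below is an added example written for this page, not code from the report or from the sample. It labels each address by prefix and length heuristics (the "A..." entry is assumed to be a NEO-style address; every label is a best-effort guess, not proof of chain), pulls wallet-looking tokens out of free text, and flags the clipper signature: clipboard content that changed from one wallet to a different wallet of the same chain. The victim address in the usage call is a constructed input.

```python
"""Classify wallet addresses from a clipper config and detect clipboard swaps.

Added example for this report; chain labels are prefix/length heuristics.
"""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"

# Ordered so multi-character prefixes are tested before single-letter ones.
WALLET_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BTC-bech32", re.compile(rf"^bc1{BECH32}{{25,87}}$")),
    ("BNB", re.compile(rf"^bnb1{BECH32}{{38}}$")),
    ("BCH", re.compile(rf"^(bitcoincash:)?q{BECH32}{{41}}$")),
    ("ZEC", re.compile(rf"^t1{BASE58}{{33}}$")),
    ("XMR", re.compile(rf"^4{BASE58}{{94}}$")),
    ("XLM", re.compile(r"^G[A-Z2-7]{55}$")),
    ("BTC-P2PKH", re.compile(rf"^1{BASE58}{{25,34}}$")),
    ("BTC-P2SH", re.compile(rf"^3{BASE58}{{25,34}}$")),
    ("TRX", re.compile(rf"^T{BASE58}{{33}}$")),
    ("LTC", re.compile(rf"^L{BASE58}{{26,33}}$")),
    ("XRP", re.compile(rf"^r{BASE58}{{24,34}}$")),
    ("DASH", re.compile(rf"^X{BASE58}{{33}}$")),
    ("DOGE", re.compile(rf"^D{BASE58}{{33}}$")),
    ("NEO", re.compile(rf"^A{BASE58}{{33}}$")),  # assumption: NEO-style address
]

# The wallets listed in the report's extracted config.
REPORT_WALLETS = [
    "0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b",
    "THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto",
    "1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6",
    "qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut",
    "XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL",
    "LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX",
    "rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH",
    "ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ",
    "48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg",
    "3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC",
    "3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3",
    "D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH",
    "t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn",
    "bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd",
    "bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg",
    "bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut",
    "GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE",
]
KNOWN_CLIPPER_WALLETS = frozenset(REPORT_WALLETS)

TOKEN = re.compile(r"[A-Za-z0-9:]+")  # ':' keeps the bitcoincash: form whole


def classify(address):
    """Return the heuristic chain label for one address, or None."""
    for chain, pattern in WALLET_PATTERNS:
        if pattern.match(address):
            return chain
    return None


def find_wallets(text):
    """Return [(token, chain)] for every wallet-looking token in text."""
    found = []
    for tok in TOKEN.findall(text):
        chain = classify(tok)
        if chain:
            found.append((tok, chain))
    return found


def chain_summary(wallets):
    """Group a wallet list by chain label (None collects unclassified ones)."""
    summary = {}
    for w in wallets:
        summary.setdefault(classify(w), []).append(w)
    return summary


def clipboard_swap_suspected(before, after):
    """Clipper signature: one wallet became a different wallet of the same chain."""
    b, a = find_wallets(before), find_wallets(after)
    if len(b) != 1 or len(a) != 1:
        return False
    (b_addr, b_chain), (a_addr, a_chain) = b[0], a[0]
    return b_chain == a_chain and b_addr != a_addr


def matches_known_clipper_wallet(text):
    """Wallet tokens in text that appear in this report's config."""
    return [tok for tok, _ in find_wallets(text) if tok in KNOWN_CLIPPER_WALLETS]


if __name__ == "__main__":
    for chain, addrs in chain_summary(REPORT_WALLETS).items():
        print(f"{chain}: {len(addrs)}")
    victim = "send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # constructed
    swapped = "send to 1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6"     # report wallet
    print(clipboard_swap_suspected(victim, swapped), matches_known_clipper_wallet(swapped))
```

Used on the endpoint, the same check pairs with a clipboard monitor: record what was copied, compare with what gets pasted, and alert when the pair trips clipboard_swap_suspected or when the pasted value is in the known-wallet set. The BCH address appears twice in the config, bare and with the bitcoincash: prefix, so a scanner that only matches one form misses half the IoC.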

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 18 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 21 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\8FDC.exe
      "C:\Users\Admin\AppData\Local\Temp\8FDC.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Users\Admin\AppData\Local\Temp\2361324715.exe
        C:\Users\Admin\AppData\Local\Temp\2361324715.exe
        3⤵
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Users\Admin\AppData\Local\Temp\226830419.exe
          C:\Users\Admin\AppData\Local\Temp\226830419.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: SetClipboardViewer
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Users\Admin\AppData\Local\Temp\275354733.exe
            C:\Users\Admin\AppData\Local\Temp\275354733.exe
            5⤵
            • Executes dropped EXE
            PID:5084
          • C:\Users\Admin\AppData\Local\Temp\3111528000.exe
            C:\Users\Admin\AppData\Local\Temp\3111528000.exe
            5⤵
            • Executes dropped EXE
            PID:4376
          • C:\Users\Admin\AppData\Local\Temp\2585132584.exe
            C:\Users\Admin\AppData\Local\Temp\2585132584.exe
            5⤵
            • Executes dropped EXE
            PID:2004
        • C:\Users\Admin\AppData\Local\Temp\2230522247.exe
          C:\Users\Admin\AppData\Local\Temp\2230522247.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Drops file in Windows directory
          PID:2076
        • C:\Users\Admin\AppData\Local\Temp\3098927184.exe
          C:\Users\Admin\AppData\Local\Temp\3098927184.exe
          4⤵
          • Executes dropped EXE
          PID:3016
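Every process in the tree above is a Temp-resident executable launched by another Temp-resident executable, and from the third level down the names are nothing but digits. That is the shape a detection engineer would turn into a rule over process-creation telemetry. The script below is an added example for this page, not part of the report: it re-enters the tree as constructed Sysmon-style records (pid, parent pid, image path; the submitted sample's parent is not in the report and is recorded as None), flags a Temp-resident image whose parent is also Temp-resident or whose file name is all digits, and reconstructs the root-to-leaf lineage for each hit.

```python
"""Flag chains of dropped executables launched from the user's Temp directory.

Added example for this report; EVENTS is the report's process tree re-entered
as (pid, ppid, image) records.
"""
import re
from pathlib import PureWindowsPath

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
T = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, ppid, image) from the report's Processes section; root parent unknown.
EVENTS = [
    (3332, None, T + r"\2024-04-12_cabc3c8eb0441e5ee6822be4766a9e4d_ryuk.exe"),
    (3836, 3332, T + r"\8FDC.exe"),
    (2616, 3836, T + r"\2361324715.exe"),
    (3548, 2616, T + r"\226830419.exe"),
    (5084, 3548, T + r"\275354733.exe"),
    (4376, 3548, T + r"\3111528000.exe"),
    (2004, 3548, T + r"\2585132584.exe"),
    (2076, 2616, T + r"\2230522247.exe"),
    (3016, 2616, T + r"\3098927184.exe"),
]


def in_user_temp(image):
    """True when the image path sits under <profile>\\AppData\\Local\\Temp."""
    return bool(TEMP_DIR.search(image))


def has_numeric_name(image):
    """True for file names such as 2361324715.exe (stem is all digits)."""
    return PureWindowsPath(image).stem.isdigit()


def lineage(pid, by_pid):
    """Root-to-leaf list of pids, following ppid links known in by_pid."""
    chain, seen = [], set()
    while pid is not None and pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid][0]
    chain.reverse()
    return chain


def flag_temp_spawn_chains(events):
    """Return {pid: [reasons]} for processes matching the rule."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    flagged = {}
    for pid, ppid, image in events:
        if not in_user_temp(image):
            continue
        parent = by_pid.get(ppid)
        reasons = []
        if parent and in_user_temp(parent[1]):
            reasons.append("temp exe spawned by temp exe")
        if has_numeric_name(image):
            reasons.append("all-digit executable name")
        if reasons:
            flagged[pid] = reasons
    return flagged


def deepest_chain(events):
    """Longest known lineage in the event set (depth of the drop chain)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    return max((lineage(pid, by_pid) for pid in by_pid), key=len)


if __name__ == "__main__":
    by_pid = {pid: (ppid, image) for pid, ppid, image in EVENTS}
    for pid, reasons in flag_temp_spawn_chains(EVENTS).items():
        print(pid, " -> ".join(map(str, lineage(pid, by_pid))), reasons)
    print("depth:", len(deepest_chain(EVENTS)))
```

The rule fires on all eight dropped executables and stays quiet on the submitted sample itself, whose parent is outside Temp; in production the first rule (Temp spawning Temp) is the one to alert on, while the numeric-name rule is a cheap enrichment that separates this family's naming habit from ordinary installers unpacking into Temp.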

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8XRBHXP1\2[1]
    Filesize

    14KB

    MD5

    fce292c79288067dc17919ed588c161c

    SHA1

    bb44fa2c95af5bbd11e49264a40c16d6f343fa21

    SHA256

    4ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828

    SHA512

    73dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FILN3D3Q\1[1]
    Filesize

    85KB

    MD5

    34a87206cee71119a2c6a02e0129718e

    SHA1

    806643ae1b7685d64c2796227229461c8d526cd6

    SHA256

    ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

    SHA512

    e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FILN3D3Q\5[1]
    Filesize

    8KB

    MD5

    93c0bd2539d4d4eb74fe6d41c928f66c

    SHA1

    c7a2010ebd934828e20450c5318c8e20168f4ba8

    SHA256

    5d9f88fcde1bd7fbe7ecba0dae737da96a55005b0d61c45c4251be0677195299

    SHA512

    b8c7cdad4cf1ffd9a3bb6ffb36dabec957169bd43e27f0ec48c19693dd014c09916c0df0a46e808dba0450707c89e7dba7d3ff439d763fbe1e4d8b09fad2aad6

  • C:\Users\Admin\AppData\Local\Temp\2230522247.exe
    Filesize

    14KB

    MD5

    2f4ab1a4a57649200550c0906d57bc28

    SHA1

    94bc52ed3921791630b2a001d9565b8f1bd3bd17

    SHA256

    baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

    SHA512

    ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

  • C:\Users\Admin\AppData\Local\Temp\226830419.exe
    Filesize

    85KB

    MD5

    10ffc145e1c09190a496a0e0527b4f3f

    SHA1

    e21fba21a11eecb4bc37638f48aed9f09d8912f6

    SHA256

    80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

    SHA512

    bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

  • C:\Users\Admin\AppData\Local\Temp\2361324715.exe
    Filesize

    84KB

    MD5

    161a475bfe57d8b5317ca1f2f24b88fa

    SHA1

    38fa8a789d3d7570c411ddf4c038d89524142c2c

    SHA256

    98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

    SHA512

    d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

  • C:\Users\Admin\AppData\Local\Temp\3098927184.exe
    Filesize

    8KB

    MD5

    80f97c916a3eb0e5663761ac5ee1ddd1

    SHA1

    4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

    SHA256

    9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

    SHA512

    85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

  • C:\Users\Admin\AppData\Local\Temp\8FDC.exe
    Filesize

    9KB

    MD5

    62b97cf4c0abafeda36e3fc101a5a022

    SHA1

    328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

    SHA256

    e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

    SHA512

    32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

  • C:\Users\Admin\tbtnds.dat
    Filesize

    4KB

    MD5

    d73cf76255ed3e90e72d98d28e8eddd3

    SHA1

    d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

    SHA256

    bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

    SHA512

    20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

  • C:\Users\Admin\tbtnds.dat
    Filesize

    4KB

    MD5

    2b3a8538703b92b6929893654fe11c71

    SHA1

    9aee11e5d8363583a9eaeee5e138df8063ef7d23

    SHA256

    50e1db0d011cee408730c4334addb8f5d15097b0fd8b30c2654883d24ad03bbb

    SHA512

    dacc87a4b2af3845665e8259aabe980c42a087ed98eefc90f5280b774556aabe6ce0a4a1e89dbb65506be006cb8bd8c73c89a5e836f4fce496309993a29126ca