Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-04-2024 17:38

General

  • Target

    2024-04-15_4e1d1fc6c276c6df5a69012b2e7b72ea_ryuk.exe

  • Size

    354KB

  • MD5

    4e1d1fc6c276c6df5a69012b2e7b72ea

  • SHA1

    9f20916ca1b4d0f962ffc4bf95fafb38a0c06b68

  • SHA256

    6c00f372f51e691714fedf0418e9fbeb99f07f1e39bf340941ef59a24fe834cd

  • SHA512

    8841188a7dd6ec556333a92c8f394c7b377433183486043c16baf0ec2246056a8f1b684539553896e0de633c2c2b73f077a9a7e0d8f7428d56f79f855ab37322

  • SSDEEP

    6144:P1AtjM+EVs7+W7d2lw4GAcstxxIHohqJpyQysE:t+M+FdCGAfUo0aQysE

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 12 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-15_4e1d1fc6c276c6df5a69012b2e7b72ea_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-15_4e1d1fc6c276c6df5a69012b2e7b72ea_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\2D88.exe
      "C:\Users\Admin\AppData\Local\Temp\2D88.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Users\Admin\AppData\Local\Temp\53447286.exe
        C:\Users\Admin\AppData\Local\Temp\53447286.exe
        3⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Users\Admin\AppData\Local\Temp\1112112072.exe
          C:\Users\Admin\AppData\Local\Temp\1112112072.exe
          4⤵
          • Executes dropped EXE
          PID:4404
        • C:\Users\Admin\AppData\Local\Temp\204103897.exe
          C:\Users\Admin\AppData\Local\Temp\204103897.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Drops file in Windows directory
          PID:1312
        • C:\Users\Admin\AppData\Local\Temp\1052328235.exe
          C:\Users\Admin\AppData\Local\Temp\1052328235.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
            "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
            5⤵
            • Executes dropped EXE
            PID:2964
          • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
            "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
            5⤵
            • Executes dropped EXE
            PID:3000
          • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
            "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
            5⤵
            • Executes dropped EXE
            PID:3516
        • C:\Users\Admin\AppData\Local\Temp\1790926441.exe
          C:\Users\Admin\AppData\Local\Temp\1790926441.exe
          4⤵
          • Executes dropped EXE
          PID:4764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1052328235.exe

    Filesize

    10KB

    MD5

    0ed58505911ae244fa62cbd899612bb7

    SHA1

    f6ec97ec48d33f752c90ac5fd0b9314d7b505a22

    SHA256

    8b2b24a2c1f47acf527a8acc704fc77aecc036b09cdbd96ef32d3cf43ddce578

    SHA512

    c4508e90025521b537e9eb13b8c15990aa893b22ebd090e96ce53efa4b333184c99abcccf6bc90ad5d6e53a13883ec711da43f7083216edd7f403fe05dd1c983

  • C:\Users\Admin\AppData\Local\Temp\1790926441.exe

    Filesize

    8KB

    MD5

    c34a248f132e739652407b0aa8c978cd

    SHA1

    f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee

    SHA256

    4c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578

    SHA512

    f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703

  • C:\Users\Admin\AppData\Local\Temp\204103897.exe

    Filesize

    14KB

    MD5

    2f4ab1a4a57649200550c0906d57bc28

    SHA1

    94bc52ed3921791630b2a001d9565b8f1bd3bd17

    SHA256

    baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

    SHA512

    ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

  • C:\Users\Admin\AppData\Local\Temp\2D88.exe

    Filesize

    9KB

    MD5

    62b97cf4c0abafeda36e3fc101a5a022

    SHA1

    328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

    SHA256

    e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

    SHA512

    32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

  • C:\Users\Admin\AppData\Local\Temp\53447286.exe

    Filesize

    81KB

    MD5

    f4713c8ac5fc1e4919156157e7bece19

    SHA1

    7bd9e35b1d1210183bbb4fe1995895cbc1692c62

    SHA256

    2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b

    SHA512

    ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f

  • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

    Filesize

    20KB

    MD5

    f4355af73c2dd6e8eb69f29570431f6a

    SHA1

    a0ba95d51d98fd602ab29531a7b0695496657a74

    SHA256

    31be31131a00b743ea598caf706b7c08703d98c3b90aed0523a0aace6ebe318c

    SHA512

    ea8cc7f93bf52da4a9637e40066606091883176914ae45af5fcb7323b48b832bdf8a67e1527bc549d7aacf964dc1ca2b2305e78552c55ebb128f987e9f0112c1