Analysis
-
max time kernel
123s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 18:34
General
-
Target
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213.exe
-
Size
157KB
-
MD5
04739948ba1b0e0e5a36913914a19dae
-
SHA1
2c1622b237e6ea49a5297f3060d9b216a0760b32
-
SHA256
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213
-
SHA512
811caf83ce7b583b720612f9e5c989726727804ae0af9c730fe0f8c46078ac0cea4e1bd0cfeb88cd8501de970a87771a9af9bcb53d6e4e6af4777d2f968894f5
-
SSDEEP
3072:xeZUO+PHKrXl0CFh5mlhQ+Z/KuSWviHJjqGXer4:xyd+P8CCFPmlq+IbhX04
Malware Config
Extracted
phorphiex
http://185.215.113.66/
0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b
THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto
1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6
qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL
LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX
rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH
ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH
t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn
bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd
bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg
bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 19 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 38 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 23 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213.exe"C:\Users\Admin\AppData\Local\Temp\0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\2260818184.exeC:\Users\Admin\AppData\Local\Temp\2260818184.exe3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1784626033.exeC:\Users\Admin\AppData\Local\Temp\1784626033.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2433316683.exeC:\Users\Admin\AppData\Local\Temp\2433316683.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1106022031.exeC:\Users\Admin\AppData\Local\Temp\1106022031.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3208511234.exeC:\Users\Admin\AppData\Local\Temp\3208511234.exe3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\2174018574.exeC:\Users\Admin\AppData\Local\Temp\2174018574.exe3⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7PZSSGQE\1[1]Filesize
81KB
MD501e5faba64d8e9a9c187831fdc819f4c
SHA1350a1a2bf237e64f43716262f99c632f5e01ba62
SHA2567f4f76bd8fa91a71ce7999f9bbd0f7a63ca82d4e96b4d99cfad98edde1d85450
SHA512f4bc09ab9e4579b82707d6420e3b9df9ec4fd77e11ce5eb8304b45e3b5c9403c01de4e50f3c7f03f00f3ebc921646794638dccfded199bfe5f3fd727f3e57782
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7PZSSGQE\5[1]Filesize
8KB
MD5145fc3dbf778aa2ba80af3d74eabfad6
SHA113dfeadb4b38c461f8b9d25853c0cae5d9a65f7c
SHA2565ab3bcaff0514c89388ea4958197ab0ff5bcc5999e1b95d830bc72da94bd4200
SHA5129bd7d50d489c4fc57ee1a0d3ad3cd2d29ca20f8ad1e46668a36d7ecced42db03a6980b039a2aeb7a1e1761aef89d994d73a497043ba744678290a8a9772a6306
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F7F58EW5\2[1]Filesize
14KB
MD5fce292c79288067dc17919ed588c161c
SHA1bb44fa2c95af5bbd11e49264a40c16d6f343fa21
SHA2564ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828
SHA51273dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e
-
C:\Users\Admin\AppData\Local\Temp\2174018574.exeFilesize
8KB
MD5c34a248f132e739652407b0aa8c978cd
SHA1f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee
SHA2564c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578
SHA512f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703
-
C:\Users\Admin\AppData\Local\Temp\2260818184.exeFilesize
81KB
MD5f4713c8ac5fc1e4919156157e7bece19
SHA17bd9e35b1d1210183bbb4fe1995895cbc1692c62
SHA2562be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b
SHA512ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f
-
C:\Users\Admin\AppData\Local\Temp\3208511234.exeFilesize
14KB
MD52f4ab1a4a57649200550c0906d57bc28
SHA194bc52ed3921791630b2a001d9565b8f1bd3bd17
SHA256baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa
SHA512ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8
-
C:\Users\Admin\sysvpplvcr.exeFilesize
162KB
MD543292053151ff87d1aa088763fb927ab
SHA1da6d81e27c8cdcceeebb69292639d62fd6ea991c
SHA256fbeb8de1d7037626e071209bc8a753d18f044fae81fda5ec366ad1e5787999e6
SHA5126c7e766d93090b9d8383bf3d9c782c08afedcde7a13c2c6fa43c14c96653fe6ad2043d57a9d53d6287afe53b272408eaa4e5fa5d8236cf039d098185bd03af64
-
C:\Users\Admin\tbtnds.datFilesize
4KB
MD573a114a8a15463801244f5b4e48086e8
SHA14053752e273dec27aba72d50f7c407d18a89fb53
SHA256f6fa0cbc174fd9a3cadd7be41ffe0d7e1df0e7defbe864fef4802a5cb322ee49
SHA512ab47374a4fb0bda016350d82639d5463289c802b1bbe29929b0089240bfb002ec09a1349e1b0c376543bac0266e8aae9f48d12f0492d713817b1395f6400612b
-
C:\Users\Admin\tbtnds.datFilesize
4KB
MD5d73cf76255ed3e90e72d98d28e8eddd3
SHA1d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5
SHA256bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781
SHA51220ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2
-
C:\Windows\sysvpplvcr.exeFilesize
162KB
MD50fa0da010a0f0cbb5b3f71f7999a7cfb
SHA1782ec2e3e5efdcc099cac4be5b90bd02af227d14
SHA2565b77531a093aa6da49687b4c9b8906429e83cec00a0c8eee3f4f55c7379a8f47
SHA512fae7e582984e1d9d9edac0cfb3ebba360485ebbbab08e56a4fe0f399458a019b3c73c74b0d62d9c3f0035767421cbf0184fc35b153a5d5cf7a4e927dc8c1decc
-
C:\Windows\winakrosvsa.exeFilesize
64KB
MD5c6723d0d751e8ee1845d0143702afcb3
SHA14e1bc30ad6364050e046d9c47270747cb91371a2
SHA256d7d4c9154cc812bbec1dd0f36d4dcc10f897755cabc94d9f3de3992496e8f813
SHA512ab4c1542c10843b4e5c965f7b01856d6e9ddabccd174cf8309080625dd2485fa17f97ad711fdbde10b26d55e0a2cd165ae262c43e2f827c734cb78486e79fad5
-
F:\iqtf.exeFilesize
100KB
MD592882c5aa33e22410c956407c807c822
SHA1f7fbf333cbc653359f41f4c0ee072b8685d4a514
SHA2563c2a8daa90a33236bc3a359fdc9bdfa679ba8ca655e9f3ea44c381484702f046
SHA51230e119fd8730798986af236c063a3f3decea9b3c673461578c9122dfd88e20086ed4760215cd6484156fb9847fe2bb8d5515d17755ba6373d4b7ca2d9776c9bf
-
memory/840-119-0x0000000003980000-0x0000000003982000-memory.dmpFilesize
8KB
-
memory/840-117-0x0000000003AD0000-0x0000000003AD1000-memory.dmpFilesize
4KB
-
memory/840-155-0x0000000003980000-0x0000000003982000-memory.dmpFilesize
8KB
-
memory/2736-140-0x0000000000B10000-0x0000000000B11000-memory.dmpFilesize
4KB
-
memory/2736-139-0x0000000000B00000-0x0000000000B02000-memory.dmpFilesize
8KB
-
memory/2736-161-0x0000000000B00000-0x0000000000B02000-memory.dmpFilesize
8KB
-
memory/2908-63-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-98-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-28-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-30-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-33-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-37-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-39-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-26-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-45-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-49-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-53-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-55-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-61-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-0-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2908-2-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-24-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-79-0x0000000000AB0000-0x0000000000AB2000-memory.dmpFilesize
8KB
-
memory/2908-78-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-23-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-4-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-6-0x0000000000AB0000-0x0000000000AB2000-memory.dmpFilesize
8KB
-
memory/2908-83-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-91-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-92-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-93-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-27-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-100-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-22-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-103-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-107-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-113-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-17-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-16-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-15-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-14-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-13-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-12-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-11-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-7-0x0000000000AC0000-0x0000000000AC1000-memory.dmpFilesize
4KB
-
memory/2908-10-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-5-0x0000000002390000-0x000000000341E000-memory.dmpFilesize
16.6MB
-
memory/2908-9-0x0000000000AB0000-0x0000000000AB2000-memory.dmpFilesize
8KB
-
memory/3408-159-0x0000000001370000-0x0000000001372000-memory.dmpFilesize
8KB
-
memory/3408-160-0x0000000001760000-0x0000000001761000-memory.dmpFilesize
4KB
-
memory/3408-162-0x0000000001370000-0x0000000001372000-memory.dmpFilesize
8KB
-
memory/4720-134-0x00000000020B0000-0x00000000020B2000-memory.dmpFilesize
8KB
-
memory/4720-71-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/4720-72-0x00000000020B0000-0x00000000020B2000-memory.dmpFilesize
8KB
-
memory/4720-73-0x00000000020B0000-0x00000000020B2000-memory.dmpFilesize
8KB