Resubmissions

18-04-2024 11:51

240418-n1frmscd22 10

18-04-2024 11:51

240418-n1dmaadd8y 10

18-04-2024 11:51

240418-n1cpzscc95 10

18-04-2024 11:51

240418-n1b4fscc92 10

18-04-2024 11:51

240418-n1a66acc85 10

18-04-2024 10:01

240418-l19nlsbb31 10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18-04-2024 11:51

General

  • Target

    714787dde305a03fe0bf0fe87923f814db1736fdfbb4ad38ec95536f152abfb2.exe

  • Size

    100KB

  • MD5

    a8f401d424c87dbff0dd679c792f8cb0

  • SHA1

    b1413e3019c6c201288a238191e5c4baa329b749

  • SHA256

    714787dde305a03fe0bf0fe87923f814db1736fdfbb4ad38ec95536f152abfb2

  • SHA512

    ab61d78dd7c2979ed97af85ab62f43cd34043e2a31821185c8c09622d6d8d39598813059d775c2195b9c3d03439a29cf261578555d9e86071a90ac048a2f9f31

  • SSDEEP

    3072:zhmiYp+ZDI5/azNzMzCnd1B2KkhKQciyY4N6lPxbAFS8CF5:dmiYMluaNzMzCnt2KkhKQciyY4N6dxso

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets


Signatures

  • Modifies security service (2 TTPs, 1 IoCs)
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Phorphiex payload (1 IoCs)
  • Windows security bypass (2 TTPs, 18 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Windows security modification (2 TTPs, 21 IoCs)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Suspicious behavior: SetClipboardViewer (1 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\714787dde305a03fe0bf0fe87923f814db1736fdfbb4ad38ec95536f152abfb2.exe
    "C:\Users\Admin\AppData\Local\Temp\714787dde305a03fe0bf0fe87923f814db1736fdfbb4ad38ec95536f152abfb2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\29054243829258\dwm.exe
      C:\29054243829258\dwm.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\3034717148.exe
        C:\Users\Admin\AppData\Local\Temp\3034717148.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\sylsplvc.exe
          C:\Windows\sylsplvc.exe
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Users\Admin\AppData\Local\Temp\60322071.exe
            C:\Users\Admin\AppData\Local\Temp\60322071.exe
            5⤵
            • Modifies security service
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: SetClipboardViewer
            PID:4804

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 4
    Impair Defenses (T1562): 2
    Disable or Modify Tools (T1562.001): 2

Downloads

  • C:\29054243829258\dwm.exe
    Filesize

    100KB

    MD5

    a8f401d424c87dbff0dd679c792f8cb0

    SHA1

    b1413e3019c6c201288a238191e5c4baa329b749

    SHA256

    714787dde305a03fe0bf0fe87923f814db1736fdfbb4ad38ec95536f152abfb2

    SHA512

    ab61d78dd7c2979ed97af85ab62f43cd34043e2a31821185c8c09622d6d8d39598813059d775c2195b9c3d03439a29cf261578555d9e86071a90ac048a2f9f31

  • C:\Users\Admin\AppData\Local\Temp\3034717148.exe
    Filesize

    79KB

    MD5

    1e8a2ed2e3f35620fb6b8c2a782a57f3

    SHA1

    e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

    SHA256

    3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

    SHA512

    ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

  • C:\Users\Admin\AppData\Local\Temp\60322071.exe
    Filesize

    81KB

    MD5

    f4713c8ac5fc1e4919156157e7bece19

    SHA1

    7bd9e35b1d1210183bbb4fe1995895cbc1692c62

    SHA256

    2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b

    SHA512

    ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f