Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    9KB

  • MD5

    62b97cf4c0abafeda36e3fc101a5a022

  • SHA1

    328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

  • SHA256

    e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

  • SHA512

    32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

  • SSDEEP

    96:zM2BLwN8GXhc1I+a8gnYFdj9DSYp+BYA8v7cVO15uJxGE9YUBz2qh3C7tCE4ecp:AIwNfC1TUYv9p+OF8JxTmUBzthcqp

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Users\Admin\AppData\Local\Temp\112886470.exe
      C:\Users\Admin\AppData\Local\Temp\112886470.exe
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\2334519308.exe
        C:\Users\Admin\AppData\Local\Temp\2334519308.exe
        3⤵
        • Executes dropped EXE
        PID:4408
      • C:\Users\Admin\AppData\Local\Temp\2449911081.exe
        C:\Users\Admin\AppData\Local\Temp\2449911081.exe
        3⤵
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Drops file in Windows directory
        PID:4560
      • C:\Users\Admin\AppData\Local\Temp\3033916275.exe
        C:\Users\Admin\AppData\Local\Temp\3033916275.exe
        3⤵
        • Executes dropped EXE
        PID:2200
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2788

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    4
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\112886470.exe
      Filesize

      81KB

      MD5

      f4713c8ac5fc1e4919156157e7bece19

      SHA1

      7bd9e35b1d1210183bbb4fe1995895cbc1692c62

      SHA256

      2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b

      SHA512

      ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2449911081.exe
      Filesize

      14KB

      MD5

      2f4ab1a4a57649200550c0906d57bc28

      SHA1

      94bc52ed3921791630b2a001d9565b8f1bd3bd17

      SHA256

      baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

      SHA512

      ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3033916275.exe
      Filesize

      8KB

      MD5

      c34a248f132e739652407b0aa8c978cd

      SHA1

      f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee

      SHA256

      4c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578

      SHA512

      f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703

      Download Submit