Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    22-04-2024 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749.exe

  • Size

    78KB

  • MD5

    efc57ed49a29d9c43f780ac57d9383ea

  • SHA1

    6feb772dab15a7004cccefd6e77aa47cafbb89ed

  • SHA256

    12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749

  • SHA512

    37f09dc9adf4b554d604f35ce7a4d5527acbe9d6d3b6cdcb7a81c5e4d06bc22131cb42a5c611abf9088b61a9ce7b01b64b5328401abaec73471d2555d3e1c9b3

  • SSDEEP

    1536:zITaqTFmav82AzaF1Pwr4xpimiwgaRS3B7A4HK:EutO4kwsamiRW2q4HK

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749.exe
    "C:\Users\Admin\AppData\Local\Temp\12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749.exe"
    1⤵
    • Modifies security service
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\3240914891.exe
      C:\Users\Admin\AppData\Local\Temp\3240914891.exe
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: SetClipboardViewer
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Local\Temp\1480822776.exe
        C:\Users\Admin\AppData\Local\Temp\1480822776.exe
        3⤵
        • Executes dropped EXE
        PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\4[1]
    Filesize

    86KB

    MD5

    fe1e93f12cca3f7c0c897ef2084e1778

    SHA1

    fb588491ddad8b24ea555a6a2727e76cec1fade3

    SHA256

    2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

    SHA512

    36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\1[1]
    Filesize

    89KB

    MD5

    908fe6989c453bc62faf18cdbdbc23d2

    SHA1

    b89a6770ef60173c7755775cde2749101f375d65

    SHA256

    d17bd74adb0124d1bf3c15fa565f542133876839c0d5c963817890fc1e1b177e

    SHA512

    b3d8a2daf2a3b5f3cb7cc76bdbd67a219633135c3100505cc18b967293abf0bf39243c482607d4ef923f05eeb6ed28f97442bf5f10f083baa1bce7783e395be8

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\5[1]
    Filesize

    80KB

    MD5

    2ff2bb06682812eeb76628bfbe817fbb

    SHA1

    18e86614d0f4904e1fe97198ccda34b25aab7dae

    SHA256

    985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

    SHA512

    5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

    Download Submit
  • C:\Users\Admin\tbtnds.dat
    Filesize

    4KB

    MD5

    d73cf76255ed3e90e72d98d28e8eddd3

    SHA1

    d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

    SHA256

    bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

    SHA512

    20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3240914891.exe
    Filesize

    89KB

    MD5

    a1151afcffa047deb643bb06b11ceacc

    SHA1

    537abe3abcfd2f2fc49ef1f61c0dba9ed36a1601

    SHA256

    cf9e35157404a4c1d64395076d7f76471b3738d86b09a26b39d7d97e40c03b90

    SHA512

    edeef562c3803a47d59ed19c8c72a22f25a18d3c6e98c202a376d152dc7d8a00bffcc1f64c3d3bb9284f409982bcb009463287e053bb7e95314d45f53ee782a0

    Download Submit