Analysis Overview
SHA256
0db248dac7ab90d7f512d1be68237838fb3742e7a58d65c148fb9058bae1576f
Threat Level: Likely malicious
The file Phoenix v1.3.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 13:36
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 13:36
Reported
2024-06-10 13:39
Platform
win7-20240221-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"
Network
Files
memory/1760-0-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1760-1-0x0000000076E40000-0x0000000076E42000-memory.dmp
memory/1760-2-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1760-4-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1760-5-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1760-3-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1760-6-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1760-7-0x0000000140000000-0x0000000140BD7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 13:36
Reported
2024-06-10 13:39
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"
C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
Files
memory/1784-0-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-1-0x00007FFFB0030000-0x00007FFFB0032000-memory.dmp
memory/1784-2-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-4-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-6-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-5-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-3-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-7-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-8-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-9-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-10-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-12-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-13-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-15-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-14-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-17-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-16-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-18-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-19-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-21-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-23-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-22-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-20-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-24-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-25-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1424-26-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-27-0x0000000140000000-0x0000000140BD7000-memory.dmp
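The tables above are what an analyst actually works from: registry indicators that fingerprint the host (the VirtualBox ACPI table, the BIOS version strings, the EnableLUA policy), the one outbound DNS name that is not sandbox background traffic (ifconfig.me), and memory dumps that show the same 0x140000000-0x140BD7000 image in three process instances. The following helper is an added example, not part of the sandbox report or its tooling: it parses rows copied verbatim from the behavioral2 analysis into an IOC and behaviour summary. The category labels, the `ignore_suffixes` list (treating `.in-addr.arpa` reverse lookups and `.microsoft.net` as background traffic) and all function names are this script's own assumptions.

```python
"""Turn sandbox signature, network and memory-dump rows into a triage summary.

Added example (not code from the sandbox vendor). Sample rows below are
copied from the behavioral2 analysis; labels and filters are assumptions.
"""
import re
from collections import defaultdict

# Constructed input: verbatim rows from the behavioral2 signature tables.
SIGNATURE_ROWS = r"""
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe | N/A |
| N/A | ifconfig.me | N/A | N/A |
"""

# Constructed input: verbatim rows from the behavioral2 Network table.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
"""

# Constructed input: a subset of the behavioral2 memory dump file names.
MEMORY_FILES = """
memory/1784-0-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/1784-1-0x00007FFFB0030000-0x00007FFFB0032000-memory.dmp
memory/1424-13-0x0000000140000000-0x0000000140BD7000-memory.dmp
memory/3632-19-0x0000000140000000-0x0000000140BD7000-memory.dmp
"""

# Path suffix -> behaviour label. Labels are this script's own (assumption),
# matched case-insensitively against the end of the indicator path.
REGISTRY_CATEGORIES = {
    r"\ACPI\DSDT\VBOX__": "anti-vm (VirtualBox ACPI table)",
    r"\System\SystemBiosVersion": "bios fingerprinting",
    r"\System\VideoBiosVersion": "bios fingerprinting",
    r"\Policies\System\EnableLUA": "uac check",
}

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_rows(table_text):
    """Split pipe-delimited report rows into lists of stripped cells."""
    rows = []
    for line in table_text.splitlines():
        line = line.strip()
        if line.startswith("|"):
            rows.append([c.strip() for c in line.strip("|").split("|")])
    return rows


def classify_registry(indicator):
    """Map a \\REGISTRY\\... path to a behaviour label, or None if unknown."""
    low = indicator.lower()
    for suffix, label in REGISTRY_CATEGORIES.items():
        if low.endswith(suffix.lower()):
            return label
    return None


def summarize_signatures(table_text):
    """Return {label: sorted unique indicators} for rows with an indicator."""
    summary = defaultdict(set)
    for _desc, indicator, _process, _target in parse_rows(table_text):
        if indicator == "N/A":
            continue  # signature fired without a recorded indicator (e.g. Themida)
        if indicator.upper().startswith("\\REGISTRY\\"):
            label = classify_registry(indicator) or "registry (unclassified)"
        else:
            label = "network lookup"
        summary[label].add(indicator)
    return {k: sorted(v) for k, v in summary.items()}


def external_domains(table_text, ignore_suffixes=(".in-addr.arpa", ".microsoft.net")):
    """Unique DNS names in first-seen order, minus reverse lookups and
    suffixes the analyst treats as OS background traffic (assumption)."""
    seen = []
    for _country, _dest, domain, _proto in parse_rows(table_text):
        if not domain.endswith(ignore_suffixes) and domain not in seen:
            seen.append(domain)
    return seen


def dump_regions(file_list):
    """Group dumps as {pid: {(start, end): count}} from memory/*.dmp names."""
    regions = defaultdict(lambda: defaultdict(int))
    for pid, _seq, start, end in DUMP_RE.findall(file_list):
        regions[int(pid)][(int(start, 16), int(end, 16))] += 1
    return regions


def largest_region(regions):
    """(set of pids sharing it, start, size in bytes) for the biggest region;
    an identical large region in several PIDs means the same image was
    relaunched, not a different payload."""
    best = None
    for pid, ranges in regions.items():
        for (start, end), _count in ranges.items():
            size = end - start
            if best is None or size > best[2]:
                best = ({pid}, start, size)
            elif (start, size) == (best[1], best[2]):
                best[0].add(pid)
    return best


if __name__ == "__main__":
    for label, hits in summarize_signatures(SIGNATURE_ROWS).items():
        print(f"{label}: {hits}")
    print("external domains:", external_domains(NETWORK_ROWS))
    pids, start, size = largest_region(dump_regions(MEMORY_FILES))
    print(f"image 0x{start:X} ({size} bytes) dumped from PIDs {sorted(pids)}")
```

Run as a script it prints the behaviour labels with their registry paths, the single external domain, and the shared 12,414,976-byte image region dumped from PIDs 1424, 1784 and 3632. Point the three input strings at the full report tables to get the complete picture; rows whose indicator is N/A are skipped deliberately, since they carry no IOC.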