b066806fa69f212b043909ec55f01dbb2060296f1629a92a5c33be74751427a0

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Phoenix v1.4.exe
Size

6.1MB
MD5

77e12ffe45744e1b737c1b37112fd034
SHA1

69dd3bc2e3d87bb691df333ae42273a1f7b5e143
SHA256

b066806fa69f212b043909ec55f01dbb2060296f1629a92a5c33be74751427a0
SHA512

6e15e494eb95da98e0cbfdca6057e2cb61767f5bd8d972d7bba87c08a0dc61fbc4b9f4b4f47b72e78b71d3347601e1191e5f07d589a70bcd08ba70171fc579d5
SSDEEP

98304:aMLR1hBqbYl50ZGtvdjcnjtm0QhXmXoPKnXonPKpXe4vxOXeXpnUzf:aMFwYjntRYPOFPKwS1eMOXe5Uzf

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3368-9-0x0000000140000000-0x0000000140B32000-memory.dmp	vmprotect
behavioral2/memory/3368-19-0x0000000140000000-0x0000000140B32000-memory.dmp	vmprotect
behavioral2/memory/3368-23-0x0000000140000000-0x0000000140B32000-memory.dmp	vmprotect
behavioral2/memory/3588-45-0x0000000140000000-0x0000000140B32000-memory.dmp	vmprotect
behavioral2/memory/1544-59-0x0000000140000000-0x0000000140B32000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
13	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3368	Phoenix v1.4.exe
3588	Phoenix v1.4.exe
1544	Phoenix v1.4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3368	Phoenix v1.4.exe
3368	Phoenix v1.4.exe
3368	Phoenix v1.4.exe
3368	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
3588	Phoenix v1.4.exe
3588	Phoenix v1.4.exe
3588	Phoenix v1.4.exe
3588	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
1544	Phoenix v1.4.exe
1544	Phoenix v1.4.exe
1544	Phoenix v1.4.exe
1544	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	taskmgr.exe
Token: SeSystemProfilePrivilege	4596	taskmgr.exe
Token: SeCreateGlobalPrivilege	4596	taskmgr.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
3368	Phoenix v1.4.exe
3368	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
3588	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
3588	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
3368	Phoenix v1.4.exe
3368	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
3588	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
3588	Phoenix v1.4.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe
4596	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3368	Phoenix v1.4.exe
3588	Phoenix v1.4.exe

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.4.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.4.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.4.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-59-0x0000000140000000-0x0000000140B32000-memory.dmp

Filesize
11.2MB

Download
memory/1544-68-0x00000000046E0000-0x00000000047F5000-memory.dmp

Filesize
1.1MB

Download
memory/1544-67-0x0000000000860000-0x00000000008E3000-memory.dmp

Filesize
524KB

Download
memory/3368-23-0x0000000140000000-0x0000000140B32000-memory.dmp

Filesize
11.2MB

Download
memory/3368-19-0x0000000140000000-0x0000000140B32000-memory.dmp

Filesize
11.2MB

Download
memory/3368-2-0x00007FFA8B260000-0x00007FFA8B262000-memory.dmp

Filesize
8KB

Download
memory/3368-6-0x00007FFA88C50000-0x00007FFA88C52000-memory.dmp

Filesize
8KB

Download
memory/3368-8-0x00007FFA8B280000-0x00007FFA8B282000-memory.dmp

Filesize
8KB

Download
memory/3368-9-0x0000000140000000-0x0000000140B32000-memory.dmp

Filesize
11.2MB

Download
memory/3368-7-0x00007FFA8B270000-0x00007FFA8B272000-memory.dmp

Filesize
8KB

Download
memory/3368-14-0x0000000002AC0000-0x0000000002B43000-memory.dmp

Filesize
524KB

Download
memory/3368-15-0x0000000002B50000-0x0000000002C65000-memory.dmp

Filesize
1.1MB

Download
memory/3368-17-0x0000000002B50000-0x0000000002C65000-memory.dmp

Filesize
1.1MB

Download
memory/3368-1-0x00007FFA8B250000-0x00007FFA8B252000-memory.dmp

Filesize
8KB

Download
memory/3368-4-0x00007FFA89A40000-0x00007FFA89A42000-memory.dmp

Filesize
8KB

Download
memory/3368-21-0x0000000002B50000-0x0000000002C65000-memory.dmp

Filesize
1.1MB

Download
memory/3368-20-0x0000000002AC0000-0x0000000002B43000-memory.dmp

Filesize
524KB

Download
memory/3368-22-0x0000000140131000-0x0000000140512000-memory.dmp

Filesize
3.9MB

Download
memory/3368-0-0x0000000140131000-0x0000000140512000-memory.dmp

Filesize
3.9MB

Download
memory/3368-3-0x00007FFA89A30000-0x00007FFA89A32000-memory.dmp

Filesize
8KB

Download
memory/3368-5-0x00007FFA88C40000-0x00007FFA88C42000-memory.dmp

Filesize
8KB

Download
memory/3368-18-0x0000000140131000-0x0000000140512000-memory.dmp

Filesize
3.9MB

Download
memory/3588-66-0x0000000002C20000-0x0000000002D35000-memory.dmp

Filesize
1.1MB

Download
memory/3588-65-0x0000000001160000-0x00000000011E3000-memory.dmp

Filesize
524KB

Download
memory/3588-64-0x0000000002C20000-0x0000000002D35000-memory.dmp

Filesize
1.1MB

Download
memory/3588-63-0x0000000001160000-0x00000000011E3000-memory.dmp

Filesize
524KB

Download
memory/3588-45-0x0000000140000000-0x0000000140B32000-memory.dmp

Filesize
11.2MB

Download
memory/4596-25-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-30-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-31-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-32-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-33-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-34-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-35-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-36-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-24-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download
memory/4596-26-0x000002BAD66C0000-0x000002BAD66C1000-memory.dmp

Filesize
4KB

Download