Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 15:25
Behavioral task: behavioral1
- Sample: Phija.exe
- Resource: win7-20240221-en
(The signature hits and memory dumps listed below are labelled behavioral2, i.e. they come from the win10v2004-20240508-en run described in the header, not from this Windows 7 task.)
General
- Target: Phija.exe
- Size: 539KB
- MD5: bd50ba38259a5c7a2a376ea20c16d895
- SHA1: a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
- SHA256: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
- SHA512: 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66
- SSDEEP: 12288:whymnwJFPNdgBAEHApqePJN1AmLM7uVq9sSYN:wUmwrl2Ao7sJNlM7ymsSYN
Malware Config
Signatures

Purple Fox rootkit payload (yara rule purplefox_rootkit) 4 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4508-1-0x0000000010000000-0x000000001019F000-memory.dmp   purplefox_rootkit
  behavioral2/memory/624-17-0x0000000000400000-0x0000000000547000-memory.dmp   purplefox_rootkit
  behavioral2/memory/4508-16-0x0000000000400000-0x0000000000547000-memory.dmp  purplefox_rootkit
  behavioral2/memory/624-34-0x0000000000400000-0x0000000000547000-memory.dmp   purplefox_rootkit
Gh0st RAT payload (yara rule family_gh0strat) 4 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4508-1-0x0000000010000000-0x000000001019F000-memory.dmp   family_gh0strat
  behavioral2/memory/624-17-0x0000000000400000-0x0000000000547000-memory.dmp   family_gh0strat
  behavioral2/memory/4508-16-0x0000000000400000-0x0000000000547000-memory.dmp  family_gh0strat
  behavioral2/memory/624-34-0x0000000000400000-0x0000000000547000-memory.dmp   family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
  description   ioc                                       process
  File created  C:\Windows\system32\drivers\QAssist.sys   Phija.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Phija.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  Phija.exe
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  624   Phija.exe
UPX packed file (yara rule upx) 5 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4508-0-0x0000000000400000-0x0000000000547000-memory.dmp   upx
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe       upx
  behavioral2/memory/624-17-0x0000000000400000-0x0000000000547000-memory.dmp   upx
  behavioral2/memory/4508-16-0x0000000000400000-0x0000000000547000-memory.dmp  upx
  behavioral2/memory/624-34-0x0000000000400000-0x0000000000547000-memory.dmp   upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid   process
  624   Phija.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   4508   Phija.exe
  Token: SeLoadDriverPrivilege        624    Phija.exe
  Token: 33                           624    Phija.exe
  Token: SeIncBasePriorityPrivilege   624    Phija.exe
  Token: 33                           624    Phija.exe
  Token: SeIncBasePriorityPrivilege   624    Phija.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                   pid    process     target process
  PID 4508 wrote to memory of 624   4508   Phija.exe   Phija.exe
  PID 4508 wrote to memory of 624   4508   Phija.exe   Phija.exe
  PID 4508 wrote to memory of 624   4508   Phija.exe   Phija.exe
  PID 4508 wrote to memory of 696   4508   Phija.exe   cmd.exe
  PID 4508 wrote to memory of 696   4508   Phija.exe   cmd.exe
  PID 4508 wrote to memory of 696   4508   Phija.exe   cmd.exe
  PID 696 wrote to memory of 912    696    cmd.exe     PING.EXE
  PID 696 wrote to memory of 912    696    cmd.exe     PING.EXE
  PID 696 wrote to memory of 912    696    cmd.exe     PING.EXE
Processes
(PIDs taken from the WriteProcessMemory table above; the leading number is the depth in the tree.)

1. C:\Users\Admin\AppData\Local\Temp\Phija.exe (PID 4508)
   "C:\Users\Admin\AppData\Local\Temp\Phija.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe (PID 624)
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe (PID 696)
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Phija.exe > nul
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 912)
         ping -n 2 127.0.0.1
         - Runs ping.exe
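The tree above is the whole infection chain in three moves: the submitted file copies itself into the all-users Startup folder and runs the copy (persistence), the copy drops QAssist.sys and registers it as a service via ImagePath (driver load, see the LoadsDriver and SeLoadDriverPrivilege entries), and the original spawns cmd.exe with "ping -n 2 127.0.0.1 && del <self>" (ping to localhost is the stock cmd.exe one-second sleep, so the parent has exited and its image is unlocked before del runs). The Python below is an added illustration, not part of the sandbox report or of the sample: it encodes those three behaviours as detection rules and runs them over constructed Sysmon-style events modelled on the tree and the file/registry IoCs (PIDs 4508, 624, 696 and 912 from the WriteProcessMemory table). The event dictionaries, their field names and the benign control entry are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events modelled on the report's process tree
# and its file/registry IoCs (built here for illustration; they are not
# the sandbox's raw output). The last event is a benign control case.
EVENTS = [
    {"type": "process", "pid": 4508, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Phija.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Phija.exe"'},
    {"type": "file", "pid": 4508,
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe"},
    {"type": "process", "pid": 624, "ppid": 4508,
     "image": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe",
     "cmdline": r'"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"'},
    {"type": "process", "pid": 696, "ppid": 4508,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul"
                r" && del C:\Users\Admin\AppData\Local\Temp\Phija.exe > nul"},
    {"type": "process", "pid": 912, "ppid": 696,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 2 127.0.0.1"},
    {"type": "file", "pid": 624, "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "registry", "pid": 624,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    {"type": "process", "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 2 8.8.8.8 > nul"},
]

# "ping -n N 127.0.0.1" is the classic cmd.exe sleep: N echo requests to
# localhost one second apart, long enough for the parent to exit so the
# file it was running from is no longer locked when "del" runs.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1", re.IGNORECASE)
DEL_TARGET = re.compile(r'&&\s*del\s+(?:/\w+\s+)*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
                        re.IGNORECASE)


def ping_self_delete(cmdline):
    """Return the path a 'ping 127.0.0.1 ... && del <path>' one-liner removes, else None."""
    if not PING_DELAY.search(cmdline):
        return None
    m = DEL_TARGET.search(cmdline)
    return (m.group("quoted") or m.group("bare")) if m else None


def in_startup_folder(path):
    """True for a file directly inside any '...\\Start Menu\\Programs\\Startup' folder
    (the all-users one under ProgramData, as here, or a per-user one under AppData)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 4 and parts[-4:-1] == ["start menu", "programs", "startup"]


IMAGEPATH_KEY = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)


def driver_service_installs(events):
    """Correlate a Services\\<name>\\ImagePath write pointing at a .sys file with a
    file-create of a .sys of the same name by the same process (PID 624 does both)."""
    dropped = {}
    for e in events:
        if e["type"] == "file" and e["path"].lower().endswith(".sys"):
            dropped[(e["pid"], PureWindowsPath(e["path"]).name.lower())] = e["path"]
    hits = []
    for e in events:
        if e["type"] != "registry":
            continue
        m = IMAGEPATH_KEY.search(e["key"])
        if not m or not e["value"].lower().endswith(".sys"):
            continue
        name = PureWindowsPath(e["value"]).name.lower()
        hits.append((e["pid"], m.group("svc"), e["value"], dropped.get((e["pid"], name))))
    return hits


def detect(events):
    """Run the three rules over a batch of events; returns (rule, pid, detail) tuples."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        target = ping_self_delete(e["cmdline"])
        if target:
            # Strongest form: the file being deleted is the parent process's own image.
            parent_image = images.get(e["ppid"], "")
            rule = ("self_delete_of_parent"
                    if PureWindowsPath(parent_image) == PureWindowsPath(target)
                    else "ping_delay_delete")
            findings.append((rule, e["pid"], target))
        if in_startup_folder(e["image"]):
            findings.append(("exec_from_startup_folder", e["pid"], e["image"]))
    for pid, svc, image, sys_path in driver_service_installs(events):
        findings.append(("driver_service_install", pid,
                         f"{svc} -> {image} (dropped: {sys_path})"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Run against the constructed events it reports three findings, one per stage (PID 624 for the Startup-folder execution and the QAssist driver install, PID 696 for the self-delete of its parent's image), and nothing for the benign "ping 8.8.8.8" control. Path comparison via PureWindowsPath is case-insensitive, which matters here because the report itself spells the folder both "StartUp" and "Startup".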
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe
- Filesize: 539KB
- MD5: bd50ba38259a5c7a2a376ea20c16d895
- SHA1: a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
- SHA256: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
- SHA512: 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66
(All four hashes equal those of the submitted sample: the Startup-folder file is a byte-for-byte copy.)

memory/624-17-0x0000000000400000-0x0000000000547000-memory.dmp
- Filesize: 1.3MB

memory/624-34-0x0000000000400000-0x0000000000547000-memory.dmp
- Filesize: 1.3MB

memory/4508-0-0x0000000000400000-0x0000000000547000-memory.dmp
- Filesize: 1.3MB

memory/4508-1-0x0000000010000000-0x000000001019F000-memory.dmp
- Filesize: 1.6MB

memory/4508-16-0x0000000000400000-0x0000000000547000-memory.dmp
- Filesize: 1.3MB