Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-09-2024 21:08

General

  • Target

    file.exe

  • Size

    88KB

  • MD5

    ababca6d12d96e8dd2f1d7114b406fae

  • SHA1

    dcd9798e83ec688aacb3de8911492a232cb41a32

  • SHA256

    a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

  • SHA512

    b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

  • SSDEEP

    1536:wL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:c0poOfP6+JuEjaaKHK

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

Attributes
  • mutex

    55a4er5wo

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Phorphiex payload 1 IoCs
  • Phorphiex, Phorpiex

    Phorphiex (also spelled Phorpiex) is a malware family that infects systems in order to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\1076329146.exe
        C:\Users\Admin\AppData\Local\Temp\1076329146.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1096
      • C:\Users\Admin\AppData\Local\Temp\1185420511.exe
        C:\Users\Admin\AppData\Local\Temp\1185420511.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1076329146.exe

    Filesize

    12KB

    MD5

    8242045ff6b7bed00c8a94c77193f2de

    SHA1

    ea6e335f88b9d14e722bff8298469fe0d6c17199

    SHA256

    7217de31983e9e1e310d0bb28d8edc2f7d6e69f2abf32704b5ab74072ab48f74

    SHA512

    de3fa7426d115ee96c5ff328d31a3de476742b1cf9c7956f56c675bc9e94c175db32aeff6235c59d37df51b3b0dac79e002a97527fa0e4d02eee3ba4c4c2a39c

  • C:\Users\Admin\AppData\Local\Temp\1185420511.exe

    Filesize

    7KB

    MD5

    ac0a159a6c219e2cea55dcc77ab6e337

    SHA1

    3e0e7c2e758dae61edf9f27860693a1910ba71aa

    SHA256

    e97496328c0d205a7ecb4ade75c1555fc7787ec54334468739c5c5cfd6566b3c

    SHA512

    4f29a8d75d71d553166f817474f316a80be4fb39d8b7b38336b172ad4c428bbc76b461ac02befca4b15ca42562cdb783a27b02d5eb8c1af2944e0d4e2acadc6a

  • C:\Users\Admin\AppData\Local\Temp\990933164.exe

    Filesize

    7KB

    MD5

    cdc59ec342e22103257f213fed156807

    SHA1

    0b7f95ab9fa24a7cea2e34b9aff3845a8923f96f

    SHA256

    ddf959ff63893ac8eb8ed9f877448072fe7b5fae741b3af3d5db5b06ac154678

    SHA512

    e215e2933636df7b5eecd21dd64a90de8e06d5bc41ce71673263ec36073ad926c3d3f6910b969eccf8e02458b0d580248df3c07e01d6ba9e6b1f7b3f14a34bb1

  • C:\Windows\sysmablsvr.exe

    Filesize

    88KB

    MD5

    ababca6d12d96e8dd2f1d7114b406fae

    SHA1

    dcd9798e83ec688aacb3de8911492a232cb41a32

    SHA256

    a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

    SHA512

    b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f