Overview

overview

10

Static

static

3

2024-10-16...uk.exe

windows7-x64

10

2024-10-16...uk.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk

  • Size

    2.1MB

  • Sample

    241016-a8n64aydpm

  • MD5

    ca22db896e169195523be246ee685e4d

  • SHA1

    c7f399c2314dbd81da4a6ce5ec7875181bad7e5f

  • SHA256

    9106395ddc362fe7b169d97eb7266c85e91b9d1c1934e27e2ea06ac8fa947e2d

  • SHA512

    180b91fd83c496dd4f63a1b60e07daea50fa84b5ca56ff1b4848c45603870fa70ba6d32458a24a3d03a1120ee0e72013a703a941ea2723b8270f76cf3b4323ce

  • SSDEEP

    24576:TxSXu0frXd2agL9T+YEt5RFgbBbx97z7fIoggWD:TxSe0zXUagBTpEHRqbBvz7Rg

Score
10/10
phorphiexxmrigdiscoveryevasionexecutionloaderminerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/
Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
Attributes
  • mutex

    mmn7nnm8na

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Targets

    • Target

      2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk

    • Size

      2.1MB

    • MD5

      ca22db896e169195523be246ee685e4d

    • SHA1

      c7f399c2314dbd81da4a6ce5ec7875181bad7e5f

    • SHA256

      9106395ddc362fe7b169d97eb7266c85e91b9d1c1934e27e2ea06ac8fa947e2d

    • SHA512

      180b91fd83c496dd4f63a1b60e07daea50fa84b5ca56ff1b4848c45603870fa70ba6d32458a24a3d03a1120ee0e72013a703a941ea2723b8270f76cf3b4323ce

    • SSDEEP

      24576:TxSXu0frXd2agL9T+YEt5RFgbBbx97z7fIoggWD:TxSe0zXUagBTpEHRqbBvz7Rg

    Score
    10/10
    phorphiexxmrigdiscoveryevasionexecutionloaderminerpersistencespywarestealertrojanworm

    • Modifies security service

      evasion

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

      evasiontrojan

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks