Extracted

• • Target

    84eaf3c48a49c2604f28a9b9ef6ce47df9aef7c8d1b7da710dd6c34d1a4d05ceN

  • Size

    10KB

  • MD5

    005c3132eec6d97710f943f451006b50

  • SHA1

    0729c5137b1df9c0cb6c6df783c3e9f601dd9a0e

  • SHA256

    84eaf3c48a49c2604f28a9b9ef6ce47df9aef7c8d1b7da710dd6c34d1a4d05ce

  • SHA512

    19610f2c10f2dcb8fb09bea9af2457ce74fed7ba7ab57186018112d9b7a23b686317724756a2a8ccbcc6e3c4620811702b03c47726149d5ac41a3c39cf677d0c

  • SSDEEP

    96:SPX8jFyRW/k60KzTX7y8uQdtJDoy9+tQKdPiW0ffli/dq1JxGEh32qhlC7tCE5gI:SPXAyRl6BO8j9+6KBB/gJxTh3thW5gV

  Score

  10^/10

  phorphiexxmrigdiscoveryevasionexecutionloaderminerpersistencetrojanworm

  • Modifies security service

    evasion

  • Phorphiex family

    phorphiex

  • Phorphiex payload

  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    evasiontrojan

  • Xmrig family

    xmrig

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2