4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696

General

Target

4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
Size

26.1MB
MD5

c11bd68f0ea2c26136f863cfb99df68d
SHA1

f32112336c84626ba31258ea51d378ab9891801c
SHA256

4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696
SHA512

b53646c08550cb5311831f5a5dee467b808ff0eaa5411422e1f1e0036d3c9495b9987ab7570898d0f17011168b762461f73e583d5f9c1d4b76eb7c6ecff2a6c5
SSDEEP

393216:qR4u+DepixkkahO/Ria/mMZGhK13BLwk2YFr287+jX9Zmgr7nPvkA61EXwc7yhNx:e4u+SPfk/1kG19FNkygnPvks7yhAxtNa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2352	qln.exe
2316	LineInst.exe
5064	Phxph.exe
2460	Phxph.exe

Loads dropped DLL 8 IoCs

pid	Process
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Phxph.exe
File opened (read-only)	\??\M:	Phxph.exe
File opened (read-only)	\??\P:	Phxph.exe
File opened (read-only)	\??\X:	Phxph.exe
File opened (read-only)	\??\V:	Phxph.exe
File opened (read-only)	\??\W:	Phxph.exe
File opened (read-only)	\??\Y:	Phxph.exe
File opened (read-only)	\??\Z:	Phxph.exe
File opened (read-only)	\??\B:	Phxph.exe
File opened (read-only)	\??\J:	Phxph.exe
File opened (read-only)	\??\N:	Phxph.exe
File opened (read-only)	\??\S:	Phxph.exe
File opened (read-only)	\??\E:	Phxph.exe
File opened (read-only)	\??\G:	Phxph.exe
File opened (read-only)	\??\L:	Phxph.exe
File opened (read-only)	\??\U:	Phxph.exe
File opened (read-only)	\??\R:	Phxph.exe
File opened (read-only)	\??\T:	Phxph.exe
File opened (read-only)	\??\H:	Phxph.exe
File opened (read-only)	\??\K:	Phxph.exe
File opened (read-only)	\??\O:	Phxph.exe
File opened (read-only)	\??\Q:	Phxph.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Phxph.exe	qln.exe
File opened for modification	C:\Windows\SysWOW64\Phxph.exe	qln.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs

pid	Process
2352	qln.exe
2352	qln.exe
2352	qln.exe
2352	qln.exe
5064	Phxph.exe
2352	qln.exe
2352	qln.exe
5064	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LineInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1840	cmd.exe
9792	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Phxph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Phxph.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Phxph.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Phxph.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Phxph.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Phxph.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	Phxph.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	Phxph.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
9792	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe
2460	Phxph.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2352	qln.exe
Token: 33	2460	Phxph.exe
Token: SeIncBasePriorityPrivilege	2460	Phxph.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2352	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	30
PID 2084 wrote to memory of 2352	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	30
PID 2084 wrote to memory of 2352	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	30
PID 2084 wrote to memory of 2352	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	30
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 2084 wrote to memory of 2316	2084	4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe	31
PID 5064 wrote to memory of 2460	5064	Phxph.exe	35
PID 5064 wrote to memory of 2460	5064	Phxph.exe	35
PID 5064 wrote to memory of 2460	5064	Phxph.exe	35
PID 5064 wrote to memory of 2460	5064	Phxph.exe	35
PID 2352 wrote to memory of 1840	2352	qln.exe	34
PID 2352 wrote to memory of 1840	2352	qln.exe	34
PID 2352 wrote to memory of 1840	2352	qln.exe	34
PID 2352 wrote to memory of 1840	2352	qln.exe	34
PID 1840 wrote to memory of 9792	1840	cmd.exe	37
PID 1840 wrote to memory of 9792	1840	cmd.exe	37
PID 1840 wrote to memory of 9792	1840	cmd.exe	37
PID 1840 wrote to memory of 9792	1840	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe
"C:\Users\Admin\AppData\Local\Temp\4706e8e33e9d243632542d06d4dd59c21e0e728e95ee4bee65834ac61d8c6696.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\qln.exe
  "C:\Users\Admin\AppData\Local\Temp\qln.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\qln.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:9792
- C:\Users\Admin\AppData\Local\Temp\LineInst.exe
  "C:\Users\Admin\AppData\Local\Temp\LineInst.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\Phxph.exe
  C:\Windows\SysWOW64\Phxph.exe -acsi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BID9155.exe

Filesize
5.1MB

MD5
9385d34e271e1934d800bc91ee0a1800

SHA1
60e7f0e8c7815e360ebc473e10d430264b4fd758

SHA256
70ce9beda490ce6695c35b61440e71b94907134ac85f1bc23694e73a4c4a71e5

SHA512
48d5405646156779f5dfbb5304d572bf092759c75909761caa0462dee91c86e1cb5ee11db11ef1409af4318494a30f28327ba4cbbb7065f268b27fc51921b1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qln.exe

Filesize
27.3MB

MD5
f9d4a4c93c769108a010dd8a1c7f3cdb

SHA1
544448693eda94e35201ee220294250c4bbe9a51

SHA256
fea7547e78ba91f0b72162ce9a4ec2f419446c57fa008fffe4c92eadc594aab0

SHA512
1f362c032469027da4d7852315174cc4535cafc635790f8ef51ebbfaa84b46bfbe5abf6975c858e134d76995c6948fcc64113a9d5be51a2626dabd6bf7be14c3

Download Submit
\Users\Admin\AppData\Local\Temp\LineInst.exe

Filesize
1004KB

MD5
587e3bc21efaf428c87331decc9bfeb3

SHA1
a5b8ebeab4e3968673a61a95350b7f0bf60d7459

SHA256
b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120

SHA512
ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca

Download Submit
memory/2084-23-0x0000000004010000-0x0000000005B68000-memory.dmp

Filesize
27.3MB

Download
memory/2084-24-0x0000000004010000-0x0000000005B68000-memory.dmp

Filesize
27.3MB

Download
memory/2352-854-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-882-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-876-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-874-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-872-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-870-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-868-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-866-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-864-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-862-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-860-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-858-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-856-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-39-0x0000000075730000-0x0000000075777000-memory.dmp

Filesize
284KB

Download
memory/2352-852-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-850-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-849-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-878-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-880-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-884-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-886-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-888-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-890-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-910-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-908-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-906-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-904-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-902-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-900-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-898-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-896-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-894-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-892-0x0000000003CC0000-0x0000000003DD1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads