Overview

overview

10

Static

static

10

be068de9e7...8N.exe

windows7-x64

10

be068de9e7...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be068de9e770469a4969741b399e6e2c36e9dc1eb93ffd51c777b6f1aab97168N.exe

  • Size

    102KB

  • MD5

    5e4a29705f3aebceec775589526d58f0

  • SHA1

    feb9b4dd956f4158c7b18fe64813b88a2003ba88

  • SHA256

    be068de9e770469a4969741b399e6e2c36e9dc1eb93ffd51c777b6f1aab97168

  • SHA512

    93e24958d978066bdef7e59b6f1f2ae3389be8e5a84f8d148c5a057abf3b6785c3593c65fd130a65806f0bae193377738c8371e4e9cb9bbe88651ca30eae7217

  • SSDEEP

    1536:z3Mz8oy284usnjFzuNXoaSTM98qKH5Fn18CAkewoAd+ypy18FRn:YwofxFK5oagMNO5FyCAfKMypy1o

Score
10/10
phorphiexdiscoveryevasionloaderpersistencetrojanworm

Malware Config

Signatures

  • Phorphiex family
    phorphiex
  • Phorphiex payload 4 IoCs
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be068de9e770469a4969741b399e6e2c36e9dc1eb93ffd51c777b6f1aab97168N.exe
    "C:\Users\Admin\AppData\Local\Temp\be068de9e770469a4969741b399e6e2c36e9dc1eb93ffd51c777b6f1aab97168N.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\wsecsvcmgr.exe
      C:\Windows\wsecsvcmgr.exe
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\wsecsvcmgr.exe
    Filesize

    102KB

    MD5

    5e4a29705f3aebceec775589526d58f0

    SHA1

    feb9b4dd956f4158c7b18fe64813b88a2003ba88

    SHA256

    be068de9e770469a4969741b399e6e2c36e9dc1eb93ffd51c777b6f1aab97168

    SHA512

    93e24958d978066bdef7e59b6f1f2ae3389be8e5a84f8d148c5a057abf3b6785c3593c65fd130a65806f0bae193377738c8371e4e9cb9bbe88651ca30eae7217

    Download Submit

  • memory/1304-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1304-9-0x0000000000220000-0x000000000023C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1304-8-0x0000000000220000-0x000000000023C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1304-10-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1612-13-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download