Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 01:36

General

  • Target

    aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059.exe

  • Size

    11KB

  • MD5

    59c9da9fe35e01962f605570d31b0d93

  • SHA1

    5ff4b2b6b8de81848ea2bbbaf47c408798f8497a

  • SHA256

    aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059

  • SHA512

    5ed16754e11db17dfbe50c435ae4186d494e8f11c7e47e663378ef57b46a2a638d7293a2728d06919be566c3806fbbc4958903d9a61389ca7d805e0a014e9cc4

  • SSDEEP

    192:x5S4bB5cUNN8Vflr4hegCrJJfxMLkWScZqYSi/H:x5S4RNQsgxTxMQWSc9

Malware Config

Extracted

Family

phorphiex

C2

http://twizt.net

Signatures

  • Phorphiex family
  • Phorphiex, Phorpiex

    Phorphiex (also written Phorpiex) is a malware family that infects systems in order to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059.exe
    "C:\Users\Admin\AppData\Local\Temp\aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\winsvc.exe
      C:\Users\Admin\winsvc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2748

Network

  • US
    DNS
    twizt.net
    winsvc.exe
    Remote address:
    8.8.8.8:53
    Request
    twizt.net
    IN A
    Response
    twizt.net
    IN A
    185.215.113.66
  • RU
    GET
    http://twizt.net/preload.php
    aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059.exe
    Remote address:
    185.215.113.66:80
    Request
    GET /preload.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Host: twizt.net
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 04 Dec 2024 01:36:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • RU
    GET
    http://twizt.net/vncprel.exe
    winsvc.exe
    Remote address:
    185.215.113.66:80
    Request
    GET /vncprel.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Host: twizt.net
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 04 Dec 2024 01:36:57 GMT
    Content-Type: text/html
    Content-Length: 564
    Connection: keep-alive
  • 185.215.113.66:80
    http://twizt.net/preload.php
    http
    aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059.exe
    456 B
    540 B
    6
    4

    HTTP Request

    GET http://twizt.net/preload.php

    HTTP Response

    200
  • 185.215.113.66:80
    http://twizt.net/vncprel.exe
    http
    winsvc.exe
    771 B
    1.7kB
    13
    5

    HTTP Request

    GET http://twizt.net/vncprel.exe

    HTTP Response

    404
  • 8.8.8.8:53
    twizt.net
    dns
    winsvc.exe
    55 B
    71 B
    1
    1

    DNS Request

    twizt.net

    DNS Response

    185.215.113.66

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\winsvc.exe

    Filesize

    11KB

    MD5

    59c9da9fe35e01962f605570d31b0d93

    SHA1

    5ff4b2b6b8de81848ea2bbbaf47c408798f8497a

    SHA256

    aa90c2cdee8278a423f4104038b5817962471bebde82c4124a5b9d47f9d07059

    SHA512

    5ed16754e11db17dfbe50c435ae4186d494e8f11c7e47e663378ef57b46a2a638d7293a2728d06919be566c3806fbbc4958903d9a61389ca7d805e0a014e9cc4
