3816c836b3af21fcc7f05a71ad13b17aaa110be1ecee68aa18c22bf9729bca48

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Phxnt0m-malware-main/Phxnt0mware RAT - main/resources/source_code/block_input.py
Size

2KB
MD5

5f2bdcfdb6d04d162edbd0be7322ad95
SHA1

7284ac9b666a14210a4c9257c0fea1e9e2feaf27
SHA256

509b26dcd0ad875488bcbebb4d0a9bb8e54d1d05f3cd8b068022b85ab4a1728e
SHA512

2d08d4bfc2baa40b9c1a4d9d429f3330965ed4ecc4a6819f9601e898767adb45b9c03cce1c10cb6f1656b5fd6dc4bb37f4a989db5a44ec2f1d4916cc220c0311

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2872	AcroRd32.exe
2872	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1780	2992	cmd.exe	32
PID 2992 wrote to memory of 1780	2992	cmd.exe	32
PID 2992 wrote to memory of 1780	2992	cmd.exe	32
PID 1780 wrote to memory of 2872	1780	rundll32.exe	33
PID 1780 wrote to memory of 2872	1780	rundll32.exe	33
PID 1780 wrote to memory of 2872	1780	rundll32.exe	33
PID 1780 wrote to memory of 2872	1780	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Phxnt0m-malware-main\Phxnt0mware RAT - main\resources\source_code\block_input.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Phxnt0m-malware-main\Phxnt0mware RAT - main\resources\source_code\block_input.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Phxnt0m-malware-main\Phxnt0mware RAT - main\resources\source_code\block_input.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3f88820076ed62e5d8185b8b7c044e91

SHA1
cca111ce9d5d5ffef5369eba437a81b62ae0fc85

SHA256
fb17757e9a76b7d3fa8d6d8173a2bf9a289b9caff1f60ed022f96fced5e604b3

SHA512
9cfb118a31cd92976b71ffd61880e65c2882018a8e360d9b65bdbad818ff74d302ccba704bcbd5a6173898177639a9d5cd617a4ff075f88ea994d40ae52d3fc6

Download Submit