Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-12-2024 04:05
General
-
Target
e58916ea022411560a19b0e56234775f703a72959d0e6a69c5eab6e26764756e.exe
-
Size
31KB
-
MD5
43debf98fc1c322bfcf9780416bb9870
-
SHA1
ea11dbb236f540c12c89b912cdee346ad8b40fcb
-
SHA256
e58916ea022411560a19b0e56234775f703a72959d0e6a69c5eab6e26764756e
-
SHA512
99e87280dd0dc61f763deb8481b99800bd5ae62e0fea1bcf9c9c74736283871ce767869e5f02726caa9187acb9e0c375d1ff9e4a38fa8d73bd4e114942a41054
-
SSDEEP
768:Ie0FjkG2nBIdAOjm20DyXDabBJ3+seF7krPox:Ck7nZOjQDyza7eFWq
Malware Config
Extracted
phorphiex
http://185.215.113.93/
http://feedmefile.top/
http://gotsomefile.top/
http://gimmefile.top/
15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N
1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv
3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ
bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr
XkcKjKZqNUkChwJXMj5uDjDns6etXvakir
D7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb
0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdE
LfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTG
rUQFcff9R1eKAwTtR1wbuQxmcoB236mz44
TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TB
t1gTRxsrEXwky32j22jgFRZAafBzmCV2M2V
AT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3
bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr
44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822
GBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMV
bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgc
bc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Signatures
-
Phorphiex family
-
Phorphiex payload 5 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e58916ea022411560a19b0e56234775f703a72959d0e6a69c5eab6e26764756e.exe"C:\Users\Admin\AppData\Local\Temp\e58916ea022411560a19b0e56234775f703a72959d0e6a69c5eab6e26764756e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\19886235268008\sedsvc.exeC:\19886235268008\sedsvc.exe2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD543debf98fc1c322bfcf9780416bb9870
SHA1ea11dbb236f540c12c89b912cdee346ad8b40fcb
SHA256e58916ea022411560a19b0e56234775f703a72959d0e6a69c5eab6e26764756e
SHA51299e87280dd0dc61f763deb8481b99800bd5ae62e0fea1bcf9c9c74736283871ce767869e5f02726caa9187acb9e0c375d1ff9e4a38fa8d73bd4e114942a41054
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB