Overview

overview

10

Static

static

10

c2dcdab49f...f4.exe

windows7-x64

10

c2dcdab49f...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    227s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2025, 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4.exe

  • Size

    11KB

  • MD5

    3cb61ce448a806e79ce88d06e992cc9d

  • SHA1

    0a5e460360364f1b5799df7a2168892c04156bca

  • SHA256

    c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4

  • SHA512

    4d36781c5986a89d3bea470341223245abbd5e71de8233f2b0a969f0a258dda908588efef34fb354684760c631acb723711108e58ec3d068222ffe692d121380

  • SSDEEP

    192:d6eQ8BFOXpVfXfGhegWJJfxMLkWScZqYSi/HB6U:d6eQ8nAnOgDTxMQWSc9/6U

Score
10/10
phorphiexdiscoveryloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://twizt.net

Signatures

  • Phorphiex family
    phorphiex
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4.exe
    "C:\Users\Admin\AppData\Local\Temp\c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:6008
    • C:\Users\Admin\winsvc.exe
      C:\Users\Admin\winsvc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\winsvc.exe
    Filesize

    11KB

    MD5

    3cb61ce448a806e79ce88d06e992cc9d

    SHA1

    0a5e460360364f1b5799df7a2168892c04156bca

    SHA256

    c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4

    SHA512

    4d36781c5986a89d3bea470341223245abbd5e71de8233f2b0a969f0a258dda908588efef34fb354684760c631acb723711108e58ec3d068222ffe692d121380

    Download Submit