General
-
Target
2025-05-09_ca74ebacf85c1f6fa4a48e7a4a5c7283_hijackloader_ryuk
-
Size
102KB
-
Sample
250509-nwa1lavmy2
-
MD5
ca74ebacf85c1f6fa4a48e7a4a5c7283
-
SHA1
e57b7320e6ff9484e4311319b98e4f01e7064145
-
SHA256
91ce36c16923ef8cf935a738797c82a2c193d3e05724793d08ba37a5f7f6b808
-
SHA512
f1c28806c046efd618b2daba1582c65ad6d441305d422fd7759f792dc264c7f125adf3788c56150137a30f6232b1d954ff987ae93488b67d2dead39f803af300
-
SSDEEP
1536:50jfW3cpW0PIZ88fCb2tD1cnkgSLsWcgdc9dl0QJhA9Klfx:mjE+/PAsboD1ukD+KU6uq
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-09_ca74ebacf85c1f6fa4a48e7a4a5c7283_hijackloader_ryuk.exe
Resource
win10v2004-20250502-en
Malware Config
Extracted
phorphiex
http://185.156.72.39/
http://185.215.113.66/
TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx
ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX
CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
-
mutex
h7g5df54sdf
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
phorphiex
http://185.156.72.39
185.156.72.39
Targets
-
-
Target
2025-05-09_ca74ebacf85c1f6fa4a48e7a4a5c7283_hijackloader_ryuk
-
Size
102KB
-
MD5
ca74ebacf85c1f6fa4a48e7a4a5c7283
-
SHA1
e57b7320e6ff9484e4311319b98e4f01e7064145
-
SHA256
91ce36c16923ef8cf935a738797c82a2c193d3e05724793d08ba37a5f7f6b808
-
SHA512
f1c28806c046efd618b2daba1582c65ad6d441305d422fd7759f792dc264c7f125adf3788c56150137a30f6232b1d954ff987ae93488b67d2dead39f803af300
-
SSDEEP
1536:50jfW3cpW0PIZ88fCb2tD1cnkgSLsWcgdc9dl0QJhA9Klfx:mjE+/PAsboD1ukD+KU6uq
-
Phorphiex family
-
Phorphiex payload
-
Xmrig family
-
XMRig Miner payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1