Overview

overview

10

Static

static

10

twizt.exe

windows7-x64

10

twizt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    twizt.exe

  • Size

    88KB

  • MD5

    4505daf4c08fc8e8e1380911e98588aa

  • SHA1

    d990eb1b2ccbb71c878944be37923b1ebd17bc72

  • SHA256

    a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40

  • SHA512

    bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec

  • SSDEEP

    1536:yL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:+0poOfP6+JuEjaaKHK

Score
10/10
phorphiexevasionloaderpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/
Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
Attributes
  • mutex

    55a4er5wo

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Phorphiex payload 1 IoCs
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\twizt.exe
    "C:\Users\Admin\AppData\Local\Temp\twizt.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Users\Admin\AppData\Local\Temp\2341920438.exe
        C:\Users\Admin\AppData\Local\Temp\2341920438.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1428
        • C:\Users\Admin\AppData\Local\Temp\1193023664.exe
          C:\Users\Admin\AppData\Local\Temp\1193023664.exe
          4⤵
          • Executes dropped EXE
          PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1193023664.exe
    Filesize

    20KB

    MD5

    5d1f5a6f5f6ea2e560c75673556e10c2

    SHA1

    be03b3d220349f0fc856fd9548ab36cca2fea638

    SHA256

    ff070a8f81124812406aba43a43f2ab2a0f1ca58cdfbff65705c8d1b2fe557b0

    SHA512

    6cda9a5f0fec1e9d8afebc7d126c0ef1d4a2bf01822ee8bc494d060a1ccd9874056af0b812226c7cd895164c96bc9687c028ad6a5b4a5148fb86af2fd8af3121

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\2341920438.exe
    Filesize

    10KB

    MD5

    62a359fc04086f9293ce70140e9b72cc

    SHA1

    125c91a4b5248316ed7a262acf936b8b4ab54a9f

    SHA256

    6868e06c295e6335cf8a8d6c5cd56a1e9d9ecc4202b2fed9af2477b1d3f441ad

    SHA512

    2241e3781cf099f2e36a9769602c71ccba1df0029e9b1949d0b35f529bf33b722f3db51739b6c720f7ff9e3d63e59de1815fff3753699bec7e9816eb5c3e6ac2

    Download Submit
  • C:\Windows\sysmablsvr.exe
    Filesize

    88KB

    MD5

    4505daf4c08fc8e8e1380911e98588aa

    SHA1

    d990eb1b2ccbb71c878944be37923b1ebd17bc72

    SHA256

    a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40

    SHA512

    bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec

    Download Submit