File name:

Phoenix.exe

Full analysis: https://app.any.run/tasks/d37d2e81-2e30-4514-9513-e216fe7f4ec7
Verdict: Malicious activity
Analysis date: January 20, 2024, 23:15:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

E056732708932298E6CA11194FCB7CED

SHA1:

B8E89A5EEF747DF459697BD0ED33680967310AD9

SHA256:

CDC44464EB15E5903283DE24E314AA1917D0B4850E584ECB800B211E4A0C1EE8

SSDEEP:

98304:kirlD4j8a+7NrIN3/W23WK4c1d21PXahLdGSoBejCWy8f3SuEK52z1OYA77bWJsS:Y5Ww+GHlbxFJuqlDy52u0z6e0c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Phoenix.exe (PID: 116)

    • Actions looks like stealing of personal data

      • Phoenix.exe (PID: 116)

  • SUSPICIOUS

    • Reads the BIOS version

      • Phoenix.exe (PID: 116)

    • Executable content was dropped or overwritten

      • Phoenix.exe (PID: 116)

    • Checks Windows Trust Settings

      • Phoenix.exe (PID: 116)

    • Reads settings of System Certificates

      • Phoenix.exe (PID: 116)

    • Reads the Internet Settings

      • Phoenix.exe (PID: 116)
      • WMIC.exe (PID: 2016)

    • Uses WMIC.EXE to obtain Windows Installer data

      • Phoenix.exe (PID: 116)

    • Reads security settings of Internet Explorer

      • Phoenix.exe (PID: 116)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 2016)

    • Reads browser cookies

      • Phoenix.exe (PID: 116)

  • INFO

    • Checks supported languages

      • Phoenix.exe (PID: 116)

    • Reads the computer name

      • Phoenix.exe (PID: 116)

    • Reads the machine GUID from the registry

      • Phoenix.exe (PID: 116)

    • Reads Environment values

      • Phoenix.exe (PID: 116)

    • Create files in a temporary directory

      • Phoenix.exe (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2092:07:03 18:33:38+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 13135360
InitializedDataSize: 13263872
UninitializedDataSize: -
EntryPoint: 0xc88cb2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Phoenix
FileVersion: 1.0.0.0
InternalName: Phoenix.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: Phoenix.exe
ProductName: Phoenix
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start phoenix.exe wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Users\admin\AppData\Local\Temp\Phoenix.exe" C:\Users\admin\AppData\Local\Temp\Phoenix.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Phoenix
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\phoenix.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2016"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exePhoenix.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
4 590
Read events
4 576
Write events
14
Delete events
0

Modification events

(PID) Process:(116) Phoenix.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
1
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
116Phoenix.exeC:\Users\admin\AppData\Local\Temp\Cab395.tmpcompressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
116Phoenix.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
116Phoenix.exeC:\Users\admin\AppData\Local\Temp\3de7f15d-1078-4c32-9768-d029f5730b06\Phoenix.dllexecutable
MD5:1E275530F75EC0222AD0A49117819936
SHA256:D8519A2A1F40BAEB1EE2E6EB1ACA27745E5DCAB7C046D65B27246E24AF57D2BB
116Phoenix.exeC:\Users\admin\AppData\Local\Temp\Tar396.tmpbinary
MD5:9C0C641C06238516F27941AA1166D427
SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
116Phoenix.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:173E4764F75C58E30DA092EDCE7CB0C2
SHA256:294880B7F114CA8509F55EBED77E24FE6180ABABB3DCAEB91B86C559E7ECE7E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
116
Phoenix.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?67c7103e6bf462aa
unknown
compressed
65.2 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
116
Phoenix.exe
37.187.156.46:443
phoenix.5v.pl
OVH SAS
FR
unknown
116
Phoenix.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
phoenix.5v.pl
  • 37.187.156.46
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Phoenix.exe