Analysis

  • max time kernel
    120s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03/11/2020, 23:11

General

  • Target

    Photo-125-137.jpg.scr

Malware Config

Extracted

Path

C:\4281278655928\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?NDSIYNDS
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://25xb3kc6azicbbuo.onion/?NDSIYNDS

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 41 IoCs
  • Enumerates connected drives 3 TTPs 47 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 12061 IoCs
  • Drops file in Windows directory 14 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 4554 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 144 IoCs
  • Suspicious use of FindShellTrayWindow 66 IoCs
  • Suspicious use of SendNotifyMessage 69 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr
    "C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr" /S
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\25547.jpg
      2⤵
        PID:564
      • C:\Users\Admin\AppData\Local\Temp\17078.exe
        C:\Users\Admin\AppData\Local\Temp\17078.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\4281278655928\winsvcs.exe
          C:\4281278655928\winsvcs.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Users\Admin\AppData\Local\Temp\3697516955.exe
            C:\Users\Admin\AppData\Local\Temp\3697516955.exe
            4⤵
            • Executes dropped EXE
            • Modifies extensions of user files
            • Loads dropped DLL
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: RenamesItself
            PID:1568
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1088
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1504
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x480
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:948
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1527246EA7059FADA727A3AA7132495E
        2⤵
        • Loads dropped DLL
        PID:1872
      • C:\Windows\system32\MsiExec.exe
        C:\Windows\system32\MsiExec.exe -Embedding 2EDE0356D3DBB64E16A0314313F8C7D4
        2⤵
        • Loads dropped DLL
        PID:1532
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies service
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1592
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies service
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:364

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/364-159-0x0000000004090000-0x0000000004091000-memory.dmp (Filesize: 4KB)
  • memory/1292-35-0x0000000001030000-0x0000000001034000-memory.dmp (Filesize: 16KB)
  • memory/1292-49-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-40-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-55-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-37-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-36-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-101-0x0000000002A80000-0x0000000002A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-84-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-99-0x0000000002280000-0x0000000002284000-memory.dmp (Filesize: 16KB)
  • memory/1292-98-0x0000000002280000-0x0000000002284000-memory.dmp (Filesize: 16KB)
  • memory/1292-83-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1292-85-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize: 16KB)
  • memory/1504-20-0x00000000050D0000-0x00000000050D4000-memory.dmp (Filesize: 16KB)
  • memory/1504-21-0x00000000067C0000-0x00000000067C4000-memory.dmp (Filesize: 16KB)
  • memory/1504-19-0x00000000067C0000-0x00000000067C4000-memory.dmp (Filesize: 16KB)
  • memory/1592-25-0x00000000039C0000-0x00000000039C1000-memory.dmp (Filesize: 4KB)
  • memory/1592-31-0x0000000005DA0000-0x0000000005DA4000-memory.dmp (Filesize: 16KB)
  • memory/1592-32-0x00000000046B0000-0x00000000046B4000-memory.dmp (Filesize: 16KB)
  • memory/1656-0-0x000007FEF7080000-0x000007FEF72FA000-memory.dmp (Filesize: 2.5MB)