Analysis

  • max time kernel
    149s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-11-2020 16:25

General

  • Target

    a.scr

  • Size

    15KB

  • MD5

    ba74a7cb5a12d713229105df94a9e418

  • SHA1

    c128af146a1f7ed27d702aa6ad7600d7ca3510cb

  • SHA256

    1589137eea1bc46db43c9b9229402646773876d527585f68fd58d37add5d8402

  • SHA512

    897c3906884ec1c836831308d023fc06e3b9aa92e8ef0fe8692d66f2965fce45d63eca2a936e5a6672a28fefa4b52ae0812eacfe3b27526509a19d105aba6eee

Malware Config

Signatures

  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a.scr
    "C:\Users\Admin\AppData\Local\Temp\a.scr" /S
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\33427.jpg
      2⤵
        PID:436
      • C:\Users\Admin\AppData\Local\Temp\24857.exe
        C:\Users\Admin\AppData\Local\Temp\24857.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:332
        • C:\65971246227968\winsvcs.exe
          C:\65971246227968\winsvcs.exe
          3⤵
          • Executes dropped EXE
          • Windows security modification
          PID:872
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1536

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Disabling Security Tools

    2
    T1089

    Modify Registry

    3
    T1112

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\65971246227968\winsvcs.exe
      MD5

      c4f7ad9cdb934e4414e2cf58eb0062d1

      SHA1

      30268fc11e0ef7e54e219ef0dee3b75734a85c67

      SHA256

      3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

      SHA512

      5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

    • C:\65971246227968\winsvcs.exe
      MD5

      c4f7ad9cdb934e4414e2cf58eb0062d1

      SHA1

      30268fc11e0ef7e54e219ef0dee3b75734a85c67

      SHA256

      3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

      SHA512

      5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

    • C:\Users\Admin\AppData\Local\Temp\24857.exe
      MD5

      c4f7ad9cdb934e4414e2cf58eb0062d1

      SHA1

      30268fc11e0ef7e54e219ef0dee3b75734a85c67

      SHA256

      3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

      SHA512

      5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

    • C:\Users\Admin\AppData\Local\Temp\24857.exe
      MD5

      c4f7ad9cdb934e4414e2cf58eb0062d1

      SHA1

      30268fc11e0ef7e54e219ef0dee3b75734a85c67

      SHA256

      3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

      SHA512

      5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

    • C:\Users\Admin\AppData\Local\Temp\33427.jpg
      MD5

      a603d35899017876f5cbea46dbf223d4

      SHA1

      bbe3b9dc5ca78b399ae151afc0f03972e710b23b

      SHA256

      2fbfd083e8286b5715afc2b0f0b84dc11d211e18a4bdd3f9b4af6d5a2e833ab4

      SHA512

      14100ee11d31da7dc051600c66e175569ad6026a550fa1167e5ecffee0f84bd6487b65eec45e32ac2e2b9b5bc338a952657187945bab7530896294d6e4cbc78f

    • \65971246227968\winsvcs.exe
      MD5

      c4f7ad9cdb934e4414e2cf58eb0062d1

      SHA1

      30268fc11e0ef7e54e219ef0dee3b75734a85c67

      SHA256

      3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

      SHA512

      5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

    • \Users\Admin\AppData\Local\Temp\24857.exe
      MD5

      c4f7ad9cdb934e4414e2cf58eb0062d1

      SHA1

      30268fc11e0ef7e54e219ef0dee3b75734a85c67

      SHA256

      3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

      SHA512

      5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

    • memory/332-4-0x0000000000000000-mapping.dmp
    • memory/436-1-0x0000000000000000-mapping.dmp
    • memory/872-8-0x0000000000000000-mapping.dmp
    • memory/1752-0-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp
      Filesize

      2.5MB