Analysis
-
max time kernel
53s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
05-11-2020 16:25
General
-
Target
a.scr
-
Size
15KB
-
MD5
ba74a7cb5a12d713229105df94a9e418
-
SHA1
c128af146a1f7ed27d702aa6ad7600d7ca3510cb
-
SHA256
1589137eea1bc46db43c9b9229402646773876d527585f68fd58d37add5d8402
-
SHA512
897c3906884ec1c836831308d023fc06e3b9aa92e8ef0fe8692d66f2965fce45d63eca2a936e5a6672a28fefa4b52ae0812eacfe3b27526509a19d105aba6eee
Malware Config
Extracted
C:\221622968119831\Read_Me.txt
http://25xb3kc6azicbbuo.onion/?DUWYZBCE
http://helpqvrg3cc5mvb3.onion/
Signatures
-
Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Windows security bypass 2 TTPs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 876 IoCs
-
Suspicious behavior: EnumeratesProcesses 802 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a.scr"C:\Users\Admin\AppData\Local\Temp\a.scr" /S1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\33137.jpg2⤵
-
C:\Users\Admin\AppData\Local\Temp\21292.exeC:\Users\Admin\AppData\Local\Temp\21292.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\221622968119831\winsvcs.exeC:\221622968119831\winsvcs.exe3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2465529280.exeC:\Users\Admin\AppData\Local\Temp\2465529280.exe4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\221622968119831\winsvcs.exeMD5
c4f7ad9cdb934e4414e2cf58eb0062d1
SHA130268fc11e0ef7e54e219ef0dee3b75734a85c67
SHA2563ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8
SHA5125259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38
-
C:\221622968119831\winsvcs.exeMD5
c4f7ad9cdb934e4414e2cf58eb0062d1
SHA130268fc11e0ef7e54e219ef0dee3b75734a85c67
SHA2563ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8
SHA5125259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38
-
C:\Users\Admin\AppData\Local\Temp\21292.exeMD5
c4f7ad9cdb934e4414e2cf58eb0062d1
SHA130268fc11e0ef7e54e219ef0dee3b75734a85c67
SHA2563ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8
SHA5125259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38
-
C:\Users\Admin\AppData\Local\Temp\21292.exeMD5
c4f7ad9cdb934e4414e2cf58eb0062d1
SHA130268fc11e0ef7e54e219ef0dee3b75734a85c67
SHA2563ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8
SHA5125259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38
-
C:\Users\Admin\AppData\Local\Temp\2465529280.exeMD5
7d52884b375ce8b6182f1c53f0f1c496
SHA16b70e90b0dada8d93c61caa678e76ce2abcbc76b
SHA2569c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021
SHA51224350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515
-
C:\Users\Admin\AppData\Local\Temp\2465529280.exeMD5
7d52884b375ce8b6182f1c53f0f1c496
SHA16b70e90b0dada8d93c61caa678e76ce2abcbc76b
SHA2569c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021
SHA51224350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515
-
memory/576-4-0x0000000000000000-mapping.dmp
-
memory/2072-7-0x0000000000000000-mapping.dmp
-
memory/2072-11-0x0000000004C00000-0x0000000004CC3000-memory.dmpFilesize
780KB
-
memory/2072-26-0x0000000004C00000-0x0000000004CC8000-memory.dmpFilesize
800KB
-
memory/3628-1-0x0000000000000000-mapping.dmp
-
memory/3892-0-0x0000000000000000-mapping.dmp