Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 07-11-2020 07:41
Static task: static1
Behavioral task: behavioral1
- Sample: 371f00c6fdf9ee7012b15d210449b386.exe
- Resource: win7v20201028
General
- Target: 371f00c6fdf9ee7012b15d210449b386.exe
- Size: 112KB
- MD5: 371f00c6fdf9ee7012b15d210449b386
- SHA1: a71705075250ad01e1bf17db23a9dc560803adc1
- SHA256: e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579
- SHA512: d5dfb821bcb796c1bbb84baf057660a3364d82dfa0bb432fd941f2ba6f22035a255a966383e6ab497370b9574faa21690fc6a875e416f9d4dcbe40d1ebbd86df
Malware Config
Signatures
-
Phorphiex Payload 11 IoCs
The family_phorphiex YARA rule matched the submitted sample's installed copy and the second-stage binary under every path they were written to (each file is listed once per path variant the sandbox recorded). The two other dropped executables (2151729678.exe/3423417456.exe and 2282832923.exe/2479826907.exe) did not match the rule.
resource | yara_rule
\25712164312005\svchost.exe | family_phorphiex
C:\25712164312005\svchost.exe | family_phorphiex
C:\25712164312005\svchost.exe | family_phorphiex
\Users\Admin\AppData\Local\Temp\3112410773.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3112410773.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3112410773.exe | family_phorphiex
\70562832217809\svchost.exe | family_phorphiex
C:\70562832217809\svchost.exe | family_phorphiex
C:\70562832217809\svchost.exe | family_phorphiex
\Users\Admin\AppData\Local\Temp\2310726034.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2310726034.exe | family_phorphiex
Executes dropped EXE 8 IoCs
Processes: svchost.exe, 3112410773.exe, 2151729678.exe, svchost.exe, 2479826907.exe, 2310726034.exe, 3423417456.exe, 2282832923.exe
pid | process
560 | svchost.exe
612 | 3112410773.exe
1892 | 2151729678.exe
1612 | svchost.exe
1744 | 2479826907.exe
868 | 2310726034.exe
1108 | 3423417456.exe
1840 | 2282832923.exe
Loads dropped DLL 8 IoCs
Processes: 371f00c6fdf9ee7012b15d210449b386.exe, svchost.exe, 3112410773.exe, svchost.exe
pid | process
764 | 371f00c6fdf9ee7012b15d210449b386.exe
560 | svchost.exe
560 | svchost.exe
612 | 3112410773.exe
560 | svchost.exe
1612 | svchost.exe
1612 | svchost.exe
1612 | svchost.exe
Windows security modification 8 IoCs
Processes: svchost.exe, svchost.exe
Both installed copies (the svchost.exe at level 2 and the one at level 4 of the process tree) set the same four Security Center override/notification-suppression values. The writes land under Wow6432Node because the sample is a 32-bit image running on an x64 guest, so its HKLM\SOFTWARE writes are redirected by WOW64 registry redirection; when hunting on a 64-bit host, check both the native and the Wow6432Node key.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 371f00c6fdf9ee7012b15d210449b386.exe, 3112410773.exe
Both stages register a Run value named "Host Process for Windows Services" (the file description of the genuine svchost.exe) under both the current user's and the machine's Run key, each pointing at its own copy in a directory named with 14 digits at the root of C:.
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\25712164312005\\svchost.exe" | 371f00c6fdf9ee7012b15d210449b386.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\70562832217809\\svchost.exe" | 3112410773.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\70562832217809\\svchost.exe" | 3112410773.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\25712164312005\\svchost.exe" | 371f00c6fdf9ee7012b15d210449b386.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes: 371f00c6fdf9ee7012b15d210449b386.exe, svchost.exe, 3112410773.exe, svchost.exe
The report logs each source/target pair four times (32 events in total); the eight distinct pairs are listed once below. Every row matches a parent/child edge in the process tree, and no row targets a process that existed before the sample ran, so these events document process creation rather than injection into an unrelated process.
source PID | source process | target PID | target process
764 | 371f00c6fdf9ee7012b15d210449b386.exe | 560 | svchost.exe
560 | svchost.exe | 612 | 3112410773.exe
560 | svchost.exe | 1892 | 2151729678.exe
612 | 3112410773.exe | 1612 | svchost.exe
560 | svchost.exe | 1744 | 2479826907.exe
1612 | svchost.exe | 868 | 2310726034.exe
1612 | svchost.exe | 1108 | 3423417456.exe
1612 | svchost.exe | 1840 | 2282832923.exe
Processes
The tree follows the report's nesting (level 1 is the submitted sample); PIDs are taken from the signature tables above. Each entry gives the image path, then the command line as recorded.
- C:\Users\Admin\AppData\Local\Temp\371f00c6fdf9ee7012b15d210449b386.exe (PID 764, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\371f00c6fdf9ee7012b15d210449b386.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\25712164312005\svchost.exe (PID 560, level 2)
    command line: C:\25712164312005\svchost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3112410773.exe (PID 612, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\3112410773.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\70562832217809\svchost.exe (PID 1612, level 4)
        command line: C:\70562832217809\svchost.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\2310726034.exe (PID 868, level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\2310726034.exe
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\3423417456.exe (PID 1108, level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\3423417456.exe
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\2282832923.exe (PID 1840, level 5)
          command line: C:\Users\Admin\AppData\Local\Temp\2282832923.exe
          - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\2151729678.exe (PID 1892, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\2151729678.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\2479826907.exe (PID 1744, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\2479826907.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The report lists each dropped or cached file once per path variant it was seen under (with and without the drive letter, and once per write). Grouped by content, the run produced four distinct executables and three browser-cache entries.

- Dropped executable 1: identical to the submitted sample
  paths: C:\25712164312005\svchost.exe (also listed as \25712164312005\svchost.exe)
  MD5: 371f00c6fdf9ee7012b15d210449b386
  SHA1: a71705075250ad01e1bf17db23a9dc560803adc1
  SHA256: e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579
  SHA512: d5dfb821bcb796c1bbb84baf057660a3364d82dfa0bb432fd941f2ba6f22035a255a966383e6ab497370b9574faa21690fc6a875e416f9d4dcbe40d1ebbd86df
- Dropped executable 2: the second-stage binary, written under three names (the same content is downloaded again by the level-4 svchost.exe as 2310726034.exe)
  paths: C:\Users\Admin\AppData\Local\Temp\3112410773.exe, C:\70562832217809\svchost.exe, C:\Users\Admin\AppData\Local\Temp\2310726034.exe (each also listed without the drive letter)
  MD5: bf7d90121ee4f2922825193f362e27bf
  SHA1: 4939fbdc006f05b783c1d6d24947a2970cfcd70f
  SHA256: 11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964
  SHA512: 721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039
- Dropped executable 3: fetched once by each installed copy
  paths: C:\Users\Admin\AppData\Local\Temp\2151729678.exe, C:\Users\Admin\AppData\Local\Temp\3423417456.exe (each also listed without the drive letter)
  MD5: 15d07920fe0d8d6012912504f4437628
  SHA1: 30f5e45c53d25f1a3fd882a4f6c5766fe574c090
  SHA256: b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740
  SHA512: a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a
- Dropped executable 4: fetched once by each installed copy
  paths: C:\Users\Admin\AppData\Local\Temp\2282832923.exe, C:\Users\Admin\AppData\Local\Temp\2479826907.exe (each also listed without the drive letter)
  MD5: 3f1db3dc8315d4b551241a5d1060119d
  SHA1: de30f3fb88794d03c5f612e2f051aabd670dff88
  SHA256: 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff
  SHA512: 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Temporary Internet Files entries (WinINet cache; their hashes match none of the dropped executables above):
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\1[1]
  MD5: 70092a848d7c9a57e4d9549856e6542e
  SHA1: 941cddd9081003c3688f84d8de3d0e9bb3c511e9
  SHA256: 938f1b1f1067f54a744c9fafc3c1d0dc619ae0ea78689bcd68c1fb96012be3db
  SHA512: 1f01b1605a774871d03d8fc1586eac918f50388519bae24bda25dc7867da1428d54585f3a1e6c963dceccae4308190d0400354519d568176a297aa6ed4e44d8e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\3[1]
  MD5: 20bbe0afb4f7377cd875c4c57e9e5195
  SHA1: 4b417faf232cd2e73f29f02fe0e4ed3d3824ec3f
  SHA256: 7f950509b4c4417b9d8a02fc99d9de5262600536da05edacf9daf3fc78fc2805
  SHA512: 490224e54ec94a13d3bb5762daa35e21f82d9ea76af823fb883597e4601923da5e9095abf207f67c4782fa6f1ba424e3f6f70e36ffe893611782d958995df32c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OMGUDWI7\2[1]
  MD5: 2a844974f61e572cc93cebf83bb5a909
  SHA1: 6a1bf621865fbb3dd066ba96a3173c7c95e0e6d3
  SHA256: 4858a706a55afeec714ed243c32ba4ac78ecf85fbc064b28222b055b0f1417ec
  SHA512: d2b98148d54e4980ced9e3cd09fa6ae09fb86dfb1d106222feddb580d415f7aeefd882e074837c0352b063e077d33068335fcb85ed80a8e7fff5e57da03383db
Memory dumps (mapping dumps for each spawned child; PID 632 is the only entry with a sized region and does not appear in the process tables above):
- memory/560-2-0x0000000000000000-mapping.dmp
- memory/612-6-0x0000000000000000-mapping.dmp
- memory/632-0-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp (filesize 2.5MB)
- memory/868-21-0x0000000000000000-mapping.dmp
- memory/1108-25-0x0000000000000000-mapping.dmp
- memory/1612-13-0x0000000000000000-mapping.dmp
- memory/1744-16-0x0000000000000000-mapping.dmp
- memory/1840-29-0x0000000000000000-mapping.dmp
- memory/1892-9-0x0000000000000000-mapping.dmp