Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 12:02

Static task: static1
Behavioral task: behavioral1
Sample: a1e6dc9922fbe045c11f087b67d4ea05.exe
Resource: win7v20201028
General
- Target: a1e6dc9922fbe045c11f087b67d4ea05.exe
- Size: 1.0MB
- MD5: 6d99bee371359b0d520b4aa4e4a7ff03
- SHA1: 3ed8c8dbe6f962371aa27fa2faee30018789ae76
- SHA256: 77e500161161d047b1fc9dcba58f3422ad838b99b5c318972d33390be6d1d69c
- SHA512: 1ccebe7f12e81092e20a504d59dc86bc824e1b749637b6f1319a2769ac6e65b9cd1c45addd0097ea7593448c7a1020d9a96455d09e09aa5987667ef28944e4c1
Malware Config
Signatures
- Phorphiex Payload 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3137.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3137.exe | family_phorphiex
C:\246802638711127\svchost.exe | family_phorphiex
C:\246802638711127\svchost.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3558124404.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3558124404.exe | family_phorphiex
- Executes dropped EXE 4 IoCs
Processes: 3137.exe, svchost.exe, 3558124404.exe, 2786914762.exe
pid | process
4052 | 3137.exe
3556 | svchost.exe
2892 | 3558124404.exe
3492 | 2786914762.exe
- Windows security modification
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
- Adds Run key to start application 2 TTPs 2 IoCs
Processes: 3137.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\246802638711127\\svchost.exe" | 3137.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\246802638711127\\svchost.exe" | 3137.exe
- Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
39 | icanhazip.com
- Suspicious use of SetWindowsHookEx 2 IoCs
Processes: a1e6dc9922fbe045c11f087b67d4ea05.exe
pid | process
3408 | a1e6dc9922fbe045c11f087b67d4ea05.exe
3408 | a1e6dc9922fbe045c11f087b67d4ea05.exe
- Suspicious use of WriteProcessMemory 12 IoCs
Processes: a1e6dc9922fbe045c11f087b67d4ea05.exe, 3137.exe, svchost.exe
description | pid | process | target process
PID 3408 wrote to memory of 4052 | 3408 | a1e6dc9922fbe045c11f087b67d4ea05.exe | 3137.exe
PID 3408 wrote to memory of 4052 | 3408 | a1e6dc9922fbe045c11f087b67d4ea05.exe | 3137.exe
PID 3408 wrote to memory of 4052 | 3408 | a1e6dc9922fbe045c11f087b67d4ea05.exe | 3137.exe
PID 4052 wrote to memory of 3556 | 4052 | 3137.exe | svchost.exe
PID 4052 wrote to memory of 3556 | 4052 | 3137.exe | svchost.exe
PID 4052 wrote to memory of 3556 | 4052 | 3137.exe | svchost.exe
PID 3556 wrote to memory of 2892 | 3556 | svchost.exe | 3558124404.exe
PID 3556 wrote to memory of 2892 | 3556 | svchost.exe | 3558124404.exe
PID 3556 wrote to memory of 2892 | 3556 | svchost.exe | 3558124404.exe
PID 3556 wrote to memory of 3492 | 3556 | svchost.exe | 2786914762.exe
PID 3556 wrote to memory of 3492 | 3556 | svchost.exe | 2786914762.exe
PID 3556 wrote to memory of 3492 | 3556 | svchost.exe | 2786914762.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a1e6dc9922fbe045c11f087b67d4ea05.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a1e6dc9922fbe045c11f087b67d4ea05.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3137.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\3137.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\246802638711127\svchost.exe (depth 3)
      command line: C:\246802638711127\svchost.exe
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\3558124404.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\3558124404.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\2786914762.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\2786914762.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\246802638711127\svchost.exe
  MD5: 5d91a29ea526e4630883fd17a5e43f9b
  SHA1: 6615060efc5b5d439a6ac0246d9668c797e98692
  SHA256: a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f
  SHA512: 329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1
- C:\Users\Admin\AppData\Local\Temp\2786914762.exe
  MD5: 2570503fbcafeb4a7f604b07dba14243
  SHA1: d18687aca98f337096b45682fcc106226e3ec63b
  SHA256: 18c190d097c5d1c77e7f309f0339b95d67620cb4711237b40bdfeb71b082a64f
  SHA512: b142ce01545a715efe3aab52609fe806c318fbc138ac4dc4a29304212da0e1a2d31f5a9b50c670db9712983ce31e3788475bd4ac959c0f05a32a2391efa6b1cd
- C:\Users\Admin\AppData\Local\Temp\3137.exe
  MD5: 5d91a29ea526e4630883fd17a5e43f9b
  SHA1: 6615060efc5b5d439a6ac0246d9668c797e98692
  SHA256: a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f
  SHA512: 329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1
- C:\Users\Admin\AppData\Local\Temp\3558124404.exe
  MD5: 5d91a29ea526e4630883fd17a5e43f9b
  SHA1: 6615060efc5b5d439a6ac0246d9668c797e98692
  SHA256: a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f
  SHA512: 329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1
- memory/2892-6-0x0000000000000000-mapping.dmp
- memory/3492-9-0x0000000000000000-mapping.dmp
- memory/3556-3-0x0000000000000000-mapping.dmp
- memory/4052-0-0x0000000000000000-mapping.dmp