Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 15:16

Static task: static1
Behavioral task: behavioral1
Sample: 5d91a29ea526e4630883fd17a5e43f9b.exe
Resource: win7v20201028
General
- Target: 5d91a29ea526e4630883fd17a5e43f9b.exe
- Size: 31KB
- MD5: 5d91a29ea526e4630883fd17a5e43f9b
- SHA1: 6615060efc5b5d439a6ac0246d9668c797e98692
- SHA256: a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f
- SHA512: 329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1
Malware Config
Signatures
- Phorphiex Payload (5 IoCs)
  Processes:
    resource                                          yara_rule
    \24903353523906\svchost.exe                       family_phorphiex
    C:\24903353523906\svchost.exe                     family_phorphiex
    C:\24903353523906\svchost.exe                     family_phorphiex
    \Users\Admin\AppData\Local\Temp\2717138293.exe    family_phorphiex
    C:\Users\Admin\AppData\Local\Temp\2717138293.exe  family_phorphiex

- Executes dropped EXE (3 IoCs)
  Processes:
    pid    process
    1848   svchost.exe
    1516   2717138293.exe
    2040   1801226722.exe

- Loads dropped DLL (3 IoCs)
  Processes:
    pid    process
    2028   5d91a29ea526e4630883fd17a5e43f9b.exe
    1848   svchost.exe
    1848   svchost.exe
- Windows security modification (7 IoCs)
  Processes:
    description       ioc                                                                                                        process
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"                   svchost.exe
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"              svchost.exe
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"                    svchost.exe
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"               svchost.exe
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"                svchost.exe
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"                  svchost.exe
    Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"             svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description       ioc                                                                                                                                                            process
    Set value (str)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\24903353523906\\svchost.exe"   5d91a29ea526e4630883fd17a5e43f9b.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\24903353523906\\svchost.exe"                                5d91a29ea526e4630883fd17a5e43f9b.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    22     icanhazip.com

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid    process                                 target process
    PID 2028 wrote to memory of 1848   2028   5d91a29ea526e4630883fd17a5e43f9b.exe    svchost.exe
    PID 2028 wrote to memory of 1848   2028   5d91a29ea526e4630883fd17a5e43f9b.exe    svchost.exe
    PID 2028 wrote to memory of 1848   2028   5d91a29ea526e4630883fd17a5e43f9b.exe    svchost.exe
    PID 2028 wrote to memory of 1848   2028   5d91a29ea526e4630883fd17a5e43f9b.exe    svchost.exe
    PID 1848 wrote to memory of 1516   1848   svchost.exe                             2717138293.exe
    PID 1848 wrote to memory of 1516   1848   svchost.exe                             2717138293.exe
    PID 1848 wrote to memory of 1516   1848   svchost.exe                             2717138293.exe
    PID 1848 wrote to memory of 1516   1848   svchost.exe                             2717138293.exe
    PID 1848 wrote to memory of 2040   1848   svchost.exe                             1801226722.exe
    PID 1848 wrote to memory of 2040   1848   svchost.exe                             1801226722.exe
    PID 1848 wrote to memory of 2040   1848   svchost.exe                             1801226722.exe
    PID 1848 wrote to memory of 2040   1848   svchost.exe                             1801226722.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5d91a29ea526e4630883fd17a5e43f9b.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5d91a29ea526e4630883fd17a5e43f9b.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
  - [2] C:\24903353523906\svchost.exe
        command line: C:\24903353523906\svchost.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\2717138293.exe
          command line: C:\Users\Admin\AppData\Local\Temp\2717138293.exe
          - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\1801226722.exe
          command line: C:\Users\Admin\AppData\Local\Temp\1801226722.exe
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads