Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-11-2020 09:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: 10941585e933119c70b14961e91acc82.exe
- Resource: win7v20201028

General
- Target: 10941585e933119c70b14961e91acc82.exe
- Size: 31KB
- MD5: 10941585e933119c70b14961e91acc82
- SHA1: e629db65702a4d84c9313c2918f5851bdb14b49e
- SHA256: 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
- SHA512: 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450
Malware Config
Signatures
-
Phorphiex Payload 5 IoCs
Processes (resource / yara_rule):
- \1326261419625\svchost.exe: family_phorphiex
- C:\1326261419625\svchost.exe: family_phorphiex
- C:\1326261419625\svchost.exe: family_phorphiex
- \Users\Admin\AppData\Local\Temp\1540428975.exe: family_phorphiex
- C:\Users\Admin\AppData\Local\Temp\1540428975.exe: family_phorphiex
-
Executes dropped EXE 5 IoCs
Processes (pid / process):
- 1136 svchost.exe
- 852 1540428975.exe
- 1312 1252817773.exe
- 1384 2908718115.exe
- 240 3640435775.exe
-
Loads dropped DLL 5 IoCs
Processes (pid / process):
- 2028 10941585e933119c70b14961e91acc82.exe
- 1136 svchost.exe
- 1136 svchost.exe
- 1136 svchost.exe
- 1136 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes (description / ioc / process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (svchost.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe" (10941585e933119c70b14961e91acc82.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe" (10941585e933119c70b14961e91acc82.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 23: icanhazip.com
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (pid / process / target process); each write below was recorded four times, 20 events in total:
- PID 2028 (10941585e933119c70b14961e91acc82.exe) wrote to memory of 1136 (svchost.exe)
- PID 1136 (svchost.exe) wrote to memory of 852 (1540428975.exe)
- PID 1136 (svchost.exe) wrote to memory of 1312 (1252817773.exe)
- PID 1136 (svchost.exe) wrote to memory of 1384 (2908718115.exe)
- PID 1136 (svchost.exe) wrote to memory of 240 (3640435775.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\1326261419625\svchost.exe (depth 2)
    Command line: C:\1326261419625\svchost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1540428975.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\1540428975.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\1252817773.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\1252817773.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\2908718115.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\2908718115.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\3640435775.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\3640435775.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads