Downloads.rar

General
Target

good.exe

Filesize

139MB

Completed

19-11-2020 10:40

Score
10/10
Malware Config
Signatures 8


Defense Evasion
Persistence
  • Phorphiex Worm

    Description

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • Executes dropped EXE
    wcfgmgr32.exe

    Reported IOCs

    pid  | process
    3264 | wcfgmgr32.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource                                    | yara_rule
    behavioral28/files/0x000100000001ab87-3.dat | upx
    behavioral28/files/0x000100000001ab87-2.dat | upx
  • Windows security modification
    wcfgmgr32.exe

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description     | ioc                                                                                          | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"        | wcfgmgr32.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"       | wcfgmgr32.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcfgmgr32.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | wcfgmgr32.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | wcfgmgr32.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | wcfgmgr32.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | wcfgmgr32.exe
  • Adds Run key to start application
    good.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description     | ioc                                                                                                                                          | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WCfgMgr32 = "C:\\Windows\\3049586940303040\\wcfgmgr32.exe"            | good.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCfgMgr32 = "C:\\Windows\\3049586940303040\\wcfgmgr32.exe" | good.exe
  • Drops file in Windows directory
    good.exe

    Reported IOCs

    description                  | ioc                                        | process
    File created                 | C:\Windows\3049586940303040\wcfgmgr32.exe | good.exe
    File opened for modification | C:\Windows\3049586940303040\wcfgmgr32.exe | good.exe
    File opened for modification | C:\Windows\3049586940303040               | good.exe
  • Suspicious use of WriteProcessMemory
    good.exe

    Reported IOCs

    description                     | pid  | process  | target process
    PID 3004 wrote to memory of 3264 | 3004 | good.exe | wcfgmgr32.exe
    PID 3004 wrote to memory of 3264 | 3004 | good.exe | wcfgmgr32.exe
    PID 3004 wrote to memory of 3264 | 3004 | good.exe | wcfgmgr32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\good.exe
    "C:\Users\Admin\AppData\Local\Temp\good.exe"
    Adds Run key to start application
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\3049586940303040\wcfgmgr32.exe
      C:\Windows\3049586940303040\wcfgmgr32.exe
      Executes dropped EXE
      Windows security modification
      PID:3264
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • C:\Windows\3049586940303040\wcfgmgr32.exe

    MD5     b034e2a7cd76b757b7c62ce514b378b4
    SHA1    27d15f36cb5e3338a19a7f6441ece58439f830f2
    SHA256  90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
    SHA512  1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

  • memory/3004-0-0x0000000002F31000-0x0000000002F35000-memory.dmp
  • memory/3264-1-0x0000000000000000-mapping.dmp
  • memory/3264-4-0x0000000002EE1000-0x0000000002EE5000-memory.dmp