Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 01-12-2020 08:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: f4d7d721f68bc9a80aaf53bc184a3c58.exe
- Resource: win7v20201028
General
- Target: f4d7d721f68bc9a80aaf53bc184a3c58.exe
- Size: 35KB
- MD5: f4d7d721f68bc9a80aaf53bc184a3c58
- SHA1: 9e8a43f4c8d4c84a96496c5805835cd383a664fb
- SHA256: 7fff83cae8e0c8848bfdef443f51b5caea1474814c5d1691f0ccf0f3bcd7392a
- SHA512: 30cf8a555438b35a829471a59f5d5a5e85d65c83f2982cb78b7e6a48e55ad19a082011fce392a3d52090f5b0c447ee415097fe11cec9b83cc59229bd55069833
Signatures
- Phorphiex Payload (3 IoCs)
  Processes:
  resource | yara_rule
  \17068261879048\svchost.exe | family_phorphiex
  C:\17068261879048\svchost.exe | family_phorphiex
  C:\17068261879048\svchost.exe | family_phorphiex
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  928 | svchost.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1204 | f4d7d721f68bc9a80aaf53bc184a3c58.exe
- Windows security modification
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\17068261879048\\svchost.exe" | f4d7d721f68bc9a80aaf53bc184a3c58.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\17068261879048\\svchost.exe" | f4d7d721f68bc9a80aaf53bc184a3c58.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1204 wrote to memory of 928 | 1204 | f4d7d721f68bc9a80aaf53bc184a3c58.exe | svchost.exe
  PID 1204 wrote to memory of 928 | 1204 | f4d7d721f68bc9a80aaf53bc184a3c58.exe | svchost.exe
  PID 1204 wrote to memory of 928 | 1204 | f4d7d721f68bc9a80aaf53bc184a3c58.exe | svchost.exe
  PID 1204 wrote to memory of 928 | 1204 | f4d7d721f68bc9a80aaf53bc184a3c58.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f4d7d721f68bc9a80aaf53bc184a3c58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4d7d721f68bc9a80aaf53bc184a3c58.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\17068261879048\svchost.exe (child process)
    Command line: C:\17068261879048\svchost.exe
    - Executes dropped EXE
    - Windows security modification
Downloads
- C:\17068261879048\svchost.exe
  MD5: f4d7d721f68bc9a80aaf53bc184a3c58
  SHA1: 9e8a43f4c8d4c84a96496c5805835cd383a664fb
  SHA256: 7fff83cae8e0c8848bfdef443f51b5caea1474814c5d1691f0ccf0f3bcd7392a
  SHA512: 30cf8a555438b35a829471a59f5d5a5e85d65c83f2982cb78b7e6a48e55ad19a082011fce392a3d52090f5b0c447ee415097fe11cec9b83cc59229bd55069833
- \17068261879048\svchost.exe
  MD5: f4d7d721f68bc9a80aaf53bc184a3c58
  SHA1: 9e8a43f4c8d4c84a96496c5805835cd383a664fb
  SHA256: 7fff83cae8e0c8848bfdef443f51b5caea1474814c5d1691f0ccf0f3bcd7392a
  SHA512: 30cf8a555438b35a829471a59f5d5a5e85d65c83f2982cb78b7e6a48e55ad19a082011fce392a3d52090f5b0c447ee415097fe11cec9b83cc59229bd55069833
- memory/928-4-0x0000000000000000-mapping.dmp
- memory/1468-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp
  Filesize: 2.5MB