Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 30-12-2020 08:59

Static task: static1
Behavioral task: behavioral1
Sample: 24fe67e5b75b240e8bc12d76fe5b1e42.exe
Resource: win7v20201028
General

Target: 24fe67e5b75b240e8bc12d76fe5b1e42.exe
Size: 34KB
MD5: 24fe67e5b75b240e8bc12d76fe5b1e42
SHA1: f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
SHA256: 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
SHA512: a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5
Malware Config
Signatures

Phorphiex Payload (3 IoCs)
  resource                        yara_rule
  \11419251091121\svchost.exe     family_phorphiex
  C:\11419251091121\svchost.exe   family_phorphiex
  C:\11419251091121\svchost.exe   family_phorphiex

Executes dropped EXE (1 IoC)
  pid    process
  756    svchost.exe

Loads dropped DLL (1 IoC)
  pid    process
  1204   24fe67e5b75b240e8bc12d76fe5b1e42.exe

Windows security modification (7 IoCs)
  description       ioc                                                                                                process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"          svchost.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"     svchost.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"           svchost.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"      svchost.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"            svchost.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"       svchost.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"        svchost.exe

  These Security Center values suppress the Windows 7 Action Center warnings about missing antivirus, firewall and updates. The writes land under Wow6432Node because the process is 32-bit and the registry is redirected on this x64 guest; on a 32-bit host the same values appear directly under HKLM\SOFTWARE\Microsoft\Security Center.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                                        process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe"          24fe67e5b75b240e8bc12d76fe5b1e42.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe"   24fe67e5b75b240e8bc12d76fe5b1e42.exe

  The value name "Host Process for Windows Services" is the file description of the genuine svchost.exe; the path it points to is the dropper's own copy in a numeric directory at the drive root, not %SystemRoot%\System32. Both the machine and the current user's Run key are written, so persistence survives whichever hive the malware can write to.

Suspicious use of WriteProcessMemory (4 IoCs)
  description                 pid    process                                  target process
  PID 1204 wrote to memory    756    24fe67e5b75b240e8bc12d76fe5b1e42.exe     svchost.exe
  PID 1204 wrote to memory    756    24fe67e5b75b240e8bc12d76fe5b1e42.exe     svchost.exe
  PID 1204 wrote to memory    756    24fe67e5b75b240e8bc12d76fe5b1e42.exe     svchost.exe
  PID 1204 wrote to memory    756    24fe67e5b75b240e8bc12d76fe5b1e42.exe     svchost.exe
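As an added example (not part of the sandbox report and not Phorphiex code), the classifier below parses "Set value" IoC lines in the format the report uses and flags the two behaviours seen above: Security Center override values set to 1, and a Run key that points at an svchost.exe outside the Windows system directories. The regular expressions, rule names, the eighth Security Center value name (AntiSpywareDisableNotify) and the two benign control lines at the end of SAMPLE_LINES are this example's own assumptions; the first four sample lines are copied from the signature table.

```python
"""Classify sandbox 'Set value' registry IoC lines into Phorphiex-style
Security Center overrides and masqueraded svchost.exe Run keys.
Example code written for this page; regexes and rule names are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Report line shape:  Set value (int|str) <key path> = "<data>" <process image>
SET_VALUE_RE = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Security Center\<value name>
SECURITY_CENTER_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Security Center\\(?P<name>[^\\]+)$', re.IGNORECASE)

# HKLM or HKU\<SID> ...\Microsoft\Windows\CurrentVersion\Run[Once]\<value name>
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$',
    re.IGNORECASE)

# The seven values the sample sets to 1, plus the AntiSpyware notify twin
# (assumed here so the rule covers the whole family of override values).
SECURITY_CENTER_VALUES = {
    "antivirusoverride", "antivirusdisablenotify",
    "firewalloverride", "firewalldisablenotify",
    "updatesoverride", "updatesdisablenotify",
    "antispywareoverride", "antispywaredisablenotify",
}

# The only legitimate homes for svchost.exe; anything else is masquerading.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Finding:
    rule: str
    process: str
    key: str
    data: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key, data, process) for a 'Set value' line, else None."""
    m = SET_VALUE_RE.match(line.strip())
    return (m["key"], m["data"], m["proc"]) if m else None


def normalize_path(data: str) -> str:
    """Undo the report's doubled backslashes and lower-case for comparison."""
    return data.replace("\\\\", "\\").strip('"').lower()


def classify(key: str, data: str, proc: str) -> Optional[Finding]:
    """Map one parsed registry write to a finding, or None if uninteresting."""
    m = SECURITY_CENTER_RE.match(key)
    if m and m["name"].lower() in SECURITY_CENTER_VALUES and data == "1":
        return Finding("security_center_override", proc, key, data)
    m = RUN_KEY_RE.match(key)
    if m:
        path = normalize_path(data)
        directory, _, base = path.rpartition("\\")
        if base == "svchost.exe" and directory not in SVCHOST_DIRS:
            return Finding("run_key_svchost_masquerade", proc, key, path)
        return Finding("run_key_added", proc, key, path)
    return None


def scan(lines) -> List[Finding]:
    """Parse and classify every line; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            finding = classify(*parsed)
            if finding:
                findings.append(finding)
    return findings


# First four lines come from the report's signature table; the last two are
# constructed benign controls (not sandbox output) to show what is NOT flagged.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe" 24fe67e5b75b240e8bc12d76fe5b1e42.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe" 24fe67e5b75b240e8bc12d76fe5b1e42.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" explorer.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "0" wscsvc.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.rule:28} {f.process:40} {f.data}")
```

The Run-key rule deliberately reports every Run entry and only escalates the svchost.exe-outside-System32 case, so a hunt over real Sysmon registry events (Event ID 13, after mapping TargetObject and Details onto the same key/data pair) keeps the full persistence inventory while the masquerade finding surfaces first.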
Processes

C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe (PID 1204)
  command line: "C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  └ C:\11419251091121\svchost.exe (PID 756, child of 1204)
      command line: C:\11419251091121\svchost.exe
      - Executes dropped EXE
      - Windows security modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped file, recorded three times by the sandbox with identical content:
  C:\11419251091121\svchost.exe
  C:\11419251091121\svchost.exe
  \11419251091121\svchost.exe

  MD5: 24fe67e5b75b240e8bc12d76fe5b1e42
  SHA1: f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
  SHA256: 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
  SHA512: a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

  All four hashes match the submitted sample: the dropper copies itself byte-for-byte to C:\11419251091121\svchost.exe and runs that copy, so a hash-based block on the original file also covers the persisted copy.

Memory dumps

memory/756-4-0x0000000000000000-mapping.dmp
memory/1364-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp (2.5MB)