Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 03-02-2021 14:19

Static task: static1
Behavioral task: behavioral1
  Sample: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
  Resource: win7v20201028
General
Target: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
Size: 35KB
MD5: 1270d03503499a3dc08a3d959ded61f5
SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
Malware Config
Signatures
Phorphiex Payload (7 IoCs)
resource | yara_rule
\359674776178\svchost.exe | family_phorphiex
C:\359674776178\svchost.exe | family_phorphiex
C:\359674776178\svchost.exe | family_phorphiex
\Users\Admin\AppData\Local\Temp\1579213740.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1579213740.exe | family_phorphiex
\Users\Admin\AppData\Local\Temp\3085222049.exe | family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3085222049.exe | family_phorphiex
Executes dropped EXE (4 IoCs)
pid | process
396 | svchost.exe
916 | 1579213740.exe
1916 | 3085222049.exe
1308 | 3765338565.exe
Loads dropped DLL (4 IoCs)
pid | process
1832 | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
396 | svchost.exe
396 | svchost.exe
396 | svchost.exe
Windows security modification (7 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\359674776178\\svchost.exe" | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\359674776178\\svchost.exe" | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
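Detection logic for the two registry signatures above (Security Center tampering and the Run-key persistence), written as an added example; it is not part of the sandbox report and not the sandbox's own rule set. The Security Center values the dropped svchost.exe sets are the Windows 7 Action Center switches that suppress the antivirus, anti-spyware, firewall and update status warnings, so setting each to 1 hides the protection being off; the Wow6432Node path is the x64 VM's registry redirection for a 32-bit writer. The code assumes events in the shape the report prints them, (process, key path including value name, data), and the event list is constructed: the sample is renamed sample.exe, the SID is the one from the report, and the last three rows are made-up benign controls that must not fire. The all-digit-folder rule is taken from this sample's install directory (C:\359674776178), not a claim about the family in general.

```python
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    process: str  # image name of the process that wrote the value
    key: str      # key path including the value name, as the sandbox prints it
    data: str     # value data rendered as a string


# Constructed events modelled on the "Set value" rows of the report. They are
# not the sandbox's records: the sample is renamed sample.exe and the last
# three rows are made-up benign controls that the rules must leave alone.
SID = "S-1-5-21-3825035466-2522850611-591511364-1000"
HKLM_SC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
INSTALL = r"C:\359674776178\svchost.exe"

SAMPLE_EVENTS = [
    RegEvent("svchost.exe", HKLM_SC + r"\AntiVirusOverride", "1"),
    RegEvent("svchost.exe", HKLM_SC + r"\FirewallDisableNotify", "1"),
    RegEvent("sample.exe", HKLM_RUN + r"\Host Process for Windows Services", INSTALL),
    RegEvent("sample.exe", HKU_RUN + r"\Host Process for Windows Services", INSTALL),
    RegEvent("explorer.exe", HKU_RUN + r"\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegEvent("wscsvc.exe", HKLM_SC + r"\AntiVirusOverride", "0"),
    RegEvent("svchost.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe"),
]

# Security Center switches that hide the Action Center AV/firewall/update warnings.
SEC_CENTER_RE = re.compile(
    r"\\Microsoft\\Security Center\\"
    r"(AntiVirus|AntiSpyware|Firewall|Updates)(Override|DisableNotify)$", re.I)
# Run and RunOnce values; group 1 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def exe_path(data):
    """Executable part of a Run-key command line: the quoted path if quoted,
    otherwise the text up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_event(ev):
    """Findings for one registry write, as (rule, detail) pairs."""
    findings = []
    m = SEC_CENTER_RE.search(ev.key)
    if m and ev.data.strip() == "1":
        findings.append(("security_center_tamper", f"{m.group(1)}{m.group(2)}=1"))
    m = RUN_KEY_RE.search(ev.key)
    if m:
        exe = exe_path(ev.data)
        low = exe.lower()
        folder, _, name = low.rpartition("\\")
        # A system-binary name launched from anywhere but the system directories.
        if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            findings.append(("run_key_masquerade", f"{m.group(1)} -> {exe}"))
        # An all-digit install folder, as this sample used (C:\359674776178).
        if folder.rpartition("\\")[2].isdigit():
            findings.append(("run_key_numeric_dir", f"{m.group(1)} -> {exe}"))
    return findings


def scan(events):
    """(process, rule, detail) for every finding across the event list."""
    return [(ev.process, rule, detail)
            for ev in events for rule, detail in check_event(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

Against the constructed list the scan returns six findings: two Security Center tamper hits from svchost.exe and, for each of the two Run values written by the sample, both a masquerade hit (svchost.exe outside the system directories) and a numeric-folder hit; the OneDrive entry, the value set to "0" and the Winlogon write produce nothing.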
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | process
1308 | 3765338565.exe
1308 | 3765338565.exe
1308 | 3765338565.exe
Suspicious use of WriteProcessMemory (16 IoCs; each parent/child pair was recorded 4 times)
description | pid | process | target pid | target process
wrote to memory | 1832 | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe | 396 | svchost.exe (4 events)
wrote to memory | 396 | svchost.exe | 916 | 1579213740.exe (4 events)
wrote to memory | 396 | svchost.exe | 1916 | 3085222049.exe (4 events)
wrote to memory | 396 | svchost.exe | 1308 | 3765338565.exe (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe (command line: "C:\Users\Admin\AppData\Local\Temp\329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe")
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\359674776178\svchost.exe (command line: C:\359674776178\svchost.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1579213740.exe (command line: C:\Users\Admin\AppData\Local\Temp\1579213740.exe)
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\3085222049.exe (command line: C:\Users\Admin\AppData\Local\Temp\3085222049.exe)
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\3765338565.exe (command line: C:\Users\Admin\AppData\Local\Temp\3765338565.exe)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\359674776178\svchost.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- C:\Users\Admin\AppData\Local\Temp\1579213740.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- C:\Users\Admin\AppData\Local\Temp\3085222049.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- C:\Users\Admin\AppData\Local\Temp\3765338565.exe
  MD5: 8878c92a4904f6a5ee5afe2b76f86dc3
  SHA1: 0aad86be67dfe4a80020255ae85314d57ab1690b
  SHA256: 9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9
  SHA512: 19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49
- \359674776178\svchost.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- \Users\Admin\AppData\Local\Temp\1579213740.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- \Users\Admin\AppData\Local\Temp\3085222049.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- \Users\Admin\AppData\Local\Temp\3765338565.exe
  MD5: 8878c92a4904f6a5ee5afe2b76f86dc3
  SHA1: 0aad86be67dfe4a80020255ae85314d57ab1690b
  SHA256: 9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9
  SHA512: 19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49
- memory/396-5-0x0000000000000000-mapping.dmp
- memory/792-3-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp (Filesize: 2.5MB)
- memory/916-10-0x0000000000000000-mapping.dmp
- memory/1308-18-0x0000000000000000-mapping.dmp
- memory/1308-21-0x0000000001FC0000-0x0000000001FD1000-memory.dmp (Filesize: 68KB)
- memory/1308-20-0x0000000001BB0000-0x0000000001BC1000-memory.dmp (Filesize: 68KB)
- memory/1308-22-0x0000000001BB0000-0x0000000001BC1000-memory.dmp (Filesize: 68KB)
- memory/1832-2-0x0000000075DE1000-0x0000000075DE3000-memory.dmp (Filesize: 8KB)
- memory/1916-14-0x0000000000000000-mapping.dmp
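The WriteProcessMemory table and the Downloads list above together answer the first triage question for a self-replicating dropper: which of the spawned children are byte-for-byte copies of the submitted sample and which are genuinely new code. The script below is an added example, not the sandbox's export or API; it parses rows in the "PID x wrote to memory of y" layout the report uses (retyped here as a constructed string, with the sample shortened to sample.exe), collapses the repeated calls per parent/child pair into one edge, rebuilds the process tree, and labels each process with the Downloads hashes: the dropped svchost.exe, 1579213740.exe and 3085222049.exe share the submitted SHA256 (self-copies), and only 3765338565.exe carries a different hash, so it is the one file worth submitting for separate analysis.

```python
import re
from collections import defaultdict

# Constructed, retyped copy of rows shown in the report (sample renamed to
# sample.exe); not a sandbox export format. Real reports should be fetched
# through the service's API rather than scraped from the page.
SUBMITTED_SHA256 = "329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339"

WPM_ROWS = """\
PID 1832 wrote to memory of 396 1832 sample.exe svchost.exe
PID 1832 wrote to memory of 396 1832 sample.exe svchost.exe
PID 396 wrote to memory of 916 396 svchost.exe 1579213740.exe
PID 396 wrote to memory of 1916 396 svchost.exe 3085222049.exe
PID 396 wrote to memory of 1308 396 svchost.exe 3765338565.exe
PID 396 wrote to memory of 1308 396 svchost.exe 3765338565.exe
"""

DROPPED = {  # path -> SHA256, as listed under Downloads
    r"C:\359674776178\svchost.exe": SUBMITTED_SHA256,
    r"C:\Users\Admin\AppData\Local\Temp\1579213740.exe": SUBMITTED_SHA256,
    r"C:\Users\Admin\AppData\Local\Temp\3085222049.exe": SUBMITTED_SHA256,
    r"C:\Users\Admin\AppData\Local\Temp\3765338565.exe":
        "9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9",
}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm(text):
    """Unique (src_pid, dst_pid, src_image, dst_image) edges. The sandbox logs
    one row per WriteProcessMemory call, so a set collapses the repeats."""
    edges = set()
    for m in WPM_RE.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        edges.add((int(src), int(dst), src_img, dst_img))
    return edges


def build_tree(edges):
    """Return (pid -> image, pid -> child pids, root pids)."""
    image, children, has_parent = {}, defaultdict(list), set()
    for src, dst, src_img, dst_img in sorted(edges):
        image.setdefault(src, src_img)
        image[dst] = dst_img
        children[src].append(dst)
        has_parent.add(dst)
    roots = [pid for pid in image if pid not in has_parent]
    return image, dict(children), roots


def classify_dropped(dropped, submitted_sha256):
    """Label each dropped file by basename: 'self-copy' when its hash equals
    the submitted sample's, otherwise 'new payload <first 12 hex chars>'."""
    labels = {}
    for path, sha in dropped.items():
        name = path.rsplit("\\", 1)[-1].lower()
        if sha.lower() == submitted_sha256.lower():
            labels[name] = "self-copy"
        else:
            labels[name] = f"new payload {sha[:12]}"
    return labels


def render(image, children, roots, labels):
    """Indented process tree, one line per process, each tagged with its label."""
    lines = []

    def walk(pid, depth):
        img = image[pid]
        tag = labels.get(img.lower(), "submitted sample" if depth == 0 else "unknown")
        lines.append(f"{'  ' * depth}{pid} {img} [{tag}]")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def analyse(wpm_text=WPM_ROWS, dropped=DROPPED, submitted=SUBMITTED_SHA256):
    image, children, roots = build_tree(parse_wpm(wpm_text))
    return render(image, children, roots, classify_dropped(dropped, submitted))


if __name__ == "__main__":
    print("\n".join(analyse()))
```

The tree comes out as sample.exe at the root, its self-copy svchost.exe beneath it, and three Temp children under that, of which only 3765338565.exe is tagged as a new payload; the memory-dump names above are consistent with that split, since PID 1308 is the only child with non-mapping dumps.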