Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-02-2021 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 9a50980afb1c6a43cf38872e694bb7db.exe
Resource: win7v20201028
General
- Target: 9a50980afb1c6a43cf38872e694bb7db.exe
- Size: 37KB
- MD5: 9a50980afb1c6a43cf38872e694bb7db
- SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
- SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
- SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
Malware Config
Signatures
- Phorphiex Payload 7 IoCs
Processes:
resource                                            yara_rule
\13371362720595\svchost.exe                         family_phorphiex
C:\13371362720595\svchost.exe                       family_phorphiex
C:\13371362720595\svchost.exe                       family_phorphiex
\Users\Admin\AppData\Local\Temp\3553427902.exe      family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3553427902.exe    family_phorphiex
\Users\Admin\AppData\Local\Temp\2736435409.exe      family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2736435409.exe    family_phorphiex
- Executes dropped EXE 5 IoCs
Processes:
pid   process
1456  svchost.exe
824   3553427902.exe
1960  2736435409.exe
1676  2852011786.exe
1020  1545610586.exe
- Loads dropped DLL 5 IoCs
Processes:
pid   process
1096  9a50980afb1c6a43cf38872e694bb7db.exe
1456  svchost.exe
1456  svchost.exe
1456  svchost.exe
1456  svchost.exe
- Windows security modification 7 IoCs
Processes:
description      ioc                                                                                             process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"     svchost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       svchost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  svchost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        svchost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   svchost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"         svchost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    svchost.exe
- Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                                                  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13371362720595\\svchost.exe"                    9a50980afb1c6a43cf38872e694bb7db.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13371362720595\\svchost.exe"  9a50980afb1c6a43cf38872e694bb7db.exe
- Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
1676  2852011786.exe
1676  2852011786.exe
1676  2852011786.exe
- Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description                       pid   process                               target process
PID 1096 wrote to memory of 1456  1096  9a50980afb1c6a43cf38872e694bb7db.exe  svchost.exe
PID 1096 wrote to memory of 1456  1096  9a50980afb1c6a43cf38872e694bb7db.exe  svchost.exe
PID 1096 wrote to memory of 1456  1096  9a50980afb1c6a43cf38872e694bb7db.exe  svchost.exe
PID 1096 wrote to memory of 1456  1096  9a50980afb1c6a43cf38872e694bb7db.exe  svchost.exe
PID 1456 wrote to memory of 824   1456  svchost.exe                           3553427902.exe
PID 1456 wrote to memory of 824   1456  svchost.exe                           3553427902.exe
PID 1456 wrote to memory of 824   1456  svchost.exe                           3553427902.exe
PID 1456 wrote to memory of 824   1456  svchost.exe                           3553427902.exe
PID 1456 wrote to memory of 1960  1456  svchost.exe                           2736435409.exe
PID 1456 wrote to memory of 1960  1456  svchost.exe                           2736435409.exe
PID 1456 wrote to memory of 1960  1456  svchost.exe                           2736435409.exe
PID 1456 wrote to memory of 1960  1456  svchost.exe                           2736435409.exe
PID 1456 wrote to memory of 1676  1456  svchost.exe                           2852011786.exe
PID 1456 wrote to memory of 1676  1456  svchost.exe                           2852011786.exe
PID 1456 wrote to memory of 1676  1456  svchost.exe                           2852011786.exe
PID 1456 wrote to memory of 1676  1456  svchost.exe                           2852011786.exe
PID 1456 wrote to memory of 1020  1456  svchost.exe                           1545610586.exe
PID 1456 wrote to memory of 1020  1456  svchost.exe                           1545610586.exe
PID 1456 wrote to memory of 1020  1456  svchost.exe                           1545610586.exe
PID 1456 wrote to memory of 1020  1456  svchost.exe                           1545610586.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\13371362720595\svchost.exe
    Command line: C:\13371362720595\svchost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\3553427902.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3553427902.exe
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\2736435409.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2736435409.exe
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\2852011786.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2852011786.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\AppData\Local\Temp\1545610586.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1545610586.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\13371362720595\svchost.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- C:\13371362720595\svchost.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- C:\Users\Admin\AppData\Local\Temp\1545610586.exe
  MD5: 959292f2ba7b55140c759ae2f339ea46
  SHA1: 95c0465226700d89551d6a6022351890a7a25bd3
  SHA256: c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457
  SHA512: 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343
- C:\Users\Admin\AppData\Local\Temp\2736435409.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- C:\Users\Admin\AppData\Local\Temp\2852011786.exe
  MD5: d6a8c17bb74138c72a215b9aa9a8f2ca
  SHA1: 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75
  SHA256: 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf
  SHA512: e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e
- C:\Users\Admin\AppData\Local\Temp\3553427902.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- \13371362720595\svchost.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- \Users\Admin\AppData\Local\Temp\1545610586.exe
  MD5: 959292f2ba7b55140c759ae2f339ea46
  SHA1: 95c0465226700d89551d6a6022351890a7a25bd3
  SHA256: c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457
  SHA512: 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343
- \Users\Admin\AppData\Local\Temp\2736435409.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- \Users\Admin\AppData\Local\Temp\2852011786.exe
  MD5: d6a8c17bb74138c72a215b9aa9a8f2ca
  SHA1: 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75
  SHA256: 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf
  SHA512: e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e
- \Users\Admin\AppData\Local\Temp\3553427902.exe
  MD5: 9a50980afb1c6a43cf38872e694bb7db
  SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
  SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
  SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
- memory/824-10-0x0000000000000000-mapping.dmp
- memory/1020-27-0x0000000000000000-mapping.dmp
- memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp
  Filesize: 8KB
- memory/1456-5-0x0000000000000000-mapping.dmp
- memory/1676-20-0x0000000000750000-0x0000000000761000-memory.dmp
  Filesize: 68KB
- memory/1676-21-0x0000000002080000-0x0000000002091000-memory.dmp
  Filesize: 68KB
- memory/1676-22-0x0000000000750000-0x0000000000761000-memory.dmp
  Filesize: 68KB
- memory/1676-18-0x0000000000000000-mapping.dmp
- memory/1684-3-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp
  Filesize: 2.5MB
- memory/1960-14-0x0000000000000000-mapping.dmp