Analysis
max time kernel: 149s
max time network: 144s
platform: windows10_x64
resource: win10v20201028
submitted: 04-02-2021 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 9a50980afb1c6a43cf38872e694bb7db.exe
Resource: win7v20201028
General
Target: 9a50980afb1c6a43cf38872e694bb7db.exe
Size: 37KB
MD5: 9a50980afb1c6a43cf38872e694bb7db
SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
Malware Config
Signatures
Phorphiex Payload 6 IoCs
Processes:
resource -> yara_rule
C:\15889121124699\svchost.exe -> family_phorphiex
C:\15889121124699\svchost.exe -> family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1504732362.exe -> family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1504732362.exe -> family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1544433843.exe -> family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1544433843.exe -> family_phorphiex
Executes dropped EXE 5 IoCs
Processes:
PID 3116 svchost.exe
PID 1928 1504732362.exe
PID 2856 1544433843.exe
PID 2060 3215326350.exe
PID 3928 3511434783.exe
Windows security modification
Processes:
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9a50980afb1c6a43cf38872e694bb7db.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\15889121124699\\svchost.exe"
9a50980afb1c6a43cf38872e694bb7db.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\15889121124699\\svchost.exe"
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
PID 2060 3215326350.exe (6 entries)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
PID 636 9a50980afb1c6a43cf38872e694bb7db.exe wrote to memory of PID 3116 svchost.exe (3 entries)
PID 3116 svchost.exe wrote to memory of PID 1928 1504732362.exe (3 entries)
PID 3116 svchost.exe wrote to memory of PID 2856 1544433843.exe (3 entries)
PID 3116 svchost.exe wrote to memory of PID 2060 3215326350.exe (3 entries)
PID 3116 svchost.exe wrote to memory of PID 3928 3511434783.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\15889121124699\svchost.exe
    Command line: C:\15889121124699\svchost.exe
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\1504732362.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1504732362.exe
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\1544433843.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1544433843.exe
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\3215326350.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3215326350.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\AppData\Local\Temp\3511434783.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3511434783.exe
      - Executes dropped EXE
Downloads
C:\15889121124699\svchost.exe
MD5: 9a50980afb1c6a43cf38872e694bb7db
SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
C:\Users\Admin\AppData\Local\Temp\1504732362.exe
MD5: 9a50980afb1c6a43cf38872e694bb7db
SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
C:\Users\Admin\AppData\Local\Temp\1544433843.exe
MD5: 9a50980afb1c6a43cf38872e694bb7db
SHA1: 237aa3ee8c912e6f8326782b790327562cef8dd9
SHA256: 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
SHA512: fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8
C:\Users\Admin\AppData\Local\Temp\3215326350.exe
MD5: d6a8c17bb74138c72a215b9aa9a8f2ca
SHA1: 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75
SHA256: 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf
SHA512: e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e
C:\Users\Admin\AppData\Local\Temp\3511434783.exe
MD5: 959292f2ba7b55140c759ae2f339ea46
SHA1: 95c0465226700d89551d6a6022351890a7a25bd3
SHA256: c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457
SHA512: 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343
Memory dumps
memory/1928-5-0x0000000000000000-mapping.dmp
memory/2060-11-0x0000000000000000-mapping.dmp
memory/2060-14-0x00000000029E0000-0x00000000029E1000-memory.dmp (Filesize: 4KB)
memory/2060-15-0x00000000031E0000-0x00000000031E1000-memory.dmp (Filesize: 4KB)
memory/2060-16-0x00000000029E0000-0x00000000029E1000-memory.dmp (Filesize: 4KB)
memory/2856-8-0x0000000000000000-mapping.dmp
memory/3116-2-0x0000000000000000-mapping.dmp
memory/3928-20-0x0000000000000000-mapping.dmp