Analysis

- Max time kernel: 149s
- Max time network: 147s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 30-03-2021 04:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
General

- Target: d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
- Size: 32KB
- MD5: f7af1a6fb7947ef70c27da2377c0f80a
- SHA1: fe64c65af081e168399ecc7d804a3a5d76ccd6d8
- SHA256: d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292
- SHA512: abf9a990cf834b3e29cbd503dac34e0d62583e7d342e851864ee6d3504272cd399d58cd658c590d23a65f9cd111c431d54fb5803c646f48abab2a8a117bc94ef
Signatures

Phorphiex Payload (9 IoCs)
Processes (resource, yara_rule):
- \28681921021105\sihost.exe: family_phorphiex
- C:\28681921021105\sihost.exe: family_phorphiex
- C:\28681921021105\sihost.exe: family_phorphiex
- \Users\Admin\AppData\Local\Temp\2007632652.exe: family_phorphiex
- C:\Users\Admin\AppData\Local\Temp\2007632652.exe: family_phorphiex
- C:\Users\Admin\AppData\Local\Temp\2007632652.exe: family_phorphiex
- \224932101319066\spoolsv.exe: family_phorphiex
- C:\224932101319066\spoolsv.exe: family_phorphiex
- C:\224932101319066\spoolsv.exe: family_phorphiex

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 592 sihost.exe
- 1924 2007632652.exe
- 1384 spoolsv.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 1732 d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
- 592 sihost.exe
- 1924 2007632652.exe

Windows security modification
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (spoolsv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (spoolsv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (spoolsv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" (spoolsv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (spoolsv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (sihost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (spoolsv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (spoolsv.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\28681921021105\\sihost.exe" (d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\28681921021105\\sihost.exe" (d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\224932101319066\\spoolsv.exe" (2007632652.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\224932101319066\\spoolsv.exe" (2007632652.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
- PID 1732 wrote to memory of 592: d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe -> sihost.exe (4 entries)
- PID 592 wrote to memory of 1924: sihost.exe -> 2007632652.exe (4 entries)
- PID 1924 wrote to memory of 1384: 2007632652.exe -> spoolsv.exe (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\28681921021105\sihost.exe
    Command line: C:\28681921021105\sihost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\2007632652.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2007632652.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\224932101319066\spoolsv.exe
        Command line: C:\224932101319066\spoolsv.exe
        - Executes dropped EXE
        - Windows security modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\224932101319066\spoolsv.exe
- C:\28681921021105\sihost.exe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\11aa[1]
- C:\Users\Admin\AppData\Local\Temp\2007632652.exe
- \224932101319066\spoolsv.exe
- \28681921021105\sihost.exe
- \Users\Admin\AppData\Local\Temp\2007632652.exe
- memory/592-5-0x0000000000000000-mapping.dmp
- memory/904-3-0x000007FEF6400000-0x000007FEF667A000-memory.dmp (Filesize: 2.5MB)
- memory/1384-15-0x0000000000000000-mapping.dmp
- memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1924-10-0x0000000000000000-mapping.dmp