Analysis Overview
SHA256
ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
Threat Level: Known bad
The file 0a6569e45a3a38f7168f4c4aa0594627.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Phorphiex Payload
Phorphiex Worm
Downloads MZ/PE file
Executes dropped EXE
Windows security modification
Loads dropped DLL
Adds Run key to start application
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-03 06:07
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-03 06:07
Reported
2021-05-03 06:09
Platform
win10v20210410
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14842.exe | N/A |
| N/A | N/A | C:\107452361822882\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1123521669.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\107452361822882\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\107452361822882\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\107452361822882\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\107452361822882\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\107452361822882\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\107452361822882\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\107452361822882\lsass.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\107452361822882\\lsass.exe" | C:\Users\Admin\AppData\Local\Temp\14842.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\107452361822882\\lsass.exe" | C:\Users\Admin\AppData\Local\Temp\14842.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe
"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"
C:\Users\Admin\AppData\Local\Temp\14842.exe
C:\Users\Admin\AppData\Local\Temp\14842.exe
C:\107452361822882\lsass.exe
C:\107452361822882\lsass.exe
C:\Users\Admin\AppData\Local\Temp\1123521669.exe
C:\Users\Admin\AppData\Local\Temp\1123521669.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 149.56.45.200:9030 | 149.56.45.200 | tcp |
| N/A | 127.0.0.1:60979 | N/A | tcp |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 130.185.250.214:80 | N/A | tcp |
| N/A | 23.129.64.201:80 | 23.129.64.201 | tcp |
| N/A | 185.220.101.217:30217 | N/A | tcp |
| N/A | 185.220.101.204:10204 | N/A | tcp |
| N/A | 109.70.100.7:443 | N/A | tcp |
| N/A | 213.215.202.234:8151 | N/A | tcp |
| N/A | 45.125.65.118:9001 | N/A | tcp |
| N/A | 213.32.71.116:9030 | N/A | tcp |
| N/A | 94.16.114.105:8080 | 94.16.114.105 | tcp |
| N/A | 130.185.250.214:80 | N/A | tcp |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 199.58.81.140:80 | 199.58.81.140 | tcp |
| N/A | 104.244.72.115:443 | N/A | tcp |
| N/A | 78.47.226.12:443 | N/A | tcp |
| N/A | 127.0.0.1:60979 | N/A | tcp |
| N/A | 51.15.42.19:9030 | N/A | tcp |
| N/A | 62.210.177.189:9030 | N/A | tcp |
| N/A | 23.129.64.201:80 | 23.129.64.201 | tcp |
| N/A | 62.210.177.189:9030 | N/A | tcp |
| N/A | 95.217.42.50:1067 | 95.217.42.50 | tcp |
| N/A | 185.220.101.9:30009 | N/A | tcp |
| N/A | 94.16.104.159:9001 | N/A | tcp |
| N/A | 170.253.1.109:9001 | N/A | tcp |
| N/A | 149.56.233.142:443 | N/A | tcp |
| N/A | 127.0.0.1:60979 | N/A | tcp |
| N/A | 213.164.205.169:9001 | N/A | tcp |
Files
memory/2444-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\14842.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
memory/3984-117-0x0000000000000000-mapping.dmp
C:\107452361822882\lsass.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
memory/2116-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1123521669.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-03 06:07
Reported
2021-05-03 06:09
Platform
win7v20210408
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19981.exe | N/A |
| N/A | N/A | C:\36762617210258\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3792818807.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3367827580.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19981.exe | N/A |
| N/A | N/A | C:\36762617210258\lsass.exe | N/A |
| N/A | N/A | C:\36762617210258\lsass.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\36762617210258\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\36762617210258\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\36762617210258\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\36762617210258\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\36762617210258\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\36762617210258\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\36762617210258\lsass.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\36762617210258\\lsass.exe" | C:\Users\Admin\AppData\Local\Temp\19981.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\36762617210258\\lsass.exe" | C:\Users\Admin\AppData\Local\Temp\19981.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe
"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"
C:\Users\Admin\AppData\Local\Temp\19981.exe
C:\Users\Admin\AppData\Local\Temp\19981.exe
C:\36762617210258\lsass.exe
C:\36762617210258\lsass.exe
C:\Users\Admin\AppData\Local\Temp\3792818807.exe
C:\Users\Admin\AppData\Local\Temp\3792818807.exe
C:\Users\Admin\AppData\Local\Temp\3367827580.exe
C:\Users\Admin\AppData\Local\Temp\3367827580.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 62.210.177.189:9030 | N/A | tcp |
| N/A | 127.0.0.1:60469 | N/A | tcp |
| N/A | 62.210.177.189:9030 | N/A | tcp |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 86.59.21.38:80 | 86.59.21.38 | tcp |
| N/A | 131.188.40.189:443 | 131.188.40.189 | tcp |
| N/A | 94.16.114.105:8080 | 94.16.114.105 | tcp |
| N/A | 185.212.149.111:9001 | N/A | tcp |
| N/A | 209.182.239.205:9001 | N/A | tcp |
| N/A | 185.56.171.94:9001 | N/A | tcp |
| N/A | 37.218.242.217:9001 | N/A | tcp |
| N/A | 141.255.162.34:8080 | N/A | tcp |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 141.255.162.34:8080 | N/A | tcp |
| N/A | 213.32.71.116:9030 | N/A | tcp |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 8.8.8.8:53 | feedmefile.top | udp |
| N/A | 185.215.113.93:80 | feedmefile.top | tcp |
| N/A | 213.32.71.116:9030 | N/A | tcp |
| N/A | 185.215.113.93:80 | feedmefile.top | tcp |
| N/A | 185.215.113.93:80 | feedmefile.top | tcp |
| N/A | 8.8.8.8:53 | gotsomefile.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 23.129.64.201:80 | 23.129.64.201 | tcp |
| N/A | 8.8.8.8:53 | gimmefile.top | udp |
| N/A | 95.217.42.50:1067 | N/A | tcp |
| N/A | 127.0.0.1:60469 | N/A | tcp |
Files
memory/1036-60-0x0000000075051000-0x0000000075053000-memory.dmp
\Users\Admin\AppData\Local\Temp\19981.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
memory/1684-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\19981.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
\36762617210258\lsass.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
memory/108-67-0x0000000000000000-mapping.dmp
C:\36762617210258\lsass.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
\Users\Admin\AppData\Local\Temp\3792818807.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
memory/1612-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3792818807.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
\Users\Admin\AppData\Local\Temp\3367827580.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
C:\Users\Admin\AppData\Local\Temp\3367827580.exe
| MD5 | ee0a1ec859b753abc30847157d81f37c |
| SHA1 | 2fd868d94c6dc063ca49c767c873505fbc87dcd9 |
| SHA256 | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922 |
| SHA512 | 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc |
memory/868-76-0x0000000000000000-mapping.dmp