Analysis
max time kernel: 149s
max time network: 141s
platform: windows10_x64
resource: win10v20210410
submitted: 05-05-2021 06:15
Static task: static1
Behavioral task: behavioral1
Sample: 1694521508.bin.exe
Resource: win7v20210410
General
Target: 1694521508.bin.exe
Size: 100KB
MD5: ee0a1ec859b753abc30847157d81f37c
SHA1: 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256: abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512: 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc
Malware Config
Signatures

Phorphiex Payload (4 IoCs)
Processes:
resource                                          yara_rule
C:\210332987413741\lsass.exe                      family_phorphiex
C:\210332987413741\lsass.exe                      family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2457425311.exe  family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2457425311.exe  family_phorphiex

Executes dropped EXE (2 IoCs)
Processes: lsass.exe, 2457425311.exe
pid   process
2588  lsass.exe
1328  2457425311.exe
Windows security modification
Processes: lsass.exe
description      ioc                                                                                              process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"      lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"       lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"         lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"    lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"          lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"     lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"           lsass.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 1694521508.bin.exe
description      ioc                                                                                                                                                process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\210332987413741\\lsass.exe"                       1694521508.bin.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\210332987413741\\lsass.exe"  1694521508.bin.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 1694521508.bin.exe, lsass.exe
description                        pid   process             target process
PID 1852 wrote to memory of 2588   1852  1694521508.bin.exe  lsass.exe
PID 1852 wrote to memory of 2588   1852  1694521508.bin.exe  lsass.exe
PID 1852 wrote to memory of 2588   1852  1694521508.bin.exe  lsass.exe
PID 2588 wrote to memory of 1328   2588  lsass.exe           2457425311.exe
PID 2588 wrote to memory of 1328   2588  lsass.exe           2457425311.exe
PID 2588 wrote to memory of 1328   2588  lsass.exe           2457425311.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1694521508.bin.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1694521508.bin.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\210332987413741\lsass.exe
      command line: C:\210332987413741\lsass.exe
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\2457425311.exe
         command line: C:\Users\Admin\AppData\Local\Temp\2457425311.exe
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\210332987413741\lsass.exe
MD5: ee0a1ec859b753abc30847157d81f37c
SHA1: 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256: abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512: 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

C:\Users\Admin\AppData\Local\Temp\2457425311.exe
MD5: ee0a1ec859b753abc30847157d81f37c
SHA1: 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256: abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512: 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Memory dumps:
memory/1328-117-0x0000000000000000-mapping.dmp
memory/2588-114-0x0000000000000000-mapping.dmp