Resubmissions
Submitted         Analysis ID         Score
09-04-2024 12:54  240409-p5dzaafd97   10
09-04-2024 12:54  240409-p5dcraag3w   10
09-04-2024 12:54  240409-p5cq8aag3v   10
09-04-2024 12:54  240409-p5cffsfd95   10
06-05-2021 04:42  210506-89h2kyk32a   10

Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-05-2021 04:42
Static task: static1
Behavioral task: behavioral1 (sample t.exe, resource win7v20210408)
General
- Target: t.exe
- Size: 100KB
- MD5: ee0a1ec859b753abc30847157d81f37c
- SHA1: 2fd868d94c6dc063ca49c767c873505fbc87dcd9
- SHA256: abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
- SHA512: 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc
Malware Config
Signatures
- Phorphiex Payload (5 IoCs)
  resource                                          yara_rule
  \30862328219132\lsass.exe                         family_phorphiex
  C:\30862328219132\lsass.exe                       family_phorphiex
  C:\30862328219132\lsass.exe                       family_phorphiex
  \Users\Admin\AppData\Local\Temp\2049321690.exe    family_phorphiex
  C:\Users\Admin\AppData\Local\Temp\2049321690.exe  family_phorphiex
- Executes dropped EXE (2 IoCs)
  pid   process
  1304  lsass.exe
  1572  2049321690.exe
- Loads dropped DLL (2 IoCs)
  pid   process
  340   t.exe
  1304  lsass.exe
- Windows security modification (7 IoCs)
  All seven values are written by lsass.exe (pid 1304) as Set value (int) = "1", under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center:
  UpdatesDisableNotify
  AntiSpywareOverride
  AntiVirusOverride
  AntiVirusDisableNotify
  FirewallOverride
  FirewallDisableNotify
  UpdatesOverride
  The Override values suppress Security Center's "not detected" state for AV, anti-spyware and firewall; the DisableNotify values silence the corresponding user notifications.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Both values are written by t.exe as Set value (str), value name "Host Process for Windows Services", data "C:\30862328219132\lsass.exe":
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services
  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services
- Suspicious use of WriteProcessMemory (8 IoCs)
  source pid  source     target pid  target
  340         t.exe      1304        lsass.exe
  340         t.exe      1304        lsass.exe
  340         t.exe      1304        lsass.exe
  340         t.exe      1304        lsass.exe
  1304        lsass.exe  1572        2049321690.exe
  1304        lsass.exe  1572        2049321690.exe
  1304        lsass.exe  1572        2049321690.exe
  1304        lsass.exe  1572        2049321690.exe
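The two registry behaviours in the signatures above, the Security Center values forced to 1 and a Run-key entry named "Host Process for Windows Services" that launches a file called lsass.exe from C:\30862328219132, can be turned into detection logic. The script below is an added example, not part of the report and not any sandbox's own code. Its input records are constructed in the shape of Sysmon Event ID 13 (RegistryEvent, value set) from the IoCs listed above; the trusted-directory allow-list (TRUSTED_DIRS) and the set of system binary names (SYSTEM_BINARY_NAMES) are assumptions chosen for illustration.

```python
"""Detect the registry behaviour seen in this report: Security Center
override / DisableNotify values set to 1, and a Run key whose value name
imitates a Windows component but launches a binary from an untrusted
directory. Events are constructed to resemble Sysmon Event ID 13 records
built from the report's IoCs; they are not sandbox output."""
from collections import Counter
import ntpath
import re

# The seven values the dropped lsass.exe sets to 1 (report: "Windows security modification").
SECURITY_CENTER_VALUES = {
    "AntiSpywareOverride", "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
    "UpdatesDisableNotify", "UpdatesOverride",
}
SC_RE = re.compile(r"\\Security Center\\([^\\]+)$", re.IGNORECASE)
RUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Assumed allow-list of directories a legitimate Run entry may launch from (tune per estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Illustrative set of system binary names worth flagging when they run from elsewhere.
SYSTEM_BINARY_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}


def classify(event):
    """Return a list of (rule, detail) findings for one value-set event."""
    findings = []
    target = event["TargetObject"]
    details = str(event["Details"]).strip().strip('"')
    m = SC_RE.search(target)
    if m and m.group(1) in SECURITY_CENTER_VALUES and details in ("1", "DWORD (0x00000001)"):
        findings.append(("security_center_override", f"{m.group(1)} set by {event['Image']}"))
    m = RUN_RE.search(target)
    if m:
        exe = details.lower()
        if not exe.startswith(TRUSTED_DIRS):
            findings.append(("run_key_untrusted_path", f"{m.group(1)} -> {details}"))
        # A Run entry launching lsass.exe/svchost.exe/... from outside System32/SysWOW64.
        if ntpath.basename(exe) in SYSTEM_BINARY_NAMES and not exe.startswith(TRUSTED_DIRS[:2]):
            findings.append(("run_key_system_binary_lookalike", ntpath.basename(exe)))
    return findings


def scan(events):
    """Count how many events triggered each rule."""
    counts = Counter()
    for ev in events:
        for rule, _detail in classify(ev):
            counts[rule] += 1
    return counts


# Constructed events (Sysmon Event ID 13 shape), paths taken from the report above.
LSASS_DROP = r"C:\30862328219132\lsass.exe"
T_EXE = r"C:\Users\Admin\AppData\Local\Temp\t.exe"
SC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
RUN_VALUE = "Host Process for Windows Services"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": LSASS_DROP, "TargetObject": SC_KEY + "\\" + name,
     "Details": "DWORD (0x00000001)"}
    for name in sorted(SECURITY_CENTER_VALUES)
] + [
    {"EventID": 13, "Image": T_EXE, "Details": LSASS_DROP,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_VALUE},
    {"EventID": 13, "Image": T_EXE, "Details": LSASS_DROP,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_VALUE},
    # Constructed benign control: a vendor updater under Program Files, expected to stay silent.
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe"},
]

if __name__ == "__main__":
    for rule, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {n}")
    for ev in SAMPLE_EVENTS[-3:]:
        print(ev["TargetObject"], "->", classify(ev))
```

On the report's events this yields seven security_center_override hits and, for each of the two Run entries, both an untrusted-path finding and a lookalike finding; the benign control produces nothing. Matching on the value name alone would be fragile, which is why the rules key on the data (an absolute path outside the allow-list, or a system binary name in the wrong directory) rather than on "Host Process for Windows Services".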
Processes
- C:\Users\Admin\AppData\Local\Temp\t.exe (pid 340; command line "C:\Users\Admin\AppData\Local\Temp\t.exe")
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - child: C:\30862328219132\lsass.exe (pid 1304; command line C:\30862328219132\lsass.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - child: C:\Users\Admin\AppData\Local\Temp\2049321690.exe (pid 1572; command line C:\Users\Admin\AppData\Local\Temp\2049321690.exe)
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
All five dropped files below carry exactly the hashes of the submitted t.exe (see General), i.e. the sample writes byte-identical copies of itself under new names.
- C:\30862328219132\lsass.exe
- C:\30862328219132\lsass.exe
- C:\Users\Admin\AppData\Local\Temp\2049321690.exe
- \30862328219132\lsass.exe
- \Users\Admin\AppData\Local\Temp\2049321690.exe
  MD5: ee0a1ec859b753abc30847157d81f37c
  SHA1: 2fd868d94c6dc063ca49c767c873505fbc87dcd9
  SHA256: abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
  SHA512: 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc
- memory/340-59-0x00000000750C1000-0x00000000750C3000-memory.dmp (filesize 8KB)
- memory/1304-61-0x0000000000000000-mapping.dmp
- memory/1572-66-0x0000000000000000-mapping.dmp
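Since every dropped file under Downloads carries the same MD5/SHA1/SHA256/SHA512 as the submitted t.exe, those four digests form one IoC set that covers the sample and each copy it writes. The script below is an added example, not part of the report: it hashes every file under a directory with all four algorithms in one pass and reports a full, partial or no match against that set. A partial match (some algorithms agree, others do not) is surfaced as its own verdict rather than a silent miss, since in practice it usually means a mistyped IoC. The scratch directory and file in the usage section are constructed and will not match.

```python
"""Hash files with MD5/SHA1/SHA256/SHA512 in a single pass and match them
against the IoC hash set from the report above. Added example; the IoC
values are copied from the report, the test input is constructed."""
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Hash set from the report (t.exe and its dropped copies share it).
REPORT_IOCS = {
    "md5": "ee0a1ec859b753abc30847157d81f37c",
    "sha1": "2fd868d94c6dc063ca49c767c873505fbc87dcd9",
    "sha256": "abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922",
    "sha512": "6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac3"
              "92ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc",
}


def hash_stream(fileobj, chunk_size=1 << 20):
    """Feed the stream once into all four hashers; return {algorithm: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in ALGORITHMS}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def match_iocs(digests, iocs=REPORT_IOCS):
    """Return (verdict, matched_algorithms) where verdict is 'match', 'partial' or 'none'.
    'partial' means the algorithms disagree with each other, which points at a
    bad IoC entry (or something much stranger) and deserves a look."""
    checked = [a for a in ALGORITHMS if a in iocs]
    hit = [a for a in checked if digests[a].lower() == iocs[a].lower()]
    if not hit:
        return "none", hit
    if len(hit) == len(checked):
        return "match", hit
    return "partial", hit


def scan_directory(root, iocs=REPORT_IOCS):
    """Hash every regular file under root; return {path: (verdict, matched_algorithms)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                results[path] = match_iocs(hash_stream(f), iocs)
    return results


if __name__ == "__main__":
    # Constructed usage: a scratch directory holding one file that is not the sample.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "not_the_sample.bin"), "wb") as f:
            f.write(b"constructed placeholder, not Phorphiex")
        for path, (verdict, hit) in scan_directory(root).items():
            print(f"{verdict:8} {hit} {path}")
```

Comparing on all four algorithms at once costs nothing extra (the file is read once) and is what lets the partial verdict exist; a scanner that keys on SHA256 alone would report a mistyped SHA256 entry as a clean miss.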