Analysis
max time kernel: 117s
max time network: 120s
platform: windows10_x64
resource: win10v20210410
submitted: 12-05-2021 01:22
Static task: static1
Behavioral task: behavioral1
Sample: 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe
Resource: win7v20210410
General
Target: 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe
Size: 818KB
MD5: dd1aa660f2f24368dd58c5ce7a709b6c
SHA1: a54d435a04d3e883b1773d1c8d439dc95628fa07
SHA256: 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e
SHA512: a86738a5fd7915f3fbd9ddc8b5c3e01a936074749b7e8d14ceb91defef6657b5e5c1fc76fc6461b86424add2099c14b90c88b7b84de53928404562f2148b16b5
Malware Config
Signatures
Phorphiex Payload 1 IoCs
Processes:
- resource: behavioral2/memory/3176-115-0x0000000000400000-0x00000000004D2000-memory.dmp
  yara_rule: family_phorphiex
Executes dropped EXE 1 IoCs
Processes:
- pid 3612, process csrss.exe
Windows security modification
Processes:
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- csrss.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Windows\\165302927026852\\csrss.exe"
- 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Windows\\165302927026852\\csrss.exe"
Drops file in Program Files directory 3 IoCs
Processes:
- csrss.exe: File opened for modification C:\Program Files\7-Zip\7z.exe
- csrss.exe: File opened for modification C:\Program Files\7-Zip\7zfm.exe
- csrss.exe: File opened for modification C:\Program Files\7-Zip\7zg.exe
Drops file in Windows directory 3 IoCs
Processes:
- 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe: File opened for modification C:\Windows\165302927026852
- 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe: File created C:\Windows\165302927026852\csrss.exe
- 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe: File opened for modification C:\Windows\165302927026852\csrss.exe
Program crash 1 IoCs
Processes:
- pid 1128 (WerFault.exe), target pid 3612 (csrss.exe)
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- pid 1128, process WerFault.exe (14 events)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeRestorePrivilege, pid 1128, process WerFault.exe
- Token: SeBackupPrivilege, pid 1128, process WerFault.exe
- Token: SeDebugPrivilege, pid 1128, process WerFault.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 3176 (25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe) wrote to memory of 3612 (csrss.exe)
- PID 3176 (25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe) wrote to memory of 3612 (csrss.exe)
- PID 3176 (25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe) wrote to memory of 3612 (csrss.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe"
   PID: 3176
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\165302927026852\csrss.exe
      Command line: C:\Windows\165302927026852\csrss.exe
      PID: 3612
      - Executes dropped EXE
      - Windows security modification
      - Drops file in Program Files directory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1284
         PID: 1128
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: dd1aa660f2f24368dd58c5ce7a709b6c
SHA1: a54d435a04d3e883b1773d1c8d439dc95628fa07
SHA256: 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e
SHA512: a86738a5fd7915f3fbd9ddc8b5c3e01a936074749b7e8d14ceb91defef6657b5e5c1fc76fc6461b86424add2099c14b90c88b7b84de53928404562f2148b16b5