Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-05-2021 01:22

General

  • Target

    25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe

  • Size

    818KB

  • MD5

    dd1aa660f2f24368dd58c5ce7a709b6c

  • SHA1

    a54d435a04d3e883b1773d1c8d439dc95628fa07

  • SHA256

    25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e

  • SHA512

    a86738a5fd7915f3fbd9ddc8b5c3e01a936074749b7e8d14ceb91defef6657b5e5c1fc76fc6461b86424add2099c14b90c88b7b84de53928404562f2148b16b5

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Phorphiex Payload 1 IoCs
  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe
    "C:\Users\Admin\AppData\Local\Temp\25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\165302927026852\csrss.exe
      C:\Windows\165302927026852\csrss.exe
      2⤵
      • Executes dropped EXE
      • Windows security modification
      • Drops file in Program Files directory
      PID:3612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1284
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\165302927026852\csrss.exe

    MD5

    dd1aa660f2f24368dd58c5ce7a709b6c

    SHA1

    a54d435a04d3e883b1773d1c8d439dc95628fa07

    SHA256

    25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e

    SHA512

    a86738a5fd7915f3fbd9ddc8b5c3e01a936074749b7e8d14ceb91defef6657b5e5c1fc76fc6461b86424add2099c14b90c88b7b84de53928404562f2148b16b5

  • C:\Windows\165302927026852\csrss.exe

    MD5

    dd1aa660f2f24368dd58c5ce7a709b6c

    SHA1

    a54d435a04d3e883b1773d1c8d439dc95628fa07

    SHA256

    25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e

    SHA512

    a86738a5fd7915f3fbd9ddc8b5c3e01a936074749b7e8d14ceb91defef6657b5e5c1fc76fc6461b86424add2099c14b90c88b7b84de53928404562f2148b16b5

  • memory/3176-114-0x00000000001E0000-0x00000000001FA000-memory.dmp

    Filesize

    104KB

  • memory/3176-115-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

  • memory/3612-116-0x0000000000000000-mapping.dmp

  • memory/3612-119-0x00000000001D0000-0x00000000001EA000-memory.dmp

    Filesize

    104KB