Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-05-2021 18:08

Static task: static1
Behavioral task: behavioral1
- Sample: 92ec0ad5172f3a97d6656b70c111af98.exe
- Resource: win7v20210408
General
- Target: 92ec0ad5172f3a97d6656b70c111af98.exe
- Size: 7KB
- MD5: 92ec0ad5172f3a97d6656b70c111af98
- SHA1: e15fc1668ccdaf70e5831906191f611136b7ac65
- SHA256: 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
- SHA512: f895ac70eb9c68b9361b32d71c3135f3ccd2f7b676d03061677416b883a1be7a8bad85df8de8202f612ebdfa8564ce77d34f7d5eb9a818fac0098cb4ca856762
Malware Config
Signatures
- Phorphiex Payload (4 IoCs)
  Processes:
  resource                                              yara_rule
  C:\Users\Admin\AppData\Local\Temp\3478027055.exe      family_phorphiex
  C:\Users\Admin\AppData\Local\Temp\3478027055.exe      family_phorphiex
  C:\13185753226332\smss.exe                            family_phorphiex
  C:\13185753226332\smss.exe                            family_phorphiex
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: 3478027055.exe, smss.exe
  pid     process
  4008    3478027055.exe
  2268    smss.exe
- Windows security modification
  Processes: smss.exe
  description       ioc                                                                                                  process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"          smss.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"           smss.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"             smss.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"        smss.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"              smss.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"         smss.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"               smss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 3478027055.exe
  description       ioc                                                                                                                                          process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe"   3478027055.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe"   3478027055.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 92ec0ad5172f3a97d6656b70c111af98.exe, 3478027055.exe
  description                          pid     process                                  target process
  PID 500 wrote to memory of 4008      500     92ec0ad5172f3a97d6656b70c111af98.exe     3478027055.exe
  PID 500 wrote to memory of 4008      500     92ec0ad5172f3a97d6656b70c111af98.exe     3478027055.exe
  PID 500 wrote to memory of 4008      500     92ec0ad5172f3a97d6656b70c111af98.exe     3478027055.exe
  PID 4008 wrote to memory of 2268     4008    3478027055.exe                           smss.exe
  PID 4008 wrote to memory of 2268     4008    3478027055.exe                           smss.exe
  PID 4008 wrote to memory of 2268     4008    3478027055.exe                           smss.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\3478027055.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3478027055.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\13185753226332\smss.exe
      command line: C:\13185753226332\smss.exe
      - Executes dropped EXE
      - Windows security modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\13185753226332\smss.exe
  MD5: e28889b5f98d8ed1a00835e1ca8a3b21
  SHA1: b665e89468ac7ae566aa996aeec203b25bf24b0c
  SHA256: 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
  SHA512: d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd
- C:\Users\Admin\AppData\Local\Temp\3478027055.exe
  MD5: e28889b5f98d8ed1a00835e1ca8a3b21
  SHA1: b665e89468ac7ae566aa996aeec203b25bf24b0c
  SHA256: 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
  SHA512: d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd
- memory/2268-117-0x0000000000000000-mapping.dmp
- memory/4008-114-0x0000000000000000-mapping.dmp