Analysis Overview
SHA256
5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
Threat Level: Known bad
The file 92ec0ad5172f3a97d6656b70c111af98.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-24 18:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-24 18:08
Reported
2021-05-24 18:11
Platform
win7v20210408
Max time kernel
137s
Max time network
175s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.215.113.93:80 | tcp | |
| N/A | 185.215.113.93:80 | tcp | |
| N/A | 185.215.113.93:80 | tcp |
Files
memory/1120-60-0x0000000074D91000-0x0000000074D93000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-24 18:08
Reported
2021-05-24 18:10
Platform
win10v20210410
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3478027055.exe | N/A |
| N/A | N/A | C:\13185753226332\smss.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\13185753226332\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\13185753226332\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\13185753226332\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\13185753226332\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\13185753226332\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\13185753226332\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\13185753226332\smss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\3478027055.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\3478027055.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 500 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe | C:\Users\Admin\AppData\Local\Temp\3478027055.exe |
| PID 500 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe | C:\Users\Admin\AppData\Local\Temp\3478027055.exe |
| PID 500 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe | C:\Users\Admin\AppData\Local\Temp\3478027055.exe |
| PID 4008 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\3478027055.exe | C:\13185753226332\smss.exe |
| PID 4008 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\3478027055.exe | C:\13185753226332\smss.exe |
| PID 4008 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\3478027055.exe | C:\13185753226332\smss.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
C:\13185753226332\smss.exe
C:\13185753226332\smss.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.215.113.93:80 | tcp | |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.93:80 | 185.215.113.93 | tcp |
| N/A | 23.129.64.201:80 | 23.129.64.201 | tcp |
| N/A | 127.0.0.1:62639 | tcp |
Files
memory/4008-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |
memory/2268-117-0x0000000000000000-mapping.dmp
C:\13185753226332\smss.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |
C:\13185753226332\smss.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |