Analysis Overview
SHA256
5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
Threat Level: Known bad
The file 92ec0ad5172f3a97d6656b70c111af98.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Phorphiex Payload
Phorphiex Worm
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Windows security modification
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-24 17:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-24 17:55
Reported
2021-05-24 17:57
Platform
win7v20210408
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.215.113.93:80 | N/A | tcp |
| N/A | 185.215.113.93:80 | N/A | tcp |
| N/A | 185.215.113.93:80 | N/A | tcp |
| N/A | 185.215.113.93:80 | N/A | tcp |
Files
memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-24 17:55
Reported
2021-05-24 17:57
Platform
win10v20210410
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1126038252.exe | N/A |
| N/A | N/A | C:\50781317113831\smss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2648319356.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2345614391.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1290831180.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1246011076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2746621474.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe | C:\Windows\System32\cmd.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\50781317113831\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\50781317113831\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\50781317113831\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\50781317113831\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\50781317113831\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\50781317113831\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\50781317113831\smss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\50781317113831\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\1126038252.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\50781317113831\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\1126038252.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
C:\Users\Admin\AppData\Local\Temp\1126038252.exe
C:\Users\Admin\AppData\Local\Temp\1126038252.exe
C:\50781317113831\smss.exe
C:\50781317113831\smss.exe
C:\Users\Admin\AppData\Local\Temp\2648319356.exe
C:\Users\Admin\AppData\Local\Temp\2648319356.exe
C:\Users\Admin\AppData\Local\Temp\2345614391.exe
C:\Users\Admin\AppData\Local\Temp\2345614391.exe
C:\Users\Admin\AppData\Local\Temp\1290831180.exe
C:\Users\Admin\AppData\Local\Temp\1290831180.exe
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40DD.tmp\40DE.tmp\40DF.bat C:\Users\Admin\AppData\Local\Temp\1290831180.exe"
C:\Users\Admin\AppData\Local\Temp\1246011076.exe
C:\Users\Admin\AppData\Local\Temp\1246011076.exe
C:\Users\Admin\AppData\Local\Temp\2746621474.exe
C:\Users\Admin\AppData\Local\Temp\2746621474.exe
Network
Files
memory/2968-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1126038252.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |
memory/3464-117-0x0000000000000000-mapping.dmp
C:\50781317113831\smss.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |
memory/2148-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2648319356.exe
| MD5 | e28889b5f98d8ed1a00835e1ca8a3b21 |
| SHA1 | b665e89468ac7ae566aa996aeec203b25bf24b0c |
| SHA256 | 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73 |
| SHA512 | d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd |
memory/1924-123-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2345614391.exe
| MD5 | f3318b4b120c21a6e415153315aef2fb |
| SHA1 | 23c6433cf48eb7361b227cf973ec0c977e868ffa |
| SHA256 | 069f4598f042e0eee51a9078ba2b08d42f198bb67f144dc898f42b76de136c21 |
| SHA512 | 227e2661081fbf30b9c7f1a7c3f045741cb3f1678a7f459aded92a590d5b7f2a6596d3e2f0e97d3ce70de6eb3fae451278a69249871ea2fd451a06b2ac6fc3e7 |
memory/4016-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1290831180.exe
| MD5 | d84e11ca2e8970c1b6d1066d5aea11c5 |
| SHA1 | 36e763db197c2b41e9201fd6603e9f0c9628d429 |
| SHA256 | 73dee9efe42b12582befda0154650efb83f6d33e6d6b69acf00b1d9b4ce3b518 |
| SHA512 | 7132ba84a67a6991890e71e4069392c0b2b12d6e3ccedf8f8017c0a92928849e8ff4d6ca94b350c4605e1f56d839f067c73c37ba08305f6a57b737b0956fc8ee |
memory/4012-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\40DD.tmp\40DE.tmp\40DF.bat
| MD5 | a317b9bdc3a5e70f5e7964be46b9557d |
| SHA1 | 69421493be0fb5e61b498d8c331d0de7d978f886 |
| SHA256 | 582da2e1c3d3fe2dc565e5fdf109f21ba9bbf8fea5b28a7d8ba98412043f4178 |
| SHA512 | c2f3b768b9df2e934f22a73a97c6a4cd062b092175c115dd9f4fa7f8ec8cfff4289286cac88ac62585424f328b2cea3c08decf587345b16bcdcb2ce7deb1fa39 |
C:\Users\Admin\AppData\Local\Temp\40DD.tmp\Defender.exe
| MD5 | 150430cc02f3708fdd8bd79418a8985a |
| SHA1 | ac471b51146c411c9697763dbd0ae9ef919397d9 |
| SHA256 | e02d9b5ece07693c4863747dddd58761dfebb2ef729deec937142ad97eabb474 |
| SHA512 | d1b972fd2da1ea1fee05657ce63466764c84e135d3c97463f4f1acb164a2ef306ae857b02f9f10628551b0bf29b8ae4715f0d6fa045531ce6189d80218f4d35f |
C:\Users\Admin\AppData\Local\Temp\40DD.tmp\Process.exe
| MD5 | d65359ec05a8c4054b14768f4a04676f |
| SHA1 | fc149a785aa8058d626610f5e0add97f4ccb4e91 |
| SHA256 | 2bb15c50b0b33b900ee8a826fea73017d05f8cb562fb4027b6f1701e49fad73e |
| SHA512 | c50be8d45cc771495057d08b836fc95cbf803c76ed58561b9b958e278c092cc74f387524176fa0d3f21e98904d8da44125e8b9df7db59d239abd3df9d8e667a8 |
memory/3768-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1246011076.exe
| MD5 | 94bfc6c684e0143e3543c5a3a0af7ccc |
| SHA1 | ac3d8970df78ddf6b299e53e24b14fab9a512673 |
| SHA256 | dbd84d9bb51ac5a97476f14c91df0be135c6ada8cb49ef3e70bc8ad0fc013801 |
| SHA512 | b75981d5cb4f8096b5109a0e8eae30141f3c0f598f1a621b2915647c0b04573e6943c979b27dd2723d02e4cdcb19933a3de47e7f8e7c72eb0608ff7b31c481c9 |
memory/2704-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2746621474.exe
| MD5 | b1e29e528a7510be3c04dcff622f63ab |
| SHA1 | ae8a2d88a4b0bcd8a11364be5a687f2a2a86d83a |
| SHA256 | a98ccb74c29d4e6c3929cfea2f157dd53ce9c3ea67bd25934aab24f416ce9d13 |
| SHA512 | e7f59ab406d79832dacd0c4bdeb4bbbe8cc626bcf247502f8a817d2f2e39449450806976f5cb725a35f1bb1a58ef41488b32d6aea9cf3a54590c7989d3696040 |