Analysis
max time kernel: 304s
max time network: 332s
platform: windows7_x64
resource: win7v20210408
submitted: 01-10-2021 16:29
Static task: static1
Behavioral task: behavioral1
Sample: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
Resource: win7v20210408
General
Target: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
Size: 75KB
MD5: 4ece4d073b759e00584078490e1424f8
SHA1: a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512: 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654
Malware Config
Signatures
Phorphiex Payload 3 IoCs
resource | yara_rule
\16338282331159\svchost.exe | family_phorphiex
C:\16338282331159\svchost.exe | family_phorphiex
C:\16338282331159\svchost.exe | family_phorphiex
Executes dropped EXE 3 IoCs
pid | process
1752 | svchost.exe
564 | 1028510743.exe
568 | wsecsvcmgr.exe
Loads dropped DLL 3 IoCs
pid | process
1652 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
1752 | svchost.exe
1752 | svchost.exe
Windows security modification 11 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | wsecsvcmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wsecsvcmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wsecsvcmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | wsecsvcmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wsecsvcmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wsecsvcmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | wsecsvcmgr.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wsecsvcmgr.exe" | 1028510743.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\16338282331159\\svchost.exe" | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\16338282331159\\svchost.exe" | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
Drops file in Windows directory 2 IoCs
description | ioc | process
File created | C:\Windows\wsecsvcmgr.exe | 1028510743.exe
File opened for modification | C:\Windows\wsecsvcmgr.exe | 1028510743.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | process | target process
PID 1652 wrote to memory of 1752 | 1652 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
PID 1652 wrote to memory of 1752 | 1652 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
PID 1652 wrote to memory of 1752 | 1652 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
PID 1652 wrote to memory of 1752 | 1652 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
PID 1752 wrote to memory of 564 | 1752 | svchost.exe | 1028510743.exe
PID 1752 wrote to memory of 564 | 1752 | svchost.exe | 1028510743.exe
PID 1752 wrote to memory of 564 | 1752 | svchost.exe | 1028510743.exe
PID 1752 wrote to memory of 564 | 1752 | svchost.exe | 1028510743.exe
PID 564 wrote to memory of 568 | 564 | 1028510743.exe | wsecsvcmgr.exe
PID 564 wrote to memory of 568 | 564 | 1028510743.exe | wsecsvcmgr.exe
PID 564 wrote to memory of 568 | 564 | 1028510743.exe | wsecsvcmgr.exe
PID 564 wrote to memory of 568 | 564 | 1028510743.exe | wsecsvcmgr.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\16338282331159\svchost.exe
      Command line: C:\16338282331159\svchost.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\1028510743.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\1028510743.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\wsecsvcmgr.exe
            Command line: C:\Windows\wsecsvcmgr.exe
            - Executes dropped EXE
            - Windows security modification
Downloads
C:\16338282331159\svchost.exe
MD5: 4ece4d073b759e00584078490e1424f8
SHA1: a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512: 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654
C:\Users\Admin\AppData\Local\Temp\1028510743.exe
MD5: c532ac418f3e867907c2757a7ca56a53
SHA1: 0583af526b3825a570237c0d954c445fb30948d3
SHA256: 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512: 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c
C:\Windows\wsecsvcmgr.exe
MD5: c532ac418f3e867907c2757a7ca56a53
SHA1: 0583af526b3825a570237c0d954c445fb30948d3
SHA256: 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512: 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c
\16338282331159\svchost.exe
MD5: 4ece4d073b759e00584078490e1424f8
SHA1: a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512: 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654
\Users\Admin\AppData\Local\Temp\1028510743.exe
MD5: c532ac418f3e867907c2757a7ca56a53
SHA1: 0583af526b3825a570237c0d954c445fb30948d3
SHA256: 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512: 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c
memory/564-68-0x0000000000000000-mapping.dmp
memory/568-72-0x0000000000000000-mapping.dmp
memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)
memory/1752-62-0x0000000000000000-mapping.dmp