Analysis
- Max time kernel: 300s
- Max time network: 303s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 01-10-2021 16:29

Static task: static1
Behavioral task: behavioral1
- Sample: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
- Resource: win7v20210408
General
- Target: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
- Size: 75KB
- MD5: 4ece4d073b759e00584078490e1424f8
- SHA1: a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
- SHA256: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
- SHA512: 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654
Malware Config
Signatures

Phorphiex Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\131019982546\svchost.exe | family_phorphiex
  C:\131019982546\svchost.exe | family_phorphiex

suricata: ET MALWARE APT-C-23 Activity (GET)
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  4300 | svchost.exe
  4292 | 1681017508.exe
  4012 | wsecsvcmgr.exe
Windows security modification
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wsecsvcmgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\131019982546\\svchost.exe" | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\131019982546\\svchost.exe" | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wsecsvcmgr.exe" | 1681017508.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\wsecsvcmgr.exe | 1681017508.exe
  File opened for modification | C:\Windows\wsecsvcmgr.exe | 1681017508.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 3732 wrote to memory of 4300 | 3732 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
  PID 3732 wrote to memory of 4300 | 3732 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
  PID 3732 wrote to memory of 4300 | 3732 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | svchost.exe
  PID 4300 wrote to memory of 4292 | 4300 | svchost.exe | 1681017508.exe
  PID 4300 wrote to memory of 4292 | 4300 | svchost.exe | 1681017508.exe
  PID 4300 wrote to memory of 4292 | 4300 | svchost.exe | 1681017508.exe
  PID 4292 wrote to memory of 4012 | 4292 | 1681017508.exe | wsecsvcmgr.exe
  PID 4292 wrote to memory of 4012 | 4292 | 1681017508.exe | wsecsvcmgr.exe
  PID 4292 wrote to memory of 4012 | 4292 | 1681017508.exe | wsecsvcmgr.exe
Processes (tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\131019982546\svchost.exe
    Command line: C:\131019982546\svchost.exe
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1681017508.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1681017508.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\wsecsvcmgr.exe
        Command line: C:\Windows\wsecsvcmgr.exe
        - Executes dropped EXE
        - Windows security modification
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\131019982546\svchost.exe
  MD5: 4ece4d073b759e00584078490e1424f8
  SHA1: a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
  SHA256: f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
  SHA512: 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654
- C:\Users\Admin\AppData\Local\Temp\1681017508.exe
  MD5: c532ac418f3e867907c2757a7ca56a53
  SHA1: 0583af526b3825a570237c0d954c445fb30948d3
  SHA256: 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
  SHA512: 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c
- C:\Windows\wsecsvcmgr.exe
  MD5: c532ac418f3e867907c2757a7ca56a53
  SHA1: 0583af526b3825a570237c0d954c445fb30948d3
  SHA256: 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
  SHA512: 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c
- memory/4012-121-0x0000000000000000-mapping.dmp
- memory/4292-118-0x0000000000000000-mapping.dmp
- memory/4300-115-0x0000000000000000-mapping.dmp