Analysis
- max time kernel: 149s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-12-2021 11:54

Static task: static1
Behavioral task: behavioral1
Sample: 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe
Resource: win7-en-20211208
General
- Target: 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe
- Size: 72KB
- MD5: 9fa3010c557db8477aec95587748dc82
- SHA1: 10ffea2306659a4c021bf55a842afa2fd69761be
- SHA256: 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e
- SHA512: 77c6f7e9bfb3e15ebd1bc58cf6b206477d6e44128083a36ea051fb232f8008b31c4807b509ba6918da2af006dc472763caf12d8e128f221c040925ab1732b7f2
Malware Config
Signatures
- Phorphiex Payload (2 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/files/0x000800000001223f-56.dat: family_phorphiex
  - behavioral1/files/0x000800000001223f-58.dat: family_phorphiex
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1668 wapmsvcr.exe
- Windows security modification
  Processes (description, ioc, process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (wapmsvcr.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wapmsvcr.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (wapmsvcr.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wapmsvcr.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" (wapmsvcr.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wapmsvcr.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wapmsvcr.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wapmsvcr.exe" (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created C:\Windows\wapmsvcr.exe (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe)
  - File opened for modification C:\Windows\wapmsvcr.exe (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, procid_target):
  - PID 1588 wrote to memory of 1668 (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe, procid_target 27)
  - PID 1588 wrote to memory of 1668 (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe, procid_target 27)
  - PID 1588 wrote to memory of 1668 (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe, procid_target 27)
  - PID 1588 wrote to memory of 1668 (7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe, procid_target 27)
Processes
- C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe (PID: 1588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\wapmsvcr.exe (PID: 1668)
    Command line: C:\Windows\wapmsvcr.exe
    - Executes dropped EXE
    - Windows security modification
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9fa3010c557db8477aec95587748dc82
  SHA1: 10ffea2306659a4c021bf55a842afa2fd69761be
  SHA256: 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e
  SHA512: 77c6f7e9bfb3e15ebd1bc58cf6b206477d6e44128083a36ea051fb232f8008b31c4807b509ba6918da2af006dc472763caf12d8e128f221c040925ab1732b7f2