Analysis Overview
SHA256
8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c
Threat Level: Known bad
The file 8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Phorphiex Payload
Phorphiex family
Windows security modification
Adds Run key to start application
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-23 16:11
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-21 11:54
Reported
2021-12-21 11:57
Platform
win7-en-20211208
Max time kernel
152s
Max time network
161s
Command Line
Signatures
Windows security bypass
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winupscvs.exe" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 52.137.90.34:80 | www.update.microsoft.com | tcp |
| SC | 185.215.113.66:48755 | | udp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-21 11:54
Reported
2021-12-21 11:57
Platform
win10-en-20211208
Max time kernel
166s
Max time network
168s
Command Line
Signatures
Windows security bypass
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winupscvs.exe" | C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\8d413fb17a9fb2722c36b288de4cf2564a25d11bd63673191fc9be22bffc227c.bin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 52.185.71.28:80 | www.update.microsoft.com | tcp |
| SC | 185.215.113.66:48755 | | udp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |