Analysis Overview
SHA256
cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254
Threat Level: Known bad
The file cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
Phorphiex family
Windows security bypass
Windows security modification
Adds Run key to start application
Drops file in Windows directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-23 16:11
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-21 11:54
Reported
2021-12-21 11:57
Platform
win7-en-20211208
Max time kernel
153s
Max time network
167s
Command Line
Signatures
Windows security bypass
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\winudsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winudsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winudsvcs.exe | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| File created | C:\Windows\winudsvcs.exe | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe
"C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 52.137.90.34:80 | www.update.microsoft.com | tcp |
| RU | 45.182.189.233:48755 | | udp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | udp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
Files
memory/288-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-21 11:54
Reported
2021-12-21 11:57
Platform
win10-en-20211208
Max time kernel
159s
Max time network
168s
Command Line
Signatures
Windows security bypass
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\winudsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winudsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winudsvcs.exe | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
| File opened for modification | C:\Windows\winudsvcs.exe | C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe
"C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.224.57:443 | | tcp |
| US | 52.109.12.18:443 | | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 52.185.71.28:80 | www.update.microsoft.com | tcp |
| SC | 185.215.113.66:48755 | | udp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | udp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
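Detection check (added example, not part of the sandbox report or of any vendor tooling): the registry, file and network indicators in the behavioral1 and behavioral2 tables above reduce to three host-side rules, and the Python below runs them over constructed Sysmon-style events (EventID 13 registry value set, EventID 11 file create, EventID 3 network connect) built from the values on this page, plus benign noise that must not fire. Assumptions: the event field names follow Sysmon's (Image, TargetObject, Details, TargetFilename, DestinationIp, DestinationPort, Protocol); the ATT&CK IDs T1562.001, T1547.001 and T1571 are the editor's mapping, since the report names only the Enterprise matrix version; and the Run-key rule deliberately fires only when the same process also dropped a file with the referenced basename, which is a design choice, not something the report states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the behavioral1/behavioral2 signature and network tables in this report.
SECURITY_CENTER_OVERRIDES = {
    "AntiSpywareOverride", "AntiVirusOverride", "AntiVirusDisableNotify",
    "UpdatesOverride", "UpdatesDisableNotify", "FirewallOverride", "FirewallDisableNotify",
}
C2_ENDPOINTS = {("45.182.189.233", 48755), ("185.215.113.66", 48755)}

SECURITY_CENTER_RE = re.compile(r"\\Microsoft\\Security Center\\([A-Za-z]+)$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
DWORD_ONE_RE = re.compile(r"DWORD \(0x0*1\)$")  # Sysmon renders REG_DWORD data as "DWORD (0x00000001)"


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID (editor's mapping, see lead-in)
    image: str      # process that produced the event
    detail: str


def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    """Apply the three rules to Sysmon-style event dicts and return one Finding per match."""
    # Pass 1: files each image wrote, keyed by basename, so a Run value can be tied to a drop by
    # the same process. A Run value on its own (installers write them constantly) is not alerted.
    dropped: dict[tuple[str, str], str] = {}
    for ev in events:
        if ev["EventID"] == 11:
            dropped[(ev["Image"], _basename(ev["TargetFilename"]))] = ev["TargetFilename"]

    findings: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 13:
            target, data = ev["TargetObject"], ev["Details"]
            sc = SECURITY_CENTER_RE.search(target)
            run = RUN_VALUE_RE.search(target)
            # Rule 1: a Security Center override/notify value set to 1 (legacy AV/firewall suppression).
            if sc and sc.group(1) in SECURITY_CENTER_OVERRIDES and DWORD_ONE_RE.search(data):
                findings.append(Finding("T1562.001", ev["Image"], f"Security Center {sc.group(1)}=1"))
            # Rule 2: a Run value whose target has the same basename as a file this process dropped.
            elif run and (ev["Image"], _basename(data)) in dropped:
                drop = dropped[(ev["Image"], _basename(data))]
                findings.append(Finding("T1547.001", ev["Image"],
                                        f"Run value {run.group(1)!r} -> {data}, same name as dropped {drop}"))
        # Rule 3: connection to the two peers on the non-standard port seen in both detonations.
        elif ev["EventID"] == 3 and (ev["DestinationIp"], int(ev["DestinationPort"])) in C2_ENDPOINTS:
            findings.append(Finding("T1571", ev["Image"],
                                    f"{ev['Protocol']} to {ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


# Constructed sample telemetry reproducing the behavioral1 indicators, followed by benign noise.
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe")
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_IMAGE, "TargetFilename": r"C:\Windows\winudsvcs.exe"},
    *[{"EventID": 13, "Image": SAMPLE_IMAGE,
       "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center" + "\\" + name,
       "Details": "DWORD (0x00000001)"} for name in sorted(SECURITY_CENTER_OVERRIDES)],
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service",
     "Details": r"C:\Windows\winudsvcs.exe"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service",
     "Details": r"C:\Users\Admin\winudsvcs.exe"},
    {"EventID": 3, "Image": SAMPLE_IMAGE, "Protocol": "tcp", "DestinationIp": "45.182.189.233", "DestinationPort": "48755"},
    {"EventID": 3, "Image": SAMPLE_IMAGE, "Protocol": "udp", "DestinationIp": "185.215.113.66", "DestinationPort": "48755"},
    # Benign noise that must not fire: the update check from the report's network table, an
    # installer's Run value with no matching drop (hypothetical), and an override value cleared to 0.
    {"EventID": 3, "Image": SAMPLE_IMAGE, "Protocol": "tcp", "DestinationIp": "52.137.90.34", "DestinationPort": "80"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.technique, f.image.rsplit("\\", 1)[-1], f.detail)
```

The Override and DisableNotify values under Security Center are a legacy mechanism for third-party products to suppress Security Center warnings; whether they still change protection state depends on the Windows build, so a single process writing all seven to 1, as both detonations show, is best treated as a high-fidelity tampering artifact rather than as proof that protection was disabled. The Run-key rule keys on the correlation with the dropped file, so the page's HKLM and HKU entries both fire while the installer's Run value does not.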