Analysis Overview
SHA256
313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316
Threat Level: Known bad
The file 313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
Phorphiex family
Windows security bypass
Windows security modification
Adds Run key to start application
Drops file in Windows directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-23 16:11
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-21 11:54
Reported
2021-12-21 11:57
Platform
win7-en-20211208
Max time kernel
152s
Max time network
152s
Command Line
Signatures
Windows security bypass
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wupdsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\wupdsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wupdsvcs.exe | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| File opened for modification | C:\Windows\wupdsvcs.exe | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe
"C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 52.137.90.34:80 | www.update.microsoft.com | tcp |
| SC | 185.215.113.66:48755 | | udp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | udp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
Files
memory/1400-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-21 11:54
Reported
2021-12-21 11:56
Platform
win10-en-20211208
Max time kernel
154s
Max time network
154s
Command Line
Signatures
Windows security bypass
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wupdsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\wupdsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wupdsvcs.exe | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
| File opened for modification | C:\Windows\wupdsvcs.exe | C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe
"C:\Users\Admin\AppData\Local\Temp\313c731da99da31454ec6114d5a8ce03dcf9a24caf02270f9292ab7b9278b316.bin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 52.185.71.28:80 | www.update.microsoft.com | tcp |
| RU | 45.182.189.233:48755 | | udp |
| RU | 45.182.189.233:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | udp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| RU | 45.182.189.233:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |
| SC | 185.215.113.66:48755 | | tcp |