Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 13:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
- Resource: win7-20220414-en
General
- Target: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
- Size: 248KB
- MD5: a995787df1dd00b8c0554d0429a0055b
- SHA1: 3e62863d7144cbdb00ebd0856c05e6c55383f5b9
- SHA256: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889
- SHA512: 0c5eb2f92a1f5e700a9c01c36196c557ce5ab324fb7c1b214a87d8318a077de9c55e32bdb0e976e254039b95adcb058dcf2e99e394d1804a0c87acdc96ce0632
Malware Config
Extracted (family: phorphiex)
- http://193.32.161.73/
- 1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh
- qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql
- Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i
- D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M
- 0xa5228127395263575a4b4f532e4f132b14599d24
- LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7
- t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: syschuh.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (syschuh.exe)

Phorphiex payload 2 IoCs
Processes:
- Resource: behavioral2/memory/4116-132-0x0000000002340000-0x000000000234B000-memory.dmp, yara rule: family_phorphiex
- Resource: behavioral2/memory/2060-139-0x00000000020C0000-0x00000000020CB000-memory.dmp, yara rule: family_phorphiex

Windows security bypass
Processes: syschuh.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (syschuh.exe)

Executes dropped EXE 1 IoCs
Processes: syschuh.exe
- PID 2060: syschuh.exe

Windows security modification
Processes: syschuh.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (syschuh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (syschuh.exe)

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\369618793\\syschuh.exe" (29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\369618793\\syschuh.exe" (29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe)

Drops file in Windows directory 3 IoCs
Processes: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
- File created: C:\Windows\369618793\syschuh.exe (29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe)
- File opened for modification: C:\Windows\369618793\syschuh.exe (29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe)
- File opened for modification: C:\Windows\369618793 (29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe)

Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe, syschuh.exe
- PID 4116: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe (18 entries)
- PID 2060: syschuh.exe (18 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe, syschuh.exe
- Token: SeDebugPrivilege, PID 4116, 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
- Token: SeDebugPrivilege, PID 2060, syschuh.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe, syschuh.exe
- PID 4116: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe (2 entries)
- PID 2060: syschuh.exe (2 entries)

Suspicious use of WriteProcessMemory 3 IoCs
Processes: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
- PID 4116 wrote to memory of PID 2060: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe -> syschuh.exe (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889.exe"
   PID: 4116
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\369618793\syschuh.exe (nested under PID 4116)
      Command line: C:\Windows\369618793\syschuh.exe
      PID: 2060
      - Modifies Windows Defender Real-time Protection settings
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 248KB
- MD5: a995787df1dd00b8c0554d0429a0055b
- SHA1: 3e62863d7144cbdb00ebd0856c05e6c55383f5b9
- SHA256: 29c5bee50ae4ae71dee17438c7833ce25eac1a7dad491703eec74cf266b0e889
- SHA512: 0c5eb2f92a1f5e700a9c01c36196c557ce5ab324fb7c1b214a87d8318a077de9c55e32bdb0e976e254039b95adcb058dcf2e99e394d1804a0c87acdc96ce0632