Analysis

max time kernel: 192s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-06-2022 22:43

Static task: static1
Behavioral task: behavioral1
Sample: db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
Resource: win7-20220414-en
General

Target: db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
Size: 454KB
MD5: 87f19914a9966998a89839dbdc978d4f
SHA1: f7a14349ce4d889dac552451c91dddf7bc583245
SHA256: db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
SHA512: 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b
Malware Config

Extracted
Family: phorphiex
URL: http://185.176.27.132/
Signatures

Modifies Windows Defender Real-time Protection settings
Processes:
  sysfstx.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
    Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Phorphiex payload 2 IoCs
Processes:
  resource                                                                         yara_rule
  behavioral2/memory/3068-132-0x0000000002460000-0x000000000246A000-memory.dmp    family_phorphiex
  behavioral2/memory/2280-139-0x00000000005E0000-0x00000000005EA000-memory.dmp    family_phorphiex
Windows security bypass
Processes:
  sysfstx.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE 1 IoCs
Processes:
  pid 2280  sysfstx.exe
Windows security modification
Processes:
  sysfstx.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1923925090\\sysfstx.exe"
    Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1923925090\\sysfstx.exe"
Drops file in Windows directory 3 IoCs
Processes:
  db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
    File created C:\Windows\1923925090\sysfstx.exe
    File opened for modification C:\Windows\1923925090\sysfstx.exe
    File opened for modification C:\Windows\1923925090
Suspicious behavior: EnumeratesProcesses 36 IoCs (repeated entries for the two processes below)
Processes:
  pid 3068  db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
  pid 2280  sysfstx.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege  pid 3068  db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
  Token: SeDebugPrivilege  pid 2280  sysfstx.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  PID 3068 wrote to memory of 2280  (process db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe, target process sysfstx.exe), recorded 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. C:\Windows\1923925090\sysfstx.exe (spawned by the process above)
   Command line: C:\Windows\1923925090\sysfstx.exe
   - Modifies Windows Defender Real-time Protection settings
   - Windows security bypass
   - Executes dropped EXE
   - Windows security modification
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Windows\1923925090\sysfstx.exe
  Filesize: 454KB
  MD5: 87f19914a9966998a89839dbdc978d4f
  SHA1: f7a14349ce4d889dac552451c91dddf7bc583245
  SHA256: db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
  SHA512: 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b

memory/2280-133-0x0000000000000000-mapping.dmp
memory/2280-136-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
memory/2280-138-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
memory/2280-139-0x00000000005E0000-0x00000000005EA000-memory.dmp  Filesize: 40KB
memory/3068-130-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
memory/3068-131-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
memory/3068-132-0x0000000002460000-0x000000000246A000-memory.dmp  Filesize: 40KB
memory/3068-137-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB