Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 07:28
Static task: static1
Behavioral task: behavioral1
Sample: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Resource: win7-20220414-en
General
Target: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Size: 418KB
MD5: 36a8bf060f86867226c4268b41965e48
SHA1: 39aaf27ac2f3d346a181dc74fa4555da429580fe
SHA256: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2
SHA512: ac39821cf66124393f9dcf42c0501f5c6a20ebd9cc6b5034ecf13f30e13ca8900efc738aa5d060545da8969dec5c46f7105d01ff27f4836e787268925b83bb47
Malware Config
Extracted
Family: phorphiex
C2: http://185.176.27.132/
Wallets:
18bzpjFfo5JQ41GzzUNRMgcE7WwQwpqFrR
qzrlc85n7vu220yz2ev2vzdyanzpewfx4y9ntufhuz
XhEqUEiD1bLxA8mRePYqLSqzZfLXp1X74m
D6tmLUzcMLo6iMCjG8NCgTefkn5tw3L5Lm
0xab1b250d67d08bf73ac864ea57af8cf762a29649
LhGa2pRATCyusFbYRhJSoyXrx3om9Yxnca
t1ZaBJjdvxKaqTmNV2qjDVK3FtpLL73ZXcj
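The extracted config carries one URL and seven address-like strings across several coin formats. The following is an added example (not code from the sandbox or from this report) that classifies each string by format and, for the Base58Check ones, verifies the embedded checksum. The chain names are an assumption drawn from the standard mainnet address prefixes; the report itself only lists the raw strings.

```python
"""Classify the address-like strings in the extracted phorphiex config.

Added example; not code from the sandbox or the report. The report gives only
the raw strings, so the chain names below are an assumption drawn from the
standard mainnet address prefixes. A passing Base58Check checksum proves the
string is a well-formed address, nothing about who controls it.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Base58Check version bytes for mainnet (assumption: the standard values).
# Zcash transparent addresses use a two-byte version, the rest one byte.
VERSION_BYTES = {
    b"\x00": ("bitcoin", "p2pkh"),
    b"\x05": ("bitcoin", "p2sh"),
    b"\x30": ("litecoin", "p2pkh"),
    b"\x32": ("litecoin", "p2sh"),
    b"\x4c": ("dash", "p2pkh"),
    b"\x1e": ("dogecoin", "p2pkh"),
    b"\x1c\xb8": ("zcash", "transparent"),
}
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
# Bitcoin Cash CashAddr body (42 base32 chars) with the "bitcoincash:" prefix stripped.
CASHADDR_RE = re.compile(r"^[qp][qpzry9x8gf2tvdw0s3jn54khce6mua7l]{41}$")

# Constructed from the "Extracted" list in the report above.
CONFIG_STRINGS = [
    "18bzpjFfo5JQ41GzzUNRMgcE7WwQwpqFrR",
    "qzrlc85n7vu220yz2ev2vzdyanzpewfx4y9ntufhuz",
    "XhEqUEiD1bLxA8mRePYqLSqzZfLXp1X74m",
    "D6tmLUzcMLo6iMCjG8NCgTefkn5tw3L5Lm",
    "0xab1b250d67d08bf73ac864ea57af8cf762a29649",
    "LhGa2pRATCyusFbYRhJSoyXrx3om9Yxnca",
    "t1ZaBJjdvxKaqTmNV2qjDVK3FtpLL73ZXcj",
]


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' is one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * zeros + body


def classify(s: str) -> dict:
    """Return chain/kind for one string; checksum_ok is None where no checksum was checked."""
    result = {"value": s, "chain": None, "kind": None, "checksum_ok": None}
    if ETH_RE.match(s):
        # All-lowercase hex carries no EIP-55 checksum, so there is nothing to verify.
        result.update(chain="ethereum", kind="account")
        return result
    if CASHADDR_RE.match(s):
        # Charset and length only; the CashAddr polymod is not implemented here.
        result.update(chain="bitcoincash", kind="cashaddr")
        return result
    try:
        raw = b58decode(s)
    except ValueError:
        return result
    if len(raw) < 25:                       # version + 20-byte hash + 4-byte checksum
        return result
    payload, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    result["checksum_ok"] = digest[:4] == check
    version = payload[:-20]                 # whatever precedes the 20-byte hash
    result["chain"], result["kind"] = VERSION_BYTES.get(version, (None, None))
    return result


def classify_all(strings=CONFIG_STRINGS) -> list:
    return [classify(s) for s in strings]


if __name__ == "__main__":
    for r in classify_all():
        print(f"{r['value']:44} {r['chain'] or '?':12} {r['kind'] or '?':12} "
              f"checksum_ok={r['checksum_ok']}")
```

A string that fails the checksum is either a transcription error in the report or not an address at all, so the check is worth running before the values go into a blocklist or a blockchain-explorer pivot.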
Signatures

Modifies Windows Defender Real-time Protection settings
Process: sysbgff.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
These are Group Policy keys: values written under HKLM\SOFTWARE\Policies take precedence over the settings exposed in the Defender UI, so real-time scanning, on-access protection and behaviour monitoring are switched off by policy.

Phorphiex payload 1 IoCs
- resource: behavioral1/memory/1280-57-0x00000000003A0000-0x00000000003AE000-memory.dmp
  yara_rule: family_phorphiex
  (a 0xE000-byte region in PID 1280, the original sample process)

Windows security bypass
Process: sysbgff.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Network signature fired during the run. The rule matches the cookie value the AnubisNetworks sinkhole sets in its HTTP responses, so at least one host the sample contacted answered as a sinkhole rather than as live infrastructure.
-

Executes dropped EXE 1 IoCs
- PID 268 sysbgff.exe

Loads dropped DLL 1 IoCs
- PID 1280 d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe

Windows security modification
Process: sysbgff.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"

Adds Run key to start application 2 TTPs 2 IoCs
Process: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1684912020\\sysbgff.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1684912020\\sysbgff.exe"
The same value name ("Microsoft Windows Driver") is written to both the machine Run key (under Wow6432Node, i.e. the sample is a 32-bit process on the x64 VM) and the current user's Run key.

Drops file in Windows directory 3 IoCs
Process: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
- File created: C:\Windows\1684912020\sysbgff.exe
- File opened for modification: C:\Windows\1684912020\sysbgff.exe
- File opened for modification: C:\Windows\1684912020
Writing under C:\Windows needs an elevated token; it succeeds here because the sample runs under the sandbox's Admin user.

Suspicious behavior: EnumeratesProcesses 18 IoCs
- PID 1280 d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe (9 events)
- PID 268 sysbgff.exe (9 events)

Suspicious use of AdjustPrivilegeToken 28 IoCs
- PID 1280 d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe: Token 35 (13 events), SeDebugPrivilege (1 event)
- PID 268 sysbgff.exe: Token 35 (13 events), SeDebugPrivilege (1 event)
(Privilege LUID 35 is SeCreateSymbolicLinkPrivilege in winnt.h; SeDebugPrivilege is the one that matters for opening other processes.)

Suspicious use of SetWindowsHookEx 4 IoCs
- PID 1280 d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe (2 events)
- PID 268 sysbgff.exe (2 events)

Suspicious use of WriteProcessMemory 4 IoCs
- PID 1280 d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe wrote to memory of PID 268 sysbgff.exe (4 events)
Parent-to-child writes around process start are common and are not by themselves evidence of code injection; the target here is the just-dropped copy, not a foreign process.
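The registry and file events above are the detectable part of this run: Defender policy tampering, Security Center override/notify suppression, Run-key persistence named "Microsoft Windows Driver", and an executable dropped into a numeric directory under C:\Windows. The following is an added example (not code from the sandbox or from this report) that parses event lines in the report's own format and runs them through detection rules for those four behaviours. The event lines are constructed from the Signatures section plus one benign control line; the rule names, severities and key-path patterns are this example's own assumptions, not the sandbox's.

```python
"""Run the registry and file events from this report through a few detection rules.

Added example; not code from the sandbox or the report. The event lines are
constructed from the Signatures section (plus one benign control line); the
rule names and severities are this example's own, not the sandbox's.
"""
import re
from collections import Counter

SAMPLE = "d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe"

REPORT_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection sysbgff.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sysbgff.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sysbgff.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sysbgff.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysbgff.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysbgff.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1684912020\\sysbgff.exe" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1684912020\\sysbgff.exe" ' + SAMPLE,
    r'File created C:\Windows\1684912020\sysbgff.exe ' + SAMPLE,
    # Benign control line (constructed, not from the report): an ordinary Run entry.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\OneDrive\\OneDrive.exe" explorer.exe',
]

# One report line: "<op> <target>[ = "<data>"] <process>"; the process is the last token.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created|File created|File opened for modification) '
    r'(?P<target>.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+)$'
)
OP_NAMES = {"Key created": "key_created", "File created": "file_created",
            "File opened for modification": "file_modified"}

# Rule inputs (assumptions: the well-known key paths, matched case-insensitively).
DEFENDER_RTP = "\\policies\\microsoft\\windows defender\\real-time protection\\"
SECURITY_CENTER = "\\microsoft\\security center\\"
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\")
# Drop location seen in this report: C:\Windows\<digits>\<name>.exe
NUMERIC_WINDOWS_DIR_RE = re.compile(r"^c:\\windows\\\d+\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line: str):
    """Split one report line into op / target / data / process, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")   # the report doubles backslashes inside quoted data
    return {"op": OP_NAMES.get(m.group("op"), "set_value"), "vtype": m.group("vtype"),
            "target": m.group("target"), "data": data, "proc": m.group("proc")}


def normalize_hive(path: str) -> str:
    """Turn the kernel \\REGISTRY\\... form into the HKLM / HKU names analysts use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def evaluate(ev: dict) -> list:
    """Return (rule, severity) pairs that fire for one parsed event."""
    hits = []
    if ev["op"] == "set_value":
        key = ev["target"].lower()
        name = key.rsplit("\\", 1)[-1]
        if DEFENDER_RTP in key and name.startswith("disable") and ev["data"] == "1":
            hits.append(("defender_rtp_disabled", "high"))
        if SECURITY_CENTER in key and ev["data"] == "1" and (
                name.endswith("override") or name.endswith("disablenotify")):
            hits.append(("security_center_suppressed", "medium"))
        if RUN_KEY_RE.search(key):
            # Every Run entry is logged; one pointing into C:\Windows\<digits>\ is rated high.
            suspicious = bool(NUMERIC_WINDOWS_DIR_RE.match(ev["data"] or ""))
            hits.append(("run_key_persistence", "high" if suspicious else "info"))
    elif ev["op"] == "file_created" and NUMERIC_WINDOWS_DIR_RE.match(ev["target"]):
        hits.append(("exe_dropped_in_numeric_windows_dir", "high"))
    return hits


def scan(lines) -> list:
    """Parse and evaluate every line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, severity in evaluate(ev):
            findings.append({"rule": rule, "severity": severity, "process": ev["proc"],
                             "target": normalize_hive(ev["target"]), "data": ev["data"]})
    return findings


def by_process(findings) -> dict:
    """Count findings per responsible process."""
    return dict(Counter(f["process"] for f in findings))


if __name__ == "__main__":
    for f in scan(REPORT_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:36} {f['process']}: {f['target']} = {f['data']!r}")
    print(by_process(scan(REPORT_EVENTS)))
```

The split of responsibility matters for response: the original sample owns persistence and the drop, the dropped copy owns the security tampering, so a host where only the Run key is present has run the first stage but not yet the second.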
Processes
-
Level 1: "C:\Users\Admin\AppData\Local\Temp\d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe" (PID 1280)
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Level 2 (child of PID 1280): C:\Windows\1684912020\sysbgff.exe (PID 268)
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 418KB
MD5: 36a8bf060f86867226c4268b41965e48
SHA1: 39aaf27ac2f3d346a181dc74fa4555da429580fe
SHA256: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2
SHA512: ac39821cf66124393f9dcf42c0501f5c6a20ebd9cc6b5034ecf13f30e13ca8900efc738aa5d060545da8969dec5c46f7105d01ff27f4836e787268925b83bb47
(Three download entries are listed, all with the same hashes as the submitted sample.)