Analysis
Max time kernel: 154s
Max time network: 206s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 25-06-2022 07:28
Static task: static1
Behavioral task: behavioral1
Sample: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Resource: win7-20220414-en
General
Target: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Size: 418KB
MD5: 36a8bf060f86867226c4268b41965e48
SHA1: 39aaf27ac2f3d346a181dc74fa4555da429580fe
SHA256: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2
SHA512: ac39821cf66124393f9dcf42c0501f5c6a20ebd9cc6b5034ecf13f30e13ca8900efc738aa5d060545da8969dec5c46f7105d01ff27f4836e787268925b83bb47
Malware Config
Extracted family: phorphiex
URL: http://185.176.27.132/
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sysnidx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | sysnidx.exe
Phorphiex payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2340-131-0x00000000022D0000-0x00000000022DE000-memory.dmp | family_phorphiex
behavioral2/memory/2656-142-0x0000000002180000-0x000000000218E000-memory.dmp | family_phorphiex
Windows security bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysnidx.exe
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Executes dropped EXE 1 IoCs
Processes:
pid | process
2656 | sysnidx.exe
Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysnidx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysnidx.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\2624223119\\sysnidx.exe" | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\2624223119\\sysnidx.exe" | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\2624223119 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
File created | C:\Windows\2624223119\sysnidx.exe | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
File opened for modification | C:\Windows\2624223119\sysnidx.exe | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
pid | process | entries
2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | 18
2656 | sysnidx.exe | 18
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
description | pid | process | entries
Token: 35 | 2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | 13
Token: SeDebugPrivilege | 2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | 1
Token: 35 | 2656 | sysnidx.exe | 13
Token: SeDebugPrivilege | 2656 | sysnidx.exe | 1
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process | entries
2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | 2
2656 | sysnidx.exe | 2
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 2340 wrote to memory of 2656 | 2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | sysnidx.exe
PID 2340 wrote to memory of 2656 | 2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | sysnidx.exe
PID 2340 wrote to memory of 2656 | 2340 | d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe | sysnidx.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2340
   2. C:\Windows\2624223119\sysnidx.exe
      Command line: C:\Windows\2624223119\sysnidx.exe
      - Modifies Windows Defender Real-time Protection settings
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2656
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 418KB
MD5: 36a8bf060f86867226c4268b41965e48
SHA1: 39aaf27ac2f3d346a181dc74fa4555da429580fe
SHA256: d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2
SHA512: ac39821cf66124393f9dcf42c0501f5c6a20ebd9cc6b5034ecf13f30e13ca8900efc738aa5d060545da8969dec5c46f7105d01ff27f4836e787268925b83bb47