Analysis
max time kernel: 153s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 02:46
Static task: static1
Behavioral task: behavioral1
Sample: d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe
Resource: win7-20220718-en
General
Target: d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe
Size: 392KB
MD5: 712a19e062672ca95f393732f9250b6e
SHA1: 687c166c40697686aecd7c5dac972361f3362676
SHA256: d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf
SHA512: 33d5779bae56f7231f841f691ed4ae48641a80baedb5c262ec4b86605a44cd0f02512b514241a3c2d4788c527308dc974382bd3c4ab0af74fe2e064235ed0c65
Malware Config
Extracted
Family: phorphiex
URL: http://185.176.27.132/
Other extracted strings:
  13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa
  qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99
  XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE
  DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc
  0x373b9854c9e4511b920372f5495640cdc25d6832
  LSermtCTLWeS683x17AtYuhNT8MpMmVmi8
  t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR
Signatures

Modifies Windows Defender Real-time Protection settings 4 IoCs
Process: sysbzwh.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"

Phorphiex payload 2 IoCs
Memory resources matching yara_rule family_phorphiex:
  behavioral2/memory/3696-132-0x0000000002240000-0x000000000224E000-memory.dmp
  behavioral2/memory/1964-141-0x0000000002290000-0x000000000229E000-memory.dmp

Windows security bypass 6 IoCs
Process: sysbzwh.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Executes dropped EXE 1 IoCs
  PID 1964 sysbzwh.exe

Windows security modification 7 IoCs
Process: sysbzwh.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"

Adds Run key to start application 2 TTPs 2 IoCs
Process: d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\149719423\\sysbzwh.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\149719423\\sysbzwh.exe"

Drops file in Windows directory 3 IoCs
Process: d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe
  File created: C:\Windows\149719423\sysbzwh.exe
  File opened for modification: C:\Windows\149719423\sysbzwh.exe
  File opened for modification: C:\Windows\149719423

Suspicious behavior: EnumeratesProcesses 36 IoCs
  PID 3696 d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe (18 occurrences)
  PID 1964 sysbzwh.exe (18 occurrences)

Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token: SeDebugPrivilege, PID 3696 d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe
  Token: SeDebugPrivilege, PID 1964 sysbzwh.exe

Suspicious use of SetWindowsHookEx 4 IoCs
  PID 3696 d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe (2 occurrences)
  PID 1964 sysbzwh.exe (2 occurrences)

Suspicious use of WriteProcessMemory 3 IoCs
  PID 3696 d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe wrote to memory of PID 1964 sysbzwh.exe (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf.exe"
   PID: 3696
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Windows\149719423\sysbzwh.exe
   Command line: C:\Windows\149719423\sysbzwh.exe
   PID: 1964
   - Modifies Windows Defender Real-time Protection settings
   - Windows security bypass
   - Executes dropped EXE
   - Windows security modification
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 392KB
MD5: 712a19e062672ca95f393732f9250b6e
SHA1: 687c166c40697686aecd7c5dac972361f3362676
SHA256: d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf
SHA512: 33d5779bae56f7231f841f691ed4ae48641a80baedb5c262ec4b86605a44cd0f02512b514241a3c2d4788c527308dc974382bd3c4ab0af74fe2e064235ed0c65