Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 04:40

Static task: static1
Behavioral task: behavioral1
  Sample: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
  Resource: win7-20220718-en
(The YARA hits and memory dumps below are tagged behavioral2, i.e. they come from the win10v2004-20220721-en run named in the header above, not from the behavioral1 / win7 task.)
General

Target: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
Size: 368KB
MD5: 4edd5e53432ee2fde30e94e4887dec54
SHA1: 6bb5c8be14d8da80f0f96c99fa2df3bb7124c965
SHA256: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f
SHA512: 28723099729b415b3af80922d7983fa07ba7bad88276d35ac9a481aed0e77f435bebb8460c6a8948068577ebda2d692e0622a2f9f181ded29475cb68e5d45eaa
Malware Config
Extracted

Family: phorphiex
URL: http://185.176.27.132/
Wallet addresses (coin inferred from the address format only; the config does not label them):
  Bitcoin (P2PKH): 13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa
  Bitcoin Cash (CashAddr, "bitcoincash:" prefix omitted): qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99
  Dash: XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE
  Dogecoin: DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc
  Ethereum: 0x373b9854c9e4511b920372f5495640cdc25d6832
  Litecoin: LSermtCTLWeS683x17AtYuhNT8MpMmVmi8
  Zcash (transparent t1 address): t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: sysutlp.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Note: every write lands under WOW6432Node because the sample is a 32-bit image (arch:x86 tag) and the WOW64 registry redirector maps HKLM\SOFTWARE for it. The 64-bit Defender service reads the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender view, so when hunting check both views and do not assume the policy change actually took effect.
Phorphiex payload 2 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4876-131-0x00000000032C0000-0x00000000032CE000-memory.dmp  family_phorphiex
  behavioral2/memory/3840-141-0x00000000022B0000-0x00000000022BE000-memory.dmp  family_phorphiex
Both hits are the two 56KB regions listed under Downloads, lying outside the 0x400000 image mapping of each process, i.e. the family rule matches material the sample produces in memory, not the on-disk image.
Windows security bypass
Processes: sysutlp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
suricata: ET MALWARE APT-C-23 Activity (GET)

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Treat these ET rule names as signature matches, not attribution: the YARA family hit on both processes is phorphiex, and the second rule matches the Snkz cookie that an AnubisNetworks sinkhole sets, which says that at least one host the sample contacted answered as a sinkhole, not what the payload was.
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  3840  sysutlp.exe
Windows security modification
Processes: sysutlp.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Adds Run key to start application 2 TTPs 2 IoCs
Processes: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\24664298\\sysutlp.exe"
  Set value (str)  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\24664298\\sysutlp.exe"
Unlike the Defender policy writes, this persistence is effective from a 32-bit process: the shell processes the WOW6432Node Run key at logon as well as the native one, and the second entry is in the user's own hive (HKCU Run). The value name "Microsoft Windows Driver" and the purely numeric directory under C:\Windows are the things to key on.
Drops file in Windows directory 3 IoCs
Processes: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
  File created                C:\Windows\24664298\sysutlp.exe
  File opened for modification  C:\Windows\24664298\sysutlp.exe
  File opened for modification  C:\Windows\24664298
Creating a directory under C:\Windows and writing HKLM\SOFTWARE both need an elevated token; the sandbox ran the sample as the Admin user, so on a host where the user is not a local administrator this part of the chain fails.
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
  pid   process                                                                 events
  4876  b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe  18
  3840  sysutlp.exe                                                             18
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4876  b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
  Token: SeDebugPrivilege  3840  sysutlp.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process                                                                 events
  4876  b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe  2
  3840  sysutlp.exe                                                             2
Suspicious use of WriteProcessMemory 3 IoCs
Processes: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
  PID 4876 (b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe) wrote to memory of 3840 (sysutlp.exe), 3 events
Three writes by a parent into the child it has just created (see Executes dropped EXE) are consistent with ordinary process start-up, where the creating process writes the new process's parameters into its address space; on their own they do not show code injection, and the YARA hit in 3840 is in a separate 56KB region, not in the image.
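The registry IoCs above (Defender Real-Time Protection policy values set to 1, Security Center notify/override values set to 1, and a Run entry pointing into a numeric directory under C:\Windows) are the concrete things a detection should key on. The following Python is an added example for this page, not code from the Triage report or from the Phorphiex sample: it classifies constructed Sysmon-style registry value-set events (the field names Image, TargetObject and Details follow Sysmon Event ID 13; the events themselves are constructed to mirror the IoCs above, plus two benign writes that must not fire) after normalising the HKLM/HKU and \REGISTRY\MACHINE forms, per-user SIDs and WOW6432Node, so that a write through the 32-bit registry view matches the same rule as a native write.

```python
"""Flag the registry tampering recorded in this report over Sysmon-style events.

Added example for this page, not code from the Triage report or the Phorphiex
sample. Field names (Image, TargetObject, Details) follow Sysmon Event ID 13;
the events in SAMPLE_EVENTS are constructed to mirror the report's IoCs.
"""
import re
from collections import defaultdict

# Defender policy values the dropped sysutlp.exe sets to 1 (Signatures section).
DEFENDER_RTP_KEY = r"software\policies\microsoft\windows defender\real-time protection"
DEFENDER_RTP_VALUES = {v.lower() for v in (
    "DisableScanOnRealtimeEnable", "DisableOnAccessProtection", "DisableBehaviorMonitoring")}
# Security Center values the sample sets to 1 to silence AV/firewall/update warnings.
SECURITY_CENTER_KEY = r"software\microsoft\security center"
SECURITY_CENTER_VALUES = {v.lower() for v in (
    "AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify",
    "AutoUpdateDisableNotify", "AntiVirusOverride", "UpdatesOverride", "FirewallOverride")}
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
# Run target in a purely numeric directory directly under C:\Windows (C:\Windows\24664298\ here).
NUMERIC_WINDOWS_DIR_RE = re.compile(r'^"?[a-z]:\\windows\\\d+\\[^\\]+\.exe"?$', re.IGNORECASE)
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-f]{8})\)$", re.IGNORECASE)


def normalize_key(target_object: str) -> str:
    """Strip hive prefix, per-user SID and WOW6432Node so both registry views compare equal.

    Accepts Sysmon's HKLM\\... / HKU\\S-1-5-...\\... and the kernel form the report
    prints (\\REGISTRY\\MACHINE\\..., \\REGISTRY\\USER\\S-1-5-...\\...).
    """
    key = re.sub(r"^(?:\\registry\\machine|\\registry\\user|hklm|hku|hkey_local_machine|hkey_users)\\",
                 "", target_object, flags=re.IGNORECASE)
    key = re.sub(r"^s-1-5-21-[\d-]+\\", "", key, flags=re.IGNORECASE)
    return re.sub(r"\\wow6432node\\", r"\\", key, flags=re.IGNORECASE)


def parse_details(details: str):
    """Return an int for Sysmon's 'DWORD (0x........)' rendering or a bare digit string,
    otherwise the raw string (REG_SZ data such as a Run command line)."""
    details = details.strip()
    m = DWORD_RE.match(details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.isdigit() else details


def classify(event: dict):
    """Return a finding label for one registry value-set event, or None if benign."""
    key, _, value_name = normalize_key(event["TargetObject"]).rpartition("\\")
    key, value_name = key.lower(), value_name.lower()
    data = parse_details(event["Details"])
    if key == DEFENDER_RTP_KEY and value_name in DEFENDER_RTP_VALUES and data == 1:
        return "defender_realtime_protection_disabled"
    if key == SECURITY_CENTER_KEY and value_name in SECURITY_CENTER_VALUES and data == 1:
        return "security_center_notifications_suppressed"
    if key.endswith(RUN_KEY_SUFFIX) and isinstance(data, str) and NUMERIC_WINDOWS_DIR_RE.match(data):
        return "run_key_to_numeric_windows_dir"
    return None


def scan(events):
    """Group unique finding labels per writing process: {image: sorted labels}."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev["Image"]].add(label)
    return {image: sorted(labels) for image, labels in findings.items()}


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe"
DROPPED = r"C:\Windows\24664298\sysutlp.exe"
# Constructed events mirroring the report's IoCs, plus two benign writes that must not fire.
SAMPLE_EVENTS = [
    {"Image": DROPPER, "Details": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver"},
    {"Image": DROPPER, "Details": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver"},
    {"Image": DROPPED, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"Image": DROPPED, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection"},
    {"Image": DROPPED, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    # Benign: an installer's Run entry under Program Files (hypothetical vendor path).
    {"Image": r"C:\Program Files\Vendor\setup.exe", "Details": r"C:\Program Files\Vendor\agent.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    # Benign: an administrator re-enabling behaviour monitoring (value 0).
    {"Image": r"C:\Windows\regedit.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
]

if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS).items():
        print(f"{image}\n  -> {', '.join(labels)}")
```

Run as-is it reports the dropper for the Run-key finding and sysutlp.exe for both the Defender and Security Center findings, and stays silent on the two benign writes. The normalisation step is the part worth keeping: because the sample writes through the WOW64 redirector, a rule that matches only the native `HKLM\SOFTWARE\Policies\...` path would miss every write in this report.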
Processes
1. C:\Users\Admin\AppData\Local\Temp\b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
2. C:\Windows\24664298\sysutlp.exe (child of 1)
   Command line: C:\Windows\24664298\sysutlp.exe
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\24664298\sysutlp.exe
  Filesize: 368KB
  MD5: 4edd5e53432ee2fde30e94e4887dec54
  SHA1: 6bb5c8be14d8da80f0f96c99fa2df3bb7124c965
  SHA256: b65cdaaf688423fb0d3b02e18dfa814ebc6bc2e4637e8a40f9c64c802b7f219f
  SHA512: 28723099729b415b3af80922d7983fa07ba7bad88276d35ac9a481aed0e77f435bebb8460c6a8948068577ebda2d692e0622a2f9f181ded29475cb68e5d45eaa
(The report lists this file twice with identical values, once per file event. The hashes match the submitted sample exactly, so the dropped file is a byte-for-byte self-copy; one file hash covers both the dropper and its persisted copy.)
Memory dumps

  memory/3840-137-0x0000000000000000-mapping.dmp
  memory/3840-140-0x0000000000400000-0x0000000000460000-memory.dmp   Filesize 384KB
  memory/3840-141-0x00000000022B0000-0x00000000022BE000-memory.dmp   Filesize 56KB
  memory/3840-146-0x0000000000400000-0x0000000000460000-memory.dmp   Filesize 384KB
  memory/4876-130-0x0000000000400000-0x0000000000460000-memory.dmp   Filesize 384KB
  memory/4876-131-0x00000000032C0000-0x00000000032CE000-memory.dmp   Filesize 56KB
  memory/4876-136-0x0000000000400000-0x0000000000460000-memory.dmp   Filesize 384KB
The 384KB dumps are the 0x400000 image mapping of each process; the two 56KB dumps (4876-131 and 3840-141) are the regions the family_phorphiex YARA rule matched under Signatures.