Analysis
max time kernel: 151s
max time network: 160s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2022 19:06
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
General
Target: tmp.exe
Size: 75KB
MD5: 209baf40779b80d5e443c3dbbd656bfb
SHA1: b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256: c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512: 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e
Malware Config
Extracted family: phorphiex
URL: http://185.215.113.84/twizt/
Signatures
Windows security bypass (heading inferred from the process tree, where this signature is attributed to wklopsvcs.exe; the table is unlabelled on the page)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wklopsvcs.exe)
Executes dropped EXE 3 IoCs
Processes:
- PID 1720 wklopsvcs.exe
- PID 1268 312495840.exe
- PID 864 1189317648.exe
Loads dropped DLL 2 IoCs
Processes:
- PID 1720 wklopsvcs.exe (2 events)
Windows security modification (heading inferred from the process tree, where this signature is attributed to wklopsvcs.exe; the table is unlabelled on the page)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" (wklopsvcs.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (wklopsvcs.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" (tmp.exe)
Drops file in Windows directory 2 IoCs
Processes:
- File created C:\Windows\wklopsvcs.exe (tmp.exe)
- File opened for modification C:\Windows\wklopsvcs.exe (tmp.exe)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 856 (tmp.exe) wrote to memory of PID 1720 (wklopsvcs.exe), 4 events
- PID 1720 (wklopsvcs.exe) wrote to memory of PID 1268 (312495840.exe), 4 events
- PID 1720 (wklopsvcs.exe) wrote to memory of PID 864 (1189317648.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"), PID 856
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\wklopsvcs.exe (command line: C:\Windows\wklopsvcs.exe), PID 1720, child of tmp.exe
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\312495840.exe (command line: C:\Users\Admin\AppData\Local\Temp\312495840.exe), PID 1268, child of wklopsvcs.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\1189317648.exe (command line: C:\Users\Admin\AppData\Local\Temp\1189317648.exe), PID 864, child of wklopsvcs.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 6KB
  MD5: a475e43527d7dc7d6f2d23bad64fcc99
  SHA1: 793a7625c0106d6cd79d060b4eec94e58530833e
  SHA256: f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
  SHA512: 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900
- Filesize: 9KB
  MD5: c8a69840ffff790ea975bb0cf55f7f4d
  SHA1: dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
  SHA256: e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
  SHA512: df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a
- Filesize: 75KB (same hashes as the submitted sample tmp.exe)
  MD5: 209baf40779b80d5e443c3dbbd656bfb
  SHA1: b64fa8dded031d5dacac519a2035cefcd05e6503
  SHA256: c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
  SHA512: 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e