Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2022 16:08
Behavioral task: behavioral1
Sample: ed2d7b25bb360cccb4f0f6a4f8732d7a.exe
Resource: win7-20220812-en

General

Target: ed2d7b25bb360cccb4f0f6a4f8732d7a.exe
Size: 75KB
MD5: ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1: 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512: 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f
Malware Config

Extracted
Family: phorphiex
C2: http://185.215.113.66/twizt/

The extracted configuration pairs a single C2 URL with a list of cryptocurrency wallet addresses in many address formats (Bitcoin legacy, P2SH and bech32, Bitcoin Cash, Ethereum-style 0x, Monero and others). Phorphiex (also written Phorpiex) carries a clipboard hijacker ("clipper") that replaces a wallet address the victim copies with an attacker-controlled address of the same type, which is what a list like this is used for. Treat every address below as an attacker-controlled indicator. Note that qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k and bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k are the same Bitcoin Cash address with and without its URI prefix.

Wallet addresses:
12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc
1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD
3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg
3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz
qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8
DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG
0xb899fC445a1b61Cdd62266795193203aa72351fE
LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7
r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1
TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5
t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy
AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX
bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY
bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky
bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v
Signatures

Windows security bypass 12 IoCs
Processes: winrecsv.exe (PID 4024), winrecsv.exe (PID 4424)

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winrecsv.exe

Each of the six values appears twice in the report (the signature is attributed to both winrecsv.exe instances), giving the 12 IoCs. The WOW6432Node path is registry redirection: a 32-bit process writing HKLM\SOFTWARE on the x64 image lands in the WOW6432Node view, so a host check has to look in both views. These Override/DisableNotify values date from the Windows XP/Vista Security Center and are not what Windows 10 uses to control its security notifications, so read them as an attempted defense-evasion step and a high-fidelity indicator rather than as proof that protection was actually switched off.
Executes dropped EXE 5 IoCs
Processes: winrecsv.exe, 1811431440.exe, 873529329.exe, winrecsv.exe, 255594601.exe

pid | process
4024 | winrecsv.exe
836 | 1811431440.exe
3176 | 873529329.exe
4424 | winrecsv.exe
5072 | 255594601.exe
Windows security modification 14 IoCs
Processes: winrecsv.exe (PID 4024), winrecsv.exe (PID 4424)

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winrecsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winrecsv.exe

Each of the seven values appears twice in the report (both winrecsv.exe instances are credited with the signature), giving the 14 IoCs. This is the same set of Security Center values as the bypass signature above plus AntiSpywareOverride.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ed2d7b25bb360cccb4f0f6a4f8732d7a.exe, 873529329.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | ed2d7b25bb360cccb4f0f6a4f8732d7a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\winrecsv.exe" | 873529329.exe

Persistence is established twice under the same innocuous-looking value name "Windows Settings": once machine-wide (HKLM, WOW6432Node view) pointing at C:\Windows\winrecsv.exe, and once in the user's hive pointing at a second copy at C:\Users\Admin\winrecsv.exe.
Drops file in Windows directory 3 IoCs
Processes: ed2d7b25bb360cccb4f0f6a4f8732d7a.exe, 873529329.exe

description | ioc | process
File created | C:\Windows\winrecsv.exe | ed2d7b25bb360cccb4f0f6a4f8732d7a.exe
File opened for modification | C:\Windows\winrecsv.exe | ed2d7b25bb360cccb4f0f6a4f8732d7a.exe
File created | C:\Windows\winrecsv.exe | 873529329.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: ed2d7b25bb360cccb4f0f6a4f8732d7a.exe, winrecsv.exe, 873529329.exe, winrecsv.exe

description | source pid | source process | target pid | target process | entries
wrote to memory of | 4064 | ed2d7b25bb360cccb4f0f6a4f8732d7a.exe | 4024 | winrecsv.exe | 3
wrote to memory of | 4024 | winrecsv.exe | 836 | 1811431440.exe | 3
wrote to memory of | 4024 | winrecsv.exe | 3176 | 873529329.exe | 3
wrote to memory of | 3176 | 873529329.exe | 4424 | winrecsv.exe | 3
wrote to memory of | 4424 | winrecsv.exe | 5072 | 255594601.exe | 3

The report logs each write three times, hence 15 IoCs for five source/target pairs. All five pairs are exactly the parent-to-child edges of the process tree below (each parent writes into the child it has just spawned), so on its own this signature is consistent with ordinary child-process startup rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe (PID 4064)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\winrecsv.exe (PID 4024, child of 4064)
    command line: C:\Windows\winrecsv.exe
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1811431440.exe (PID 836, child of 4024)
      command line: C:\Users\Admin\AppData\Local\Temp\1811431440.exe
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\873529329.exe (PID 3176, child of 4024)
      command line: C:\Users\Admin\AppData\Local\Temp\873529329.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\winrecsv.exe (PID 4424, child of 3176)
        command line: C:\Users\Admin\winrecsv.exe
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\255594601.exe (PID 5072, child of 4424)
          command line: C:\Users\Admin\AppData\Local\Temp\255594601.exe
          - Executes dropped EXE
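The registry values, Run-key entries, dropped paths and process names above are the artifacts a responder would sweep a fleet for. The following host check is an added example written for this page; it is not part of the sandbox report and not the malware author's code. It takes the Security Center value names, the "Windows Settings" Run value, the two winrecsv.exe locations and the sample's SHA256 from the report; the script structure, output format and exit-code convention are assumptions of this example. Run it in an elevated PowerShell so HKLM, every loaded user hive under HKEY_USERS and C:\Windows are readable.

```powershell
# Added example (not from the sandbox report): hunt a Windows host for the
# artifacts this report attributes to the Phorphiex sample. Value names, paths
# and the hash come from the report; everything else is this example's own.

$Sha256   = '22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Security Center override / disable-notify values set to 1.
#    The report shows the WOW6432Node view (32-bit writer on x64); check both views.
$ScKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center',
    'HKLM:\SOFTWARE\Microsoft\Security Center'
)
$ScValues = 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride',
            'FirewallDisableNotify', 'UpdatesOverride', 'UpdatesDisableNotify',
            'AntiSpywareOverride'
foreach ($key in $ScKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $ScValues) {
        if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
            $Findings.Add("SecurityCenter: $key\$name = 1")
        }
    }
}

# 2. Run-key persistence under the value name "Windows Settings", in the machine
#    hive (both views) and in every user hive currently loaded under HKEY_USERS.
$RunKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$RunKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
            ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Windows Settings'
    if ($val -and $val -match 'winrecsv\.exe') {
        $Findings.Add("Persistence: $key\Windows Settings = $val")
    }
}

# 3. Dropped binary at C:\Windows\winrecsv.exe or <profile>\winrecsv.exe.
#    A name match with a different hash is still reported: the sample is likely to be
#    repacked, and the file name plus location is the stable part of the indicator.
$Candidates = @("$env:SystemRoot\winrecsv.exe") +
              (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'winrecsv.exe' })
foreach ($path in $Candidates) {
    if (Test-Path $path -PathType Leaf) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $tag  = if ($hash -ieq $Sha256) { 'HASH MATCH' } else { 'name match, different hash' }
        $Findings.Add("File: $path ($tag, sha256=$hash)")
    }
}

# 4. A running winrecsv.exe, wherever it was started from.
Get-Process -Name winrecsv -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Process: PID $($_.Id) $($_.Path)") }

# Non-zero exit on any finding so the script can be fanned out with a remoting tool
# and hosts triaged by exit code.
if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Output $_ }
    exit 1
} else {
    Write-Output 'No artifacts from this report found.'
    exit 0
}
```

Two design points. The hash check is deliberately the weakest signal: Phorphiex is repacked often, so a C:\Windows\winrecsv.exe with a different SHA256 is still worth pulling. And the Security Center sweep reads both the native and the WOW6432Node view because which one the malware hit depends only on its bitness, not on the host.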
Downloads

The report lists 13 dropped-file entries, several of which are the same content written to more than one location. They are grouped here by hash, with the number of entries each hash accounts for.

Filesize: 6KB (1 entry)
MD5: 9e2f163c15ee457be1f51981985570a1
SHA1: 4a191e6da4a85b915f285e758d0789d2ede3aff1
SHA256: c7de55ddd548f4f268979e1f0c70ab0edb2566c0ce46b921ea281e1570abad82
SHA512: 4b3eae4a1df79ac8805f46d32daecdb54028d160a5056679d4478c08e7f8ff42df5f84f4b1fe2cb8b5f3574eae5b18a94ad865edfc4d314a51118316c907967d

Filesize: 6KB (4 entries)
MD5: a475e43527d7dc7d6f2d23bad64fcc99
SHA1: 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256: f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512: 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

Filesize: 75KB (6 entries; same hashes as the submitted sample)
MD5: ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1: 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512: 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

Filesize: 295B (1 entry)
MD5: 736696f9732537ccfd22f6cbad731f13
SHA1: 70257e67b17b634464320a3f0d78a4fed92cfc00
SHA256: 80bf82ec8153367a76a9622ff0142eb8bf8190a99b808065c6a005d6acd8194a
SHA512: ec72199a9684e039cc4cb75c63fe434aecf3fda755f4d6c5945cbb499336b1c716d0984e7f6d4b374d51c02675a4a89a268d268c4f68cb19efc0c8a7ded074e5

Filesize: 4KB (1 entry)
MD5: a72ad0ec1a394454c6c2654f0e291487
SHA1: 9d0c5570fb201977603a2e6186b91189fd6a771d
SHA256: 6db70cb72592840e1e02bcb68e98b531fdfe7d3d5da7ff5f7fb07caac1f5c96b
SHA512: 8ea95b75c20a491aef638e24085325394fc8c3d72b01796f877c4a19e487c556255dbba7dd000d1a9d6080bf965f50ccf0b5427ecb56cd42ce53d57630496114