Analysis Overview
SHA256
4be45155e4f00c417a85688e2d31587ee82fe60dfc5c81a7c901ea703a179017
Threat Level: Known bad
The file a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Drops file in Windows directory
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-17 14:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-17 14:09
Reported
2022-08-17 14:11
Platform
win7-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202557257.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | "C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe" |
| C:\Users\Admin\AppData\Local\Temp\3301420190.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe |
| C:\Windows\winrecsv.exe | C:\Windows\winrecsv.exe |
| C:\Users\Admin\AppData\Local\Temp\202557257.exe | C:\Users\Admin\AppData\Local\Temp\202557257.exe |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-17 14:09
Reported
2022-08-17 14:11
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277568521.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | "C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe" |
| C:\Users\Admin\AppData\Local\Temp\2178432227.exe | C:\Users\Admin\AppData\Local\Temp\2178432227.exe |
| C:\Windows\winrecsv.exe | C:\Windows\winrecsv.exe |
| C:\Users\Admin\AppData\Local\Temp\277568521.exe | C:\Users\Admin\AppData\Local\Temp\277568521.exe |
Network
Files