Analysis Overview
SHA256
a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
Threat Level: Known bad
The file a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Phorphiex
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Windows security modification
Adds Run key to start application
Drops file in Windows directory
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-22 10:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-22 10:17
Reported
2022-08-22 10:19
Platform
win7-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\915211631.scr | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\915211631.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\915211631.scr | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\915211631.scr | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe
"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"
C:\Users\Admin\AppData\Local\Temp\915211631.scr
C:\Users\Admin\AppData\Local\Temp\915211631.scr
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| PK | 39.53.112.230:40500 | | tcp |
| UA | 31.170.155.238:40500 | | udp |
| UZ | 213.230.97.32:40500 | | udp |
| KZ | 95.56.89.135:40500 | | udp |
| IR | 188.211.85.31:40500 | | udp |
| UA | 93.76.157.8:40500 | | udp |
| GH | 196.175.1.52:40500 | | tcp |
| UZ | 217.30.170.9:40500 | | udp |
| IR | 188.215.220.104:40500 | | udp |
| IR | 2.180.53.112:40500 | | udp |
| IR | 31.59.137.132:40500 | | tcp |
| AZ | 109.127.17.122:40500 | | udp |
| UZ | 213.230.90.158:40500 | | udp |
| US | 69.67.151.86:40500 | | udp |
| VE | 201.243.153.142:40500 | | udp |
| ID | 111.94.53.251:40500 | | udp |
| IR | 93.118.121.92:40500 | | tcp |
| TJ | 79.170.184.222:40500 | | udp |
| IR | 37.254.70.57:40500 | | udp |
| RU | 37.20.208.89:40500 | | udp |
| PK | 119.158.120.235:40500 | | udp |
Files
memory/1504-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
\Users\Admin\AppData\Local\Temp\915211631.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
C:\Users\Admin\AppData\Local\Temp\915211631.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/1696-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\915211631.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/1208-61-0x0000000000000000-mapping.dmp
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-22 10:17
Reported
2022-08-22 10:19
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 460 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | C:\Users\Admin\AppData\Local\Temp\2293823999.scr |
| PID 460 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | C:\Users\Admin\AppData\Local\Temp\2293823999.scr |
| PID 460 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe | C:\Users\Admin\AppData\Local\Temp\2293823999.scr |
| PID 2408 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | C:\Windows\winrecsv.exe |
| PID 2408 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | C:\Windows\winrecsv.exe |
| PID 2408 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\2293823999.scr | C:\Windows\winrecsv.exe |
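The signature tables in both detonations record the same three host artifacts: the Security Center "Override" and "DisableNotify" values set to 1 under the WOW6432Node view (the sample is 32-bit), a Run value named "Windows Settings" pointing at C:\Windows\winrecsv.exe, and that file itself with SHA256 22f524ab...3092. The script below is an added example by the editor, not code from the sandbox or from the sample, that checks a host for exactly those artifacts. The evaluation logic is kept separate from collection so it can be exercised with a constructed snapshot; collection reads the live registry with the standard-library winreg module and therefore only runs on Windows. Note that the Security Center values only suppress Security Center notifications; they do not by themselves turn off antivirus, firewall or updates, so treat them as an indicator of tampering rather than as the tampering itself.

```python
"""Added example (editor's, not the sandbox's or the sample's code): check a
Windows host for the artifacts recorded in the signature tables above.
evaluate() is pure; collect() reads the live host and is Windows-only."""
import hashlib
import os
import sys

# Indicators copied from the report. The value-name list is the union of
# what the two detonations recorded.
DROPPED_SHA256 = "22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092"
DROP_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "winrecsv.exe")
RUN_VALUE_NAME = "Windows Settings"
SC_VALUES = (
    "AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
    "UpdatesOverride", "UpdatesDisableNotify",
    "FirewallOverride", "FirewallDisableNotify",
)
# The sample is 32-bit, so on 64-bit Windows its writes land under
# WOW6432Node (the report shows exactly that). Check both views anyway.
SC_KEYS = (
    r"SOFTWARE\Microsoft\Security Center",
    r"SOFTWARE\WOW6432Node\Microsoft\Security Center",
)
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
)


def evaluate(snapshot):
    """snapshot = {"file_sha256": str or None, "registry": {key: {name: value}}}.
    Returns a list of human-readable findings; an empty list means clean."""
    findings = []
    digest = snapshot.get("file_sha256")
    if digest is not None:
        if digest.lower() == DROPPED_SHA256:
            findings.append(f"dropped binary present, hash matches: {DROP_PATH}")
        else:
            findings.append(f"unexpected file at {DROP_PATH} (sha256 {digest})")
    reg = snapshot.get("registry", {})
    for key in SC_KEYS:
        for name in SC_VALUES:
            if reg.get(key, {}).get(name) == 1:
                findings.append(f"HKLM\\{key}\\{name} = 1")
    for key in RUN_KEYS:
        value = reg.get(key, {}).get(RUN_VALUE_NAME)
        if isinstance(value, str) and "winrecsv.exe" in value.lower():
            findings.append(f"HKLM\\{key}\\{RUN_VALUE_NAME} = {value}")
    return findings


def collect():
    """Build a snapshot from the live host. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("collect() must run on the Windows host being checked")
    import winreg  # standard library on Windows

    snapshot = {"file_sha256": None, "registry": {}}
    if os.path.isfile(DROP_PATH):
        with open(DROP_PATH, "rb") as fh:
            snapshot["file_sha256"] = hashlib.sha256(fh.read()).hexdigest()
    for key in SC_KEYS + RUN_KEYS:
        values = {}
        try:
            # KEY_WOW64_64KEY opens the native view; the WOW6432Node paths
            # above address the 32-bit view explicitly.
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as h:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break  # no more values
                    values[name] = data
                    i += 1
        except OSError:
            continue  # key absent on this host
        snapshot["registry"][key] = values
    return snapshot


if __name__ == "__main__":
    for line in evaluate(collect()) or ["no Phorphiex artifacts from this report found"]:
        print(line)
```

Matching the dropped file by hash rather than by name alone matters because C:\Windows\winrecsv.exe is not a legitimate Windows binary but the name could be reused by a different sample; a hash mismatch is reported separately so the analyst knows to collect the file.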
Processes
C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe
"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"
C:\Users\Admin\AppData\Local\Temp\2293823999.scr
C:\Users\Admin\AppData\Local\Temp\2293823999.scr
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 20.42.73.27:443 | | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| KG | 31.186.54.5:40500 | | udp |
| IR | 77.42.78.120:40500 | | tcp |
| AM | 46.71.107.63:40500 | | udp |
| US | 13.107.4.50:80 | | tcp |
| SY | 185.194.125.197:40500 | | udp |
| IR | 80.210.24.47:40500 | | udp |
| UZ | 195.158.14.139:40500 | | udp |
| PK | 39.53.175.125:40500 | | udp |
| YE | 46.35.68.30:40500 | | tcp |
| IN | 14.139.242.251:40500 | | udp |
| KZ | 95.59.235.26:40500 | | udp |
| IR | 2.182.9.184:40500 | | udp |
| DZ | 105.106.149.0:40500 | | udp |
| MX | 187.205.140.68:40500 | | udp |
| KZ | 92.47.35.158:40500 | | tcp |
| AO | 154.118.198.100:40500 | | udp |
| TJ | 185.177.0.183:40500 | | udp |
| VN | 14.253.89.170:40500 | | udp |
| PK | 182.183.161.108:40500 | | udp |
| KZ | 88.204.242.226:40500 | | udp |
| IR | 80.191.192.113:40500 | | tcp |
| IR | 217.219.198.230:40500 | | udp |
| IR | 31.56.184.183:40500 | | udp |
| MX | 189.175.148.121:40500 | | udp |
| AZ | 109.127.17.122:40500 | | udp |
| MX | 189.149.15.5:40500 | | udp |
| YE | 134.35.149.225:40500 | | tcp |
| KZ | 92.47.35.158:40500 | | udp |
| KG | 212.112.115.77:40500 | | udp |
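The network tables of both detonations share one pattern: apart from the Microsoft update lookups, the sample contacts a single non-Microsoft HTTP host (185.215.113.66:80, the only candidate for the "Downloads MZ/PE file" signature, although the report does not tie the two together) and then reaches out on TCP and UDP port 40500 to dozens of hosts in unrelated networks and countries, with a fresh peer set in each run. Blocking individual peer addresses is therefore pointless; what is stable is the destination port and the fan-out. The code below is an added example by the editor, not part of the sandbox report, that turns rows from the behavioral1 table into flow records and flags any internal host reaching a threshold of distinct public peers on 40500, then emits Suricata rules for the HTTP host and the port. The flow-log line format, the internal addresses 10.0.0.5 and 10.0.0.7, the threshold of five peers and the rule text are assumptions of this example.

```python
"""Added example (editor's, not part of the sandbox report): port-40500
fan-out detection over flow records built from the network tables above."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: rows from the behavioral1 table rewritten as
# "src dst:port proto" flows, plus one row for a second host (10.0.0.7)
# that touches a single peer and must not trigger.
SAMPLE_FLOWS = """\
10.0.0.5 185.215.113.66:80 tcp
10.0.0.5 185.215.113.66:80 tcp
10.0.0.5 8.8.8.8:53 udp
10.0.0.5 20.72.235.82:80 tcp
10.0.0.5 39.53.112.230:40500 tcp
10.0.0.5 31.170.155.238:40500 udp
10.0.0.5 213.230.97.32:40500 udp
10.0.0.5 95.56.89.135:40500 udp
10.0.0.5 188.211.85.31:40500 udp
10.0.0.5 93.76.157.8:40500 udp
10.0.0.5 196.175.1.52:40500 tcp
10.0.0.7 93.76.157.8:40500 udp
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(tcp|udp)$")


def parse_flows(text):
    """Return a list of (src, dst, dport, proto); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, dst, dport, proto = m.groups()
            flows.append((src, dst, int(dport), proto))
    return flows


def peer_fanout(flows, port=40500, threshold=5):
    """Map each source to the distinct public IPs it reached on `port` and
    keep only sources at or above `threshold`. TCP and UDP both count,
    matching the mix recorded in the report."""
    peers = defaultdict(set)
    for src, dst, dport, _proto in flows:
        if dport == port and ipaddress.ip_address(dst).is_global:
            peers[src].add(dst)
    return {
        src: sorted(ips, key=ipaddress.ip_address)
        for src, ips in peers.items()
        if len(ips) >= threshold
    }


def suricata_rules(c2_hosts, peer_port=40500, sid_base=9000001):
    """Emit Suricata rules: one per HTTP host from the report, then a
    rate-based rule per transport for the peer port. The threshold here
    counts connections per source in a window, not distinct peers, which
    is the approximation an IDS can apply in line."""
    rules = []
    for host in c2_hosts:
        rules.append(
            f'alert tcp $HOME_NET any -> {host} 80 '
            f'(msg:"Phorphiex download/C2 host {host}"; '
            f'sid:{sid_base + len(rules)}; rev:1;)'
        )
    for proto in ("tcp", "udp"):
        rules.append(
            f'alert {proto} $HOME_NET any -> $EXTERNAL_NET {peer_port} '
            f'(msg:"Phorphiex peer port {peer_port} {proto} fan-out"; '
            f'threshold:type threshold, track by_src, count 5, seconds 60; '
            f'sid:{sid_base + len(rules)}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    hits = peer_fanout(parse_flows(SAMPLE_FLOWS))
    for src, ips in hits.items():
        print(f"{src}: {len(ips)} distinct peers on 40500 -> {', '.join(ips)}")
    print("\n".join(suricata_rules(["185.215.113.66"])))
```

The fan-out function is the higher-fidelity check and belongs in a SIEM or NetFlow pipeline, where distinct destinations per source can be counted; the Suricata rules are the inline approximation. Tune the threshold against your own environment, since legitimate P2P or gaming software can also produce many short flows to a fixed port.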
Files
C:\Users\Admin\AppData\Local\Temp\2293823999.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/2408-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2293823999.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/4360-135-0x0000000000000000-mapping.dmp
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |