Analysis
- max time kernel: 168s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 31-08-2022 00:13
- Static task: static1
- Behavioral task behavioral1: sample fe304e909fb1f67c4d9030fc74d0a2f1.exe, resource win7-20220812-en
- Behavioral task behavioral2: sample fe304e909fb1f67c4d9030fc74d0a2f1.exe, resource win10v2004-20220812-en
General
- Target: fe304e909fb1f67c4d9030fc74d0a2f1.exe
- Size: 9KB
- MD5: fe304e909fb1f67c4d9030fc74d0a2f1
- SHA1: 1102fb973b3b83bbd5749db3ceb9405443c09dfe
- SHA256: a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
- SHA512: 46f797b30affdc7bc2291b2b1fb064246a7aa2359072380468abce1423b338859c0ad45b02c2dc5623d167ef51c65414e06890c7c9dfe4b9e305a0b70257f1aa
- SSDEEP: 192:oeJbEZ11AsLvRP1oynfUOMNc1Fu669tk2Hv:BJwZ11T51BUOMNqF96s
Malware Config (extracted)
- Family: phorphiex
- C2 URL: http://185.215.113.66/twizt/
Signatures
- Registry values set by winrecsv.exe (Security Center):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs):
  - PID 1404: 112782121.scr
  - PID 688: winrecsv.exe
  - PID 768: 1383720200.exe
- Loads dropped DLL (3 IoCs):
  - PID 1224: fe304e909fb1f67c4d9030fc74d0a2f1.exe
  - PID 1224: fe304e909fb1f67c4d9030fc74d0a2f1.exe
  - PID 688: winrecsv.exe
- Registry values set by winrecsv.exe (Security Center):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Adds Run key to start application (2 TTPs, 1 IoC):
  - 112782121.scr: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe"
- Drops file in Windows directory (2 IoCs):
  - 112782121.scr: File created C:\Windows\winrecsv.exe
  - 112782121.scr: File opened for modification C:\Windows\winrecsv.exe
- Suspicious use of WriteProcessMemory (12 IoCs):
  - PID 1224 (fe304e909fb1f67c4d9030fc74d0a2f1.exe) wrote to memory of PID 1404 (112782121.scr), 4 times
  - PID 1404 (112782121.scr) wrote to memory of PID 688 (winrecsv.exe), 4 times
  - PID 688 (winrecsv.exe) wrote to memory of PID 768 (1383720200.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe (PID 1224)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\112782121.scr (PID 1404)
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\winrecsv.exe (PID 688)
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\1383720200.exe (PID 768)
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 75KB
  - MD5: ed2d7b25bb360cccb4f0f6a4f8732d7a
  - SHA1: 6ffcc083956c5ac19826bdd87e12f87817ee837c
  - SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
  - SHA512: 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f
- Filesize: 6KB
  - MD5: 8f56f0f0c9a4aa6c0bda072d8bf7c769
  - SHA1: 24a01d3502c3bfebfb052afadb0367b1407342ff
  - SHA256: 4433c5f202948e0b5f5d9f4b14a423756149f9b879f5bf641ce9b8ee2cdd92a4
  - SHA512: 8be67132df6ab80a67fa130c1bcf13519fc782c37e98553d89c847dab4b29d78c51152185776e5c7ed49bd3c3df0ff294605dd3e43cf899f4e6f295a7307a91a