Analysis Overview
SHA256
a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
Threat Level: Known bad
The file fe304e909fb1f67c4d9030fc74d0a2f1.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex
Windows security bypass
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Drops file in Windows directory
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-31 00:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-31 00:13
Reported
2022-08-31 00:17
Platform
win7-20220812-en
Max time kernel
168s
Max time network
177s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1383720200.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe
"C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe"
C:\Users\Admin\AppData\Local\Temp\112782121.scr
C:\Users\Admin\AppData\Local\Temp\112782121.scr
C:\Windows\winrecsv.exe
C:\Windows\winrecsv.exe
C:\Users\Admin\AppData\Local\Temp\1383720200.exe
C:\Users\Admin\AppData\Local\Temp\1383720200.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| KZ | 46.36.144.91:40500 | | tcp |
| MX | 187.154.19.149:40500 | | udp |
| IR | 31.56.12.211:40500 | | udp |
| UZ | 213.230.97.218:40500 | | udp |
| IR | 5.235.169.44:40500 | | udp |
| N/A | 100.93.129.203:40500 | | udp |
| RU | 176.194.22.84:40500 | | tcp |
| RU | 176.194.22.84:40500 | | udp |
| AO | 154.65.146.137:40500 | | udp |
| UZ | 213.230.111.166:40500 | | udp |
| IR | 78.38.107.89:40500 | | udp |
| UZ | 89.236.200.152:40500 | | udp |
| RU | 2.94.40.191:40500 | | tcp |
| UZ | 94.141.69.160:40500 | | udp |
| IR | 5.75.77.231:40500 | | udp |
| BO | 190.129.1.154:40500 | | udp |
Files
memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp
\Users\Admin\AppData\Local\Temp\112782121.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/1404-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\112782121.scr
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
memory/688-61-0x0000000000000000-mapping.dmp
C:\Windows\winrecsv.exe
| MD5 | ed2d7b25bb360cccb4f0f6a4f8732d7a |
| SHA1 | 6ffcc083956c5ac19826bdd87e12f87817ee837c |
| SHA256 | 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 |
| SHA512 | 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f |
\Users\Admin\AppData\Local\Temp\1383720200.exe
| MD5 | 8f56f0f0c9a4aa6c0bda072d8bf7c769 |
| SHA1 | 24a01d3502c3bfebfb052afadb0367b1407342ff |
| SHA256 | 4433c5f202948e0b5f5d9f4b14a423756149f9b879f5bf641ce9b8ee2cdd92a4 |
| SHA512 | 8be67132df6ab80a67fa130c1bcf13519fc782c37e98553d89c847dab4b29d78c51152185776e5c7ed49bd3c3df0ff294605dd3e43cf899f4e6f295a7307a91a |
memory/768-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1383720200.exe
| MD5 | 8f56f0f0c9a4aa6c0bda072d8bf7c769 |
| SHA1 | 24a01d3502c3bfebfb052afadb0367b1407342ff |
| SHA256 | 4433c5f202948e0b5f5d9f4b14a423756149f9b879f5bf641ce9b8ee2cdd92a4 |
| SHA512 | 8be67132df6ab80a67fa130c1bcf13519fc782c37e98553d89c847dab4b29d78c51152185776e5c7ed49bd3c3df0ff294605dd3e43cf899f4e6f295a7307a91a |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-31 00:13
Reported
2022-08-31 00:17
Platform
win10v2004-20220812-en
Max time kernel
169s
Max time network
181s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe
"C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 178.79.208.1:80 | | tcp |
| RU | 185.215.113.66:80 | | tcp |
| US | 13.89.179.8:443 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| NL | 87.248.202.1:80 | | tcp |