Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2022 09:38
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
General
-
Target
tmp.exe
-
Size
75KB
-
MD5
ed2d7b25bb360cccb4f0f6a4f8732d7a
-
SHA1
6ffcc083956c5ac19826bdd87e12f87817ee837c
-
SHA256
22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
-
SHA512
6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f
-
SSDEEP
1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr
Malware Config
Extracted
phorphiex
http://185.215.113.66/twizt/
12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc
1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD
3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg
3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz
qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8
DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG
0xb899fC445a1b61Cdd62266795193203aa72351fE
LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7
r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1
TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5
t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy
AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX
bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY
bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky
bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v
Signatures
-
Processes:
winrecsv.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winrecsv.exe -
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
winrecsv.exe85692162.exe625122879.exe1125717888.exeupdater.exepid process 896 winrecsv.exe 260 85692162.exe 4128 625122879.exe 2724 1125717888.exe 2344 updater.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
85692162.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 85692162.exe -
Processes:
winrecsv.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" winrecsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" winrecsv.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" tmp.exe -
Drops file in Windows directory 2 IoCs
Processes:
tmp.exedescription ioc process File created C:\Windows\winrecsv.exe tmp.exe File opened for modification C:\Windows\winrecsv.exe tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
85692162.exepowershell.exepowershell.exepid process 260 85692162.exe 3300 powershell.exe 3300 powershell.exe 1476 powershell.exe 1476 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
85692162.exepowershell.exedescription pid process Token: SeDebugPrivilege 260 85692162.exe Token: SeDebugPrivilege 3300 powershell.exe Token: SeIncreaseQuotaPrivilege 3300 powershell.exe Token: SeSecurityPrivilege 3300 powershell.exe Token: SeTakeOwnershipPrivilege 3300 powershell.exe Token: SeLoadDriverPrivilege 3300 powershell.exe Token: SeSystemProfilePrivilege 3300 powershell.exe Token: SeSystemtimePrivilege 3300 powershell.exe Token: SeProfSingleProcessPrivilege 3300 powershell.exe Token: SeIncBasePriorityPrivilege 3300 powershell.exe Token: SeCreatePagefilePrivilege 3300 powershell.exe Token: SeBackupPrivilege 3300 powershell.exe Token: SeRestorePrivilege 3300 powershell.exe Token: SeShutdownPrivilege 3300 powershell.exe Token: SeDebugPrivilege 3300 powershell.exe Token: SeSystemEnvironmentPrivilege 3300 powershell.exe Token: SeRemoteShutdownPrivilege 3300 powershell.exe Token: SeUndockPrivilege 3300 powershell.exe Token: SeManageVolumePrivilege 3300 powershell.exe Token: 33 3300 powershell.exe Token: 34 3300 powershell.exe Token: 35 3300 powershell.exe Token: 36 3300 powershell.exe Token: SeIncreaseQuotaPrivilege 3300 powershell.exe Token: SeSecurityPrivilege 3300 powershell.exe Token: SeTakeOwnershipPrivilege 3300 powershell.exe Token: SeLoadDriverPrivilege 3300 powershell.exe Token: SeSystemProfilePrivilege 3300 powershell.exe Token: SeSystemtimePrivilege 3300 powershell.exe Token: SeProfSingleProcessPrivilege 3300 powershell.exe Token: SeIncBasePriorityPrivilege 3300 powershell.exe Token: SeCreatePagefilePrivilege 3300 powershell.exe Token: SeBackupPrivilege 3300 powershell.exe Token: SeRestorePrivilege 3300 powershell.exe Token: SeShutdownPrivilege 3300 powershell.exe Token: SeDebugPrivilege 3300 powershell.exe Token: SeSystemEnvironmentPrivilege 3300 powershell.exe Token: SeRemoteShutdownPrivilege 3300 powershell.exe Token: SeUndockPrivilege 3300 powershell.exe Token: SeManageVolumePrivilege 3300 powershell.exe Token: 33 3300 powershell.exe Token: 34 3300 powershell.exe Token: 35 3300 powershell.exe Token: 36 3300 powershell.exe Token: SeIncreaseQuotaPrivilege 3300 powershell.exe Token: SeSecurityPrivilege 3300 powershell.exe Token: SeTakeOwnershipPrivilege 3300 powershell.exe Token: SeLoadDriverPrivilege 3300 powershell.exe Token: SeSystemProfilePrivilege 3300 powershell.exe Token: SeSystemtimePrivilege 3300 powershell.exe Token: SeProfSingleProcessPrivilege 3300 powershell.exe Token: SeIncBasePriorityPrivilege 3300 powershell.exe Token: SeCreatePagefilePrivilege 3300 powershell.exe Token: SeBackupPrivilege 3300 powershell.exe Token: SeRestorePrivilege 3300 powershell.exe Token: SeShutdownPrivilege 3300 powershell.exe Token: SeDebugPrivilege 3300 powershell.exe Token: SeSystemEnvironmentPrivilege 3300 powershell.exe Token: SeRemoteShutdownPrivilege 3300 powershell.exe Token: SeUndockPrivilege 3300 powershell.exe Token: SeManageVolumePrivilege 3300 powershell.exe Token: 33 3300 powershell.exe Token: 34 3300 powershell.exe Token: 35 3300 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
tmp.exewinrecsv.exe85692162.execmd.execmd.exe625122879.exe1125717888.exepowershell.exedescription pid process target process PID 4400 wrote to memory of 896 4400 tmp.exe winrecsv.exe PID 4400 wrote to memory of 896 4400 tmp.exe winrecsv.exe PID 4400 wrote to memory of 896 4400 tmp.exe winrecsv.exe PID 896 wrote to memory of 260 896 winrecsv.exe 85692162.exe PID 896 wrote to memory of 260 896 winrecsv.exe 85692162.exe PID 260 wrote to memory of 1388 260 85692162.exe cmd.exe PID 260 wrote to memory of 1388 260 85692162.exe cmd.exe PID 260 wrote to memory of 2544 260 85692162.exe cmd.exe PID 260 wrote to memory of 2544 260 85692162.exe cmd.exe PID 1388 wrote to memory of 3652 1388 cmd.exe reg.exe PID 1388 wrote to memory of 3652 1388 cmd.exe reg.exe PID 2544 wrote to memory of 3572 2544 cmd.exe schtasks.exe PID 2544 wrote to memory of 3572 2544 cmd.exe schtasks.exe PID 896 wrote to memory of 4128 896 winrecsv.exe 625122879.exe PID 896 wrote to memory of 4128 896 winrecsv.exe 625122879.exe PID 896 wrote to memory of 4128 896 winrecsv.exe 625122879.exe PID 4128 wrote to memory of 2724 4128 625122879.exe 1125717888.exe PID 4128 wrote to memory of 2724 4128 625122879.exe 1125717888.exe PID 2724 wrote to memory of 3300 2724 1125717888.exe powershell.exe PID 2724 wrote to memory of 3300 2724 1125717888.exe powershell.exe PID 2724 wrote to memory of 1476 2724 1125717888.exe powershell.exe PID 2724 wrote to memory of 1476 2724 1125717888.exe powershell.exe PID 1476 wrote to memory of 4356 1476 powershell.exe schtasks.exe PID 1476 wrote to memory of 4356 1476 powershell.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\winrecsv.exeC:\Windows\winrecsv.exe2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Users\Admin\AppData\Local\Temp\85692162.exeC:\Users\Admin\AppData\Local\Temp\85692162.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:260 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f4⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f5⤵PID:3652
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"4⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "User Configuration"5⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\625122879.exeC:\Users\Admin\AppData\Local\Temp\625122879.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\1125717888.exeC:\Users\Admin\AppData\Local\Temp\1125717888.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC6⤵PID:4356
-
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe1⤵
- Executes dropped EXE
PID:2344
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
Filesize
1KB
MD5d0f3eff52698c0eab8a2c8bd1d9f7c18
SHA14292ae775443749c6c2281dac800d86b4bdde07e
SHA256b16c74cbb71b5ba7bbf32696feb6869d9a0fa3bac42042a3fe8f3d48e2d5dbf6
SHA512642b5d51a4cec6094e6789f29eb68885068583a08e102606b7ed2ace036cacd8b3bc428cef6f8cbfaadf5644fe52149211f7fc6774fc4ff458bd76cfae703cfd
-
Filesize
2.2MB
MD5f6fd2a4333007f65beef7609077ec14d
SHA13740133e77fae5ee1c0ed1cb0493af5557e3562a
SHA256b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
SHA51243c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7
-
Filesize
2.2MB
MD5f6fd2a4333007f65beef7609077ec14d
SHA13740133e77fae5ee1c0ed1cb0493af5557e3562a
SHA256b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
SHA51243c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7
-
Filesize
6KB
MD5f99a026691957a1490c606890021a4db
SHA14eca65b16ce9b8284f3fc54344f8ae15b406b4e1
SHA256db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd
SHA512e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f
-
Filesize
6KB
MD5f99a026691957a1490c606890021a4db
SHA14eca65b16ce9b8284f3fc54344f8ae15b406b4e1
SHA256db23276681cfb7d843bfc35b96e40dcb77b3bafcb87aa211d3fa6910da6937bd
SHA512e4d9f869e4c12667a91af5792213350b9205a6fd3a2175e3af39571f2066ffa6a4b398a010497f428310b91033b4d5555835ede6669793f5cfd79ae47321421f
-
Filesize
8KB
MD566bbb99fb92a3688d31a899992f73cdf
SHA1836fad08d9de8ea28c35d1885496af8e1284a6e7
SHA2561d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6
SHA5126a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36
-
Filesize
8KB
MD566bbb99fb92a3688d31a899992f73cdf
SHA1836fad08d9de8ea28c35d1885496af8e1284a6e7
SHA2561d6be0622c56551a30c4bf5560050b226ff0f30dc2c05c5496e389efe51c62b6
SHA5126a710765a53d68f1ab91b460dc16b59e273b1ddab43df01886d5ffd54d35c06f399038a6bb07b63d59933ed3c190d00ba9b59506cd0cd94fbb6ea0949d92ca36
-
Filesize
2.2MB
MD5d081ded7aeebd495ea24b5531168f315
SHA121db4bae653ece87474e7121a8b60d9fd08208c9
SHA2566e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a
SHA51245dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0
-
Filesize
75KB
MD5ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA16ffcc083956c5ac19826bdd87e12f87817ee837c
SHA25622f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA5126592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f
-
Filesize
75KB
MD5ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA16ffcc083956c5ac19826bdd87e12f87817ee837c
SHA25622f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA5126592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f