Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2023 17:31

Static task: static1
Behavioral task: behavioral1
Sample: e085c86990a0c1bd74cc290eaef3144f.exe
Resource: win7-20220812-en
General

- Target: e085c86990a0c1bd74cc290eaef3144f.exe
- Size: 6KB
- MD5: e085c86990a0c1bd74cc290eaef3144f
- SHA1: 1ad534abb623d127685f6a4dd7e1fdd751940e52
- SHA256: 78a973ace68c9666e5ec28c53be0d2d36bde2d419c10fa6ed939156d199a18ef
- SHA512: 5cf35ea9b791503a181f5cee5db2dad261cf42368932ebbe3a8d7d214368f5493fc2f663ab900ae4e6247114334c79662eaec0b0d03f2e0e2799feba1c1cc783
- SSDEEP: 96:ebd1t761bndKil7aBcxu0PtboynuYUBtCt:8t7Yb975u0P1oynfUBM
Malware Config

Extracted
- Family: phorphiex
- URL: http://185.215.113.66/
- Cryptocurrency addresses (17, as extracted):
  1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k
  3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh
  37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5
  qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
  Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG
  DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF
  0x25229D09B0048F23e60c010C8eE1ae65C727e973
  LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x
  r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL
  TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a
  t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68
  AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw
  bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
  48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
  GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD
  bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m
  bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup
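The extracted URL and address list are the indicators an analyst would push into clipboard and proxy telemetry matching. As an added example (not code from the sandbox or from the malware), the Python below groups the extracted addresses by address-format family using syntax alone (several chains share the plain base58 shape, so those are reported generically rather than attributed to a coin) and scans telemetry lines for the URL or any listed address. The telemetry lines are constructed for the example and are not from this run.

```python
import re

# Indicators copied from the extracted config above.
PHORPHIEX_URL = "http://185.215.113.66/"
PHORPHIEX_ADDRESSES = [
    "1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k",
    "3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh",
    "37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5",
    "qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0",
    "Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG",
    "DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF",
    "0x25229D09B0048F23e60c010C8eE1ae65C727e973",
    "LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x",
    "r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL",
    "TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a",
    "t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68",
    "AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw",
    "bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0",
    "48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg",
    "GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD",
    "bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m",
    "bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup",
]

B58 = r"[1-9A-HJ-NP-Za-km-z]"               # base58 alphabet (no 0, O, I, l)
B32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"  # bech32 alphabet

# Format families recognised by syntax alone; first match wins.  Plain base58
# strings are shared by many coins and are deliberately left unattributed.
FORMATS = [
    ("btc-p2pkh",    re.compile(rf"^1{B58}{{25,34}}$")),
    ("btc-p2sh",     re.compile(rf"^3{B58}{{25,34}}$")),
    ("btc-bech32",   re.compile(rf"^bc1{B32}{{38,58}}$")),
    ("bch-cashaddr", re.compile(rf"^(?:bitcoincash:)?q{B32}{{41}}$")),
    ("eth-hex",      re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("xmr-standard", re.compile(rf"^4[0-9AB]{B58}{{93}}$")),
    ("stellar",      re.compile(r"^G[A-Z2-7]{55}$")),
    ("bnb-bech32",   re.compile(rf"^bnb1{B32}{{38}}$")),
    ("base58-like",  re.compile(rf"^{B58}{{25,60}}$")),
]


def classify(addr):
    """Return the format family of one address string, or 'other'."""
    for name, rx in FORMATS:
        if rx.match(addr):
            return name
    return "other"


def inventory(addresses=PHORPHIEX_ADDRESSES):
    """Count addresses per family: which address formats the config covers."""
    counts = {}
    for a in addresses:
        fam = classify(a)
        counts[fam] = counts.get(fam, 0) + 1
    return counts


# Longest alternatives first so 'bitcoincash:qq...' wins over the bare 'qq...' form;
# the lookarounds keep an address from matching inside a longer token.
_ADDR_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:"
    + "|".join(re.escape(a) for a in sorted(PHORPHIEX_ADDRESSES, key=len, reverse=True))
    + r")(?![0-9A-Za-z])"
)
_URL_RE = re.compile(re.escape(PHORPHIEX_URL))


def scan(lines):
    """Match the config URL and addresses in telemetry lines (clipboard
    events, proxy logs, ...).  Returns one dict per hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if _URL_RE.search(line):
            hits.append({"line": n, "family": "config-url", "indicator": PHORPHIEX_URL})
        for m in _ADDR_RE.finditer(line):
            hits.append({"line": n, "family": classify(m.group(0)), "indicator": m.group(0)})
    return hits


# Constructed sample telemetry (not captured from the sandbox run).
SAMPLE_TELEMETRY = [
    "2023-01-22T17:40:01Z clipboard set pid=268 text=bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup",
    "2023-01-22T17:40:02Z proxy GET http://185.215.113.66/ ua=Mozilla/5.0",
    "2023-01-22T17:40:03Z clipboard set pid=1120 text=meeting notes",
    "2023-01-22T17:40:04Z clipboard set pid=268 text=bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0",
]

if __name__ == "__main__":
    for fam, n in sorted(inventory().items()):
        print(f"{fam:13s} {n}")
    for h in scan(SAMPLE_TELEMETRY):
        print(h)
```

The inventory shows the config carries one address for each of the explicitly prefixed formats (bech32 BTC, cashaddr, 0x hex, Monero, Stellar, BNB) plus a block of plain base58 strings; the scan is the part to wire to real clipboard or proxy data.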
Signatures

Windows security bypass 6 IoCs
Processes: syswsvdrv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syswsvdrv.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs
Processes: 2479230187.exe, syswsvdrv.exe, 146885537.exe, Windows Security Updates.exe
pid | process
908 | 2479230187.exe
268 | syswsvdrv.exe
656 | 146885537.exe
1120 | Windows Security Updates.exe
1640 | Windows Security Updates.exe
1800 | Windows Security Updates.exe

Loads dropped DLL 6 IoCs
Processes: e085c86990a0c1bd74cc290eaef3144f.exe, syswsvdrv.exe, 146885537.exe
pid | process | loads
1792 | e085c86990a0c1bd74cc290eaef3144f.exe | 2
268 | syswsvdrv.exe | 1
656 | 146885537.exe | 3

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 7 IoCs
Processes: syswsvdrv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syswsvdrv.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: 2479230187.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syswsvdrv.exe" | 2479230187.exe

Drops file in Windows directory 2 IoCs
Processes: 2479230187.exe
description | ioc | process
File created | C:\Windows\syswsvdrv.exe | 2479230187.exe
File opened for modification | C:\Windows\syswsvdrv.exe | 2479230187.exe

Suspicious use of WriteProcessMemory 33 IoCs
Processes: e085c86990a0c1bd74cc290eaef3144f.exe, 2479230187.exe, syswsvdrv.exe, 146885537.exe
The 33 "wrote to memory of" entries collapse to six parent/child pairs (count = number of entries):
pid | process | target pid | target process | count
1792 | e085c86990a0c1bd74cc290eaef3144f.exe | 908 | 2479230187.exe | 4
908 | 2479230187.exe | 268 | syswsvdrv.exe | 4
268 | syswsvdrv.exe | 656 | 146885537.exe | 4
656 | 146885537.exe | 1120 | Windows Security Updates.exe | 7
656 | 146885537.exe | 1640 | Windows Security Updates.exe | 7
656 | 146885537.exe | 1800 | Windows Security Updates.exe | 7
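The registry signatures and the WriteProcessMemory chain above translate directly into host-telemetry rules: Security Center Override/DisableNotify values flipped to 1, a Run entry whose target is an .exe in the root of C:\Windows, and a parent/child chain that hops between %TEMP% and C:\Windows using numeric file names or a name that imitates a Windows component. As an added example (not code from the sandbox or from the malware), the Python below runs those checks over constructed registry-set and process-creation events modelled on the rows above. The event shape, the allowlist of binaries that legitimately sit in the root of C:\Windows, and the two benign control events are assumptions of the example.

```python
import re

# Security Center values syswsvdrv.exe set to 1 in this run (from the signature
# tables).  Each one either suppresses a Security Center warning or tells it a
# third-party product is handling AV / firewall / updates.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "AntiVirusOverride", "AntiSpywareOverride",
    "FirewallDisableNotify", "FirewallOverride",
    "UpdatesDisableNotify", "UpdatesOverride",
}
_FLAGS_LOWER = {f.lower() for f in SECURITY_CENTER_FLAGS}
SECURITY_CENTER_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Security Center\\([^\\]+)$",
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# An .exe directly in the root of C:\Windows (not System32 / SysWOW64).
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\Windows\\([^\\]+\.exe)"?(?:\s|$)', re.IGNORECASE)
# Assumed minimal allowlist of binaries that legitimately live there on Windows 7;
# build the real one from a clean baseline image.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "bfsvc.exe"}


def windows_root_exe(path):
    """Basename if path is an unexpected .exe in the root of C:\\Windows, else None."""
    m = WINDOWS_ROOT_EXE_RE.match(path)
    if m and m.group(1).lower() not in WINDOWS_ROOT_ALLOW:
        return m.group(1)
    return None


def check_registry_event(ev):
    """ev: {'process', 'key' (full path incl. value name), 'value'} -> list of findings."""
    findings = []
    m = SECURITY_CENTER_RE.match(ev["key"])
    if m and m.group(1).lower() in _FLAGS_LOWER and str(ev["value"]) == "1":
        findings.append(f"security-center-tamper:{m.group(1)} by {ev['process']}")
    m = RUN_KEY_RE.search(ev["key"])
    if m:
        target = str(ev["value"])
        if windows_root_exe(target) or TEMP_DIR_RE.search(target):
            findings.append(f"suspicious-run-key:{m.group(1)} -> {target}")
    return findings


def check_process_event(ev):
    """ev: {'parent_image', 'image'} -> findings for the launch shapes seen in the chain."""
    findings = []
    parent, child = ev["parent_image"], ev["image"]
    if TEMP_DIR_RE.search(parent) and windows_root_exe(child):
        findings.append(f"temp-spawns-windows-root:{parent} -> {child}")
    if TEMP_DIR_RE.search(child) and re.search(r"\\\d+\.exe$", child):
        findings.append(f"numeric-name-in-temp:{child}")
    if TEMP_DIR_RE.search(child) and re.search(r"\\Windows [^\\]*\.exe$", child, re.IGNORECASE):
        findings.append(f"windows-lookalike-in-temp:{child}")
    return findings


# Constructed events shaped like the signature rows above, plus two benign controls.
SAMPLE_REGISTRY_EVENTS = [
    {"process": "syswsvdrv.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride",
     "value": 1},
    {"process": "syswsvdrv.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify",
     "value": 1},
    {"process": "2479230187.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "value": r"C:\Windows\syswsvdrv.exe"},
    {"process": "setup.exe",  # benign: installer registering a Program Files binary
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r'"C:\Program Files\Vendor\tray.exe" /silent'},
]
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Users\Admin\AppData\Local\Temp\e085c86990a0c1bd74cc290eaef3144f.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2479230187.exe"},
    {"parent_image": r"C:\Users\Admin\AppData\Local\Temp\2479230187.exe",
     "image": r"C:\Windows\syswsvdrv.exe"},
    {"parent_image": r"C:\Windows\syswsvdrv.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\146885537.exe"},
    {"parent_image": r"C:\Users\Admin\AppData\Local\Temp\146885537.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign
     "image": r"C:\Windows\System32\notepad.exe"},
]


def run(reg_events=SAMPLE_REGISTRY_EVENTS, proc_events=SAMPLE_PROCESS_EVENTS):
    """Apply both checks and return every finding in event order."""
    findings = []
    for ev in reg_events:
        findings.extend(check_registry_event(ev))
    for ev in proc_events:
        findings.extend(check_process_event(ev))
    return findings


if __name__ == "__main__":
    for f in run():
        print(f)
```

On the sample events this yields seven findings and none for the two benign controls. The Security Center check is the highest-confidence one: a non-security product has no reason to set these values to 1, whereas the path heuristics need the allowlist tuned to the estate before they are alert-worthy.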
Processes

C:\Users\Admin\AppData\Local\Temp\e085c86990a0c1bd74cc290eaef3144f.exe (depth 1, pid 1792)
  command line: "C:\Users\Admin\AppData\Local\Temp\e085c86990a0c1bd74cc290eaef3144f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2479230187.exe (depth 2, pid 908)
    command line: C:\Users\Admin\AppData\Local\Temp\2479230187.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswsvdrv.exe (depth 3, pid 268)
      command line: C:\Windows\syswsvdrv.exe
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\146885537.exe (depth 4, pid 656)
        command line: C:\Users\Admin\AppData\Local\Temp\146885537.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe (depth 5; three instances, pids 1120, 1640 and 1800)
          command line: "C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Unique dropped files (the report lists every dropped instance separately; entries with identical hashes are merged here, with paths as reported).

146885537.exe (6KB)
Paths: C:\Users\Admin\AppData\Local\Temp\146885537.exe; \Users\Admin\AppData\Local\Temp\146885537.exe
MD5: 2a5dabdfbfac8e72189748ec204d3d7c
SHA1: e11015e684fe8998c350c507c105cb5752298515
SHA256: b45e02bdfabecfe7dfaa005af42b4500fe940bbfc8a1f7d6e9b242042a2e9618
SHA512: 19ff2cf0f8eec341c50deb15fe24009b04e9c8f3ae71c9a61eb3fe567910035bdaf86e31993d388cab2c3c6648d24723469016333cbff932e20a330bc64ad312

2479230187.exe / syswsvdrv.exe (74KB; identical hashes, so C:\Windows\syswsvdrv.exe, the Run-key target, is a byte-for-byte copy of the stage dropped in Temp)
Paths: C:\Users\Admin\AppData\Local\Temp\2479230187.exe (2 entries); C:\Windows\syswsvdrv.exe (2 entries); \Users\Admin\AppData\Local\Temp\2479230187.exe (2 entries)
MD5: 024def417ae82e4c14a313a153d8984c
SHA1: ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae
SHA256: 94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72
SHA512: 0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Windows Security Updates.exe (17KB)
Paths: C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe (3 entries); \Users\Admin\AppData\Local\Temp\Windows Security Updates.exe (3 entries)
MD5: 2a0e14fc516e18e7e6bbc7cafa576d3c
SHA1: 2e48a7064c9d28176a1e89ac597fb3a8c3bbb466
SHA256: 683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be
SHA512: 176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978
Memory dumps:
- memory/268-61-0x0000000000000000-mapping.dmp
- memory/656-66-0x0000000000000000-mapping.dmp
- memory/908-57-0x0000000000000000-mapping.dmp
- memory/1120-70-0x0000000000000000-mapping.dmp
- memory/1640-73-0x0000000000000000-mapping.dmp
- memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp (8KB)
- memory/1800-76-0x0000000000000000-mapping.dmp