Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 19:09

Static task: static1
Behavioral task: behavioral1
- Sample: 0e8c9629bb58ba41d3fd3c3028908912.exe
- Resource: win7-20220812-en
General
- Target: 0e8c9629bb58ba41d3fd3c3028908912.exe
- Size: 6KB
- MD5: 0e8c9629bb58ba41d3fd3c3028908912
- SHA1: f47ecc1619b25e50d3728358c17e97d3bddfe72e
- SHA256: 0c36cf74963333c9fec0b0501043eb38761b76b76946539f374c1c320a7a5dc9
- SHA512: 589fba6a17c38cb67b0d2d522abd73f0bc2c99b86f00b8a62ec1f99de5cf1c79bcb9600fa0f7c5456bab00b4e4e0199626fc7de05ad5894eb1adf00e1f3cd974
- SSDEEP: 96:e0Yl1t761bnd+l7aBc0PPtboynuYUBNCt:Jqt7YbK7sPP1oynfUBs
Malware Config
Extracted family: phorphiex
Extracted values (URL and cryptocurrency wallet addresses):
- http://185.215.113.66/
- 1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k
- 3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh
- 37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5
- qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
- Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG
- DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF
- 0x25229D09B0048F23e60c010C8eE1ae65C727e973
- LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x
- r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL
- TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a
- t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68
- AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw
- bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
- 48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
- GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD
- bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m
- bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup
Signatures

Windows security bypass
Processes: syswsvdrv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syswsvdrv.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes: 311011162.exe, syswsvdrv.exe
pid | process
1868 | 311011162.exe
4740 | syswsvdrv.exe

Windows security modification
Processes: syswsvdrv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | syswsvdrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syswsvdrv.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: 311011162.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syswsvdrv.exe" | 311011162.exe

Drops file in Windows directory 2 IoCs
Processes: 311011162.exe
description | ioc | process
File created | C:\Windows\syswsvdrv.exe | 311011162.exe
File opened for modification | C:\Windows\syswsvdrv.exe | 311011162.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes: 0e8c9629bb58ba41d3fd3c3028908912.exe, 311011162.exe
description | pid | process | target process
PID 1436 wrote to memory of 1868 | 1436 | 0e8c9629bb58ba41d3fd3c3028908912.exe | 311011162.exe
PID 1436 wrote to memory of 1868 | 1436 | 0e8c9629bb58ba41d3fd3c3028908912.exe | 311011162.exe
PID 1436 wrote to memory of 1868 | 1436 | 0e8c9629bb58ba41d3fd3c3028908912.exe | 311011162.exe
PID 1868 wrote to memory of 4740 | 1868 | 311011162.exe | syswsvdrv.exe
PID 1868 wrote to memory of 4740 | 1868 | 311011162.exe | syswsvdrv.exe
PID 1868 wrote to memory of 4740 | 1868 | 311011162.exe | syswsvdrv.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0e8c9629bb58ba41d3fd3c3028908912.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e8c9629bb58ba41d3fd3c3028908912.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\311011162.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\311011162.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\syswsvdrv.exe
         Command line: C:\Windows\syswsvdrv.exe
         - Windows security bypass
         - Executes dropped EXE
         - Windows security modification
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\311011162.exe
  Filesize: 74KB
  MD5: 024def417ae82e4c14a313a153d8984c
  SHA1: ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae
  SHA256: 94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72
  SHA512: 0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400
- C:\Windows\syswsvdrv.exe
  Filesize: 74KB
  MD5: 024def417ae82e4c14a313a153d8984c
  SHA1: ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae
  SHA256: 94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72
  SHA512: 0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400
- memory/1868-132-0x0000000000000000-mapping.dmp
- memory/4740-135-0x0000000000000000-mapping.dmp