Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 30-01-2023 12:43
Behavioral task
- behavioral1
- Sample: 00623df2e344a8af515ce1c48b97541b.exe
- Resource: win7-20220812-en
General
- Target: 00623df2e344a8af515ce1c48b97541b.exe
- Size: 75KB
- MD5: 00623df2e344a8af515ce1c48b97541b
- SHA1: a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
- SHA256: 3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
- SHA512: 3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
- SSDEEP: 1536:g53Mz8y5D0FLcNU33CxcuxrMhenfF3I8eeeeeeeeeeeeeeeeeeeWeeeee:BwLFLQs3vuxrPnfF3
Malware Config
Extracted
- Family: phorphiex
- C2: http://185.215.113.66/
Signatures
Windows security bypass
Processes: sysagrsv.exe, sysagrsv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysagrsv.exe
Executes dropped EXE 5 IoCs
Processes: sysagrsv.exe, 1621913090.exe, 1216712185.exe, sysagrsv.exe, 2039332891.exe
pid | process
3776 | sysagrsv.exe
4956 | 1621913090.exe
604 | 1216712185.exe
4612 | sysagrsv.exe
3504 | 2039332891.exe
Windows security modification
Processes: sysagrsv.exe, sysagrsv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysagrsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysagrsv.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 00623df2e344a8af515ce1c48b97541b.exe, 1216712185.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe" | 00623df2e344a8af515ce1c48b97541b.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysagrsv.exe" | 1216712185.exe
Drops file in Windows directory 3 IoCs
Processes: 00623df2e344a8af515ce1c48b97541b.exe, 1216712185.exe
description | ioc | process
File created | C:\Windows\sysagrsv.exe | 00623df2e344a8af515ce1c48b97541b.exe
File opened for modification | C:\Windows\sysagrsv.exe | 00623df2e344a8af515ce1c48b97541b.exe
File created | C:\Windows\sysagrsv.exe | 1216712185.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 00623df2e344a8af515ce1c48b97541b.exe, sysagrsv.exe, 1216712185.exe, sysagrsv.exe
description | pid | process | target process
PID 3836 wrote to memory of 3776 | 3836 | 00623df2e344a8af515ce1c48b97541b.exe | sysagrsv.exe
PID 3836 wrote to memory of 3776 | 3836 | 00623df2e344a8af515ce1c48b97541b.exe | sysagrsv.exe
PID 3836 wrote to memory of 3776 | 3836 | 00623df2e344a8af515ce1c48b97541b.exe | sysagrsv.exe
PID 3776 wrote to memory of 4956 | 3776 | sysagrsv.exe | 1621913090.exe
PID 3776 wrote to memory of 4956 | 3776 | sysagrsv.exe | 1621913090.exe
PID 3776 wrote to memory of 4956 | 3776 | sysagrsv.exe | 1621913090.exe
PID 3776 wrote to memory of 604 | 3776 | sysagrsv.exe | 1216712185.exe
PID 3776 wrote to memory of 604 | 3776 | sysagrsv.exe | 1216712185.exe
PID 3776 wrote to memory of 604 | 3776 | sysagrsv.exe | 1216712185.exe
PID 604 wrote to memory of 4612 | 604 | 1216712185.exe | sysagrsv.exe
PID 604 wrote to memory of 4612 | 604 | 1216712185.exe | sysagrsv.exe
PID 604 wrote to memory of 4612 | 604 | 1216712185.exe | sysagrsv.exe
PID 4612 wrote to memory of 3504 | 4612 | sysagrsv.exe | 2039332891.exe
PID 4612 wrote to memory of 3504 | 4612 | sysagrsv.exe | 2039332891.exe
PID 4612 wrote to memory of 3504 | 4612 | sysagrsv.exe | 2039332891.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\00623df2e344a8af515ce1c48b97541b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\00623df2e344a8af515ce1c48b97541b.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\sysagrsv.exe
      command line: C:\Windows\sysagrsv.exe
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\1621913090.exe
        command line: C:\Users\Admin\AppData\Local\Temp\1621913090.exe
        - Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\1216712185.exe
        command line: C:\Users\Admin\AppData\Local\Temp\1216712185.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\sysagrsv.exe
          command line: C:\Users\Admin\sysagrsv.exe
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Suspicious use of WriteProcessMemory
        [depth 5] C:\Users\Admin\AppData\Local\Temp\2039332891.exe
            command line: C:\Users\Admin\AppData\Local\Temp\2039332891.exe
            - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\1[1]
  Filesize: 6KB
  MD5: 35e1609b5e653be9ff4740e5b24dff64
  SHA1: 5fad868f2b10d73f8189b144009dd19faf846a1a
  SHA256: cf9b08b51b1ac1a1819f6891135437eceda332bfdfab1ca6123081e5a0814ccc
  SHA512: 7846d98e7fa7f34628128bf25ddabe83d6f966e94f7c3140852066d0f01be8d67dd2602897abbb45fba01cf8530a8138e57aace71216f466c02847193863305e
- C:\Users\Admin\AppData\Local\Temp\1216712185.exe
  Filesize: 75KB
  MD5: 00623df2e344a8af515ce1c48b97541b
  SHA1: a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
  SHA256: 3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
  SHA512: 3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
- C:\Users\Admin\AppData\Local\Temp\1621913090.exe
  Filesize: 6KB
  MD5: 03ee7b245daeebbf2ccaa1690a9fc8fc
  SHA1: 561710d7f8c05ff5c2a3a384be5de6e023e41ac4
  SHA256: 6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228
  SHA512: f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55
- C:\Users\Admin\AppData\Local\Temp\2039332891.exe
  Filesize: 6KB
  MD5: 03ee7b245daeebbf2ccaa1690a9fc8fc
  SHA1: 561710d7f8c05ff5c2a3a384be5de6e023e41ac4
  SHA256: 6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228
  SHA512: f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55
- C:\Users\Admin\sysagrsv.exe
  Filesize: 75KB
  MD5: 00623df2e344a8af515ce1c48b97541b
  SHA1: a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
  SHA256: 3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
  SHA512: 3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
- C:\Users\Admin\tbcmds.dat
  Filesize: 287B
  MD5: 9db6d96263b815fb8e0738323a94332a
  SHA1: cd82591930c91bcb65dc2dfc6673facd0e6e0dfa
  SHA256: fea26beea3999270022cb91f08a8f8f3ac6e25ad7440d0a8bbfc1c011caa0061
  SHA512: c8cece250d245c1c696378ef5fd9bbc8410d6b3f7bf66b7341d7c07b076f806c3a50098203f260e80119dfa25da4019cd44fb524334e5ff301c42743563aaff1
- C:\Users\Admin\tbnds.dat
  Filesize: 4KB
  MD5: 42bfb79858b490367ee945daf35b7bb0
  SHA1: c3b03784c46e86071ac2d1d822b617e29d604b4a
  SHA256: a24b9a3e4f230be24811a4622c11d630d96948345e1798152ad6ecd769ebf50a
  SHA512: 23b9bcf4cdb8ac75c1abba6cd27ed7c07090227ccb69e4979ed6685137771774ed0e161ebd6ea1fd10e768682497d93f4fa24749e808f396be2eb61a0d592691
- C:\Windows\sysagrsv.exe
  Filesize: 75KB
  MD5: 00623df2e344a8af515ce1c48b97541b
  SHA1: a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
  SHA256: 3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
  SHA512: 3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
- memory/604-138-0x0000000000000000-mapping.dmp
- memory/3504-145-0x0000000000000000-mapping.dmp
- memory/3776-132-0x0000000000000000-mapping.dmp
- memory/4612-141-0x0000000000000000-mapping.dmp
- memory/4956-135-0x0000000000000000-mapping.dmp