Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2023 12:46

Behavioral task: behavioral1
Sample: a21c6fb746c2eb524c86361adc2d580e.exe
Resource: win7-20221111-en

General

Target: a21c6fb746c2eb524c86361adc2d580e.exe
Size: 77KB
MD5: a21c6fb746c2eb524c86361adc2d580e
SHA1: b4011c7af9fe49fd2ba69264cd812fbf7472b27c
SHA256: c57a898f765280e3f0ad6d6fa944c6e2c19838e9cf4389be1782c0a86706b849
SHA512: 6cd026c4452230fb4cc8357bfd66afaeffc65b4505d0b52ccda62e369dc4cfed54097949959fa469a29db951bea88976e99fe49ce5571f7a4760fe905511295d
SSDEEP: 1536:gp3Mz8cRSqgcP53FGFdaNmnQ4EEi+HfFyeeeeeeeeeeeeeeeeeeeWeeeee:VwVM16QdV2fF
Malware Config
Extracted
phorphiex
http://185.215.113.66/
1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k
3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh
37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5
qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG
DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF
0x25229D09B0048F23e60c010C8eE1ae65C727e973
LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x
r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL
TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a
t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68
AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw
bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD
bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m
bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup
Signatures

Windows security bypass
Processes: syserdsvc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syserdsvc.exe

Executes dropped EXE 2 IoCs
Processes: syserdsvc.exe, 688416549.exe
pid | process
956 | syserdsvc.exe
280 | 688416549.exe

Loads dropped DLL 1 IoCs
Processes: syserdsvc.exe
pid | process
956 | syserdsvc.exe

Windows security modification
Processes: syserdsvc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | syserdsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syserdsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: a21c6fb746c2eb524c86361adc2d580e.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syserdsvc.exe" | a21c6fb746c2eb524c86361adc2d580e.exe

Drops file in Windows directory 2 IoCs
Processes: a21c6fb746c2eb524c86361adc2d580e.exe
description | ioc | process
File opened for modification | C:\Windows\syserdsvc.exe | a21c6fb746c2eb524c86361adc2d580e.exe
File created | C:\Windows\syserdsvc.exe | a21c6fb746c2eb524c86361adc2d580e.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes: a21c6fb746c2eb524c86361adc2d580e.exe, syserdsvc.exe
description | pid | process | target process
PID 960 wrote to memory of 956 | 960 | a21c6fb746c2eb524c86361adc2d580e.exe | syserdsvc.exe
PID 960 wrote to memory of 956 | 960 | a21c6fb746c2eb524c86361adc2d580e.exe | syserdsvc.exe
PID 960 wrote to memory of 956 | 960 | a21c6fb746c2eb524c86361adc2d580e.exe | syserdsvc.exe
PID 960 wrote to memory of 956 | 960 | a21c6fb746c2eb524c86361adc2d580e.exe | syserdsvc.exe
PID 956 wrote to memory of 280 | 956 | syserdsvc.exe | 688416549.exe
PID 956 wrote to memory of 280 | 956 | syserdsvc.exe | 688416549.exe
PID 956 wrote to memory of 280 | 956 | syserdsvc.exe | 688416549.exe
PID 956 wrote to memory of 280 | 956 | syserdsvc.exe | 688416549.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a21c6fb746c2eb524c86361adc2d580e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a21c6fb746c2eb524c86361adc2d580e.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\syserdsvc.exe
    command line: C:\Windows\syserdsvc.exe
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\688416549.exe
      command line: C:\Users\Admin\AppData\Local\Temp\688416549.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\688416549.exe
Filesize: 6KB
MD5: 03ee7b245daeebbf2ccaa1690a9fc8fc
SHA1: 561710d7f8c05ff5c2a3a384be5de6e023e41ac4
SHA256: 6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228
SHA512: f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

C:\Windows\syserdsvc.exe
Filesize: 77KB
MD5: a21c6fb746c2eb524c86361adc2d580e
SHA1: b4011c7af9fe49fd2ba69264cd812fbf7472b27c
SHA256: c57a898f765280e3f0ad6d6fa944c6e2c19838e9cf4389be1782c0a86706b849
SHA512: 6cd026c4452230fb4cc8357bfd66afaeffc65b4505d0b52ccda62e369dc4cfed54097949959fa469a29db951bea88976e99fe49ce5571f7a4760fe905511295d

C:\Windows\syserdsvc.exe
Filesize: 77KB
MD5: a21c6fb746c2eb524c86361adc2d580e
SHA1: b4011c7af9fe49fd2ba69264cd812fbf7472b27c
SHA256: c57a898f765280e3f0ad6d6fa944c6e2c19838e9cf4389be1782c0a86706b849
SHA512: 6cd026c4452230fb4cc8357bfd66afaeffc65b4505d0b52ccda62e369dc4cfed54097949959fa469a29db951bea88976e99fe49ce5571f7a4760fe905511295d

\Users\Admin\AppData\Local\Temp\688416549.exe
Filesize: 6KB
MD5: 03ee7b245daeebbf2ccaa1690a9fc8fc
SHA1: 561710d7f8c05ff5c2a3a384be5de6e023e41ac4
SHA256: 6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228
SHA512: f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

memory/280-60-0x0000000000000000-mapping.dmp

memory/956-55-0x0000000000000000-mapping.dmp

memory/960-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
Filesize: 8KB