Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
17-03-2024 17:08
Behavioral task
behavioral1
Sample
d16a1879e3be4eec83b18124ec5094ad.exe
Resource
win7-20240215-en
General
-
Target
d16a1879e3be4eec83b18124ec5094ad.exe
-
Size
104KB
-
MD5
d16a1879e3be4eec83b18124ec5094ad
-
SHA1
a79d93bf2350f2ce5c87741c7da0049f200d96b2
-
SHA256
6ff7acc55f48fa1726291f1ab56c939c66c600c9e98d92255055a38ab2093331
-
SHA512
33a34adbafbdc603ac7d9530337b44a46bad68046c68066c9c6970a5021f3e5a2e0e034bfb23232b9ca1d9dcafb4a33cc96c2906e229f8b7d69ce345db1d1c0c
-
SSDEEP
3072:Xl58BV2ZjooGTb5PjMdhS3KV3/jjKwcNHjo86r8X7FS8EFcv:158BIFveZjMrS3q3/jjKwcNHjo86r8r3
Malware Config
Signatures
-
Phorphiex payload 1 IoCs
Processes:
resource                    yara_rule
\13806394810512\smss.exe    family_phorphiex
-
Windows security bypass 6 IoCs
Processes:
description        ioc                                                                                                  process
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"              smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"         smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"               smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"          smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"                smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"           smss.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid     process
1168    smss.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid     process
384     d16a1879e3be4eec83b18124ec5094ad.exe
-
Windows security modification 7 IoCs
Processes:
description        ioc                                                                                                  process
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"               smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"          smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"                smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"           smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"            smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"              smss.exe
Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"         smss.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description        ioc                                                                                                                                                                       process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13806394810512\\smss.exe"                           d16a1879e3be4eec83b18124ec5094ad.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13806394810512\\smss.exe"    d16a1879e3be4eec83b18124ec5094ad.exe
Note: both the value name ("Host Process for Windows Services" is the file description of the legitimate svchost.exe) and the target file name (smss.exe is the Windows Session Manager, normally only in C:\Windows\System32) imitate system components, while the actual path is a numeric directory in the root of C:. The same Run value is written under both HKLM and the user's HKU hive.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                         pid    process                                 target process
PID 384 wrote to memory of 1168     384    d16a1879e3be4eec83b18124ec5094ad.exe    smss.exe
PID 384 wrote to memory of 1168     384    d16a1879e3be4eec83b18124ec5094ad.exe    smss.exe
PID 384 wrote to memory of 1168     384    d16a1879e3be4eec83b18124ec5094ad.exe    smss.exe
PID 384 wrote to memory of 1168     384    d16a1879e3be4eec83b18124ec5094ad.exe    smss.exe
Note: all four writes go from the dropper to the child it had just started (PID 1168); no other process is targeted.
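The two registry-based signatures above (Security Center overrides and the Run-key persistence entry) can be checked mechanically rather than read by eye. The Python below is an added example, not part of this sandbox report or its tooling: it parses IoC lines in the flattened `Set value (<type>) <path> = "<data>" <process>` shape this page uses and applies three rules to each write: Security Center `*Override` / `*DisableNotify` set to 1, a Run value whose executable lives outside the usual program directories, and a system-binary file name (such as smss.exe) outside C:\Windows. The trusted-directory prefixes and the list of system binary names are assumptions chosen for illustration, the ATT&CK IDs are the standard sub-techniques for these behaviours, and the final `SecurityHealth` entry is a constructed benign sample that is not from the report, included to show the rules do not fire on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One flattened IoC line as this report prints it:
#   Set value (<type>) <registry path> = "<data>" <process>
IOC_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

# Constructed input: three Security Center writes and both Run-key writes copied from the
# report above, plus one benign Run entry (constructed, not from the report) as a control.
REPORT_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" smss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" smss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" smss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13806394810512\\smss.exe" d16a1879e3be4eec83b18124ec5094ad.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13806394810512\\smss.exe" d16a1879e3be4eec83b18124ec5094ad.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe" explorer.exe',
]

# Assumed allowlists for illustration; tune to the estate being hunted.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "winlogon.exe"}
SECURITY_CENTER_SUFFIXES = ("Override", "DisableNotify")


@dataclass
class RegWrite:
    value_type: str
    key: str        # registry key, e.g. ...\Microsoft\Security Center
    name: str       # value name, e.g. AntiVirusOverride
    data: str       # value data with the report's doubled backslashes folded back
    process: str    # process that performed the write


def parse_ioc(line: str) -> Optional[RegWrite]:
    """Parse one 'Set value' line; return None for lines in any other shape."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    value_type, path, data, process = m.groups()
    key, _, name = path.rpartition("\\")
    return RegWrite(value_type, key, name, data.replace("\\\\", "\\"), process)


def exe_from_data(data: str) -> str:
    """Pull the executable path out of Run value data, quoted or not, with or without arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def evaluate(write: RegWrite) -> List[str]:
    """Return the list of rule hits (ATT&CK sub-technique plus detail) for one registry write."""
    findings: List[str] = []
    key_low = write.key.lower()
    # Rule 1: Security Center override / notification suppression (Impair Defenses)
    if (key_low.endswith("\\microsoft\\security center")
            and write.name.endswith(SECURITY_CENTER_SUFFIXES) and write.data == "1"):
        findings.append(f"T1562.001 Security Center {write.name}=1 by {write.process}")
    if key_low.endswith("\\currentversion\\run"):
        exe = exe_from_data(write.data)
        exe_low = exe.lower()
        # Rule 2: Run-key autostart pointing outside the trusted program directories
        if not exe_low.startswith(TRUSTED_PREFIXES):
            findings.append(f"T1547.001 Run value '{write.name}' -> {exe} outside trusted dirs")
        # Rule 3: a system binary name living outside C:\Windows (masquerading)
        base = exe_low.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARY_NAMES and not exe_low.startswith("c:\\windows\\"):
            findings.append(f"T1036.005 '{base}' outside C:\\Windows ({exe})")
    return findings


def triage(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of every line that hit at least one rule to its findings."""
    hits: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        write = parse_ioc(line)
        if write is None:
            continue
        findings = evaluate(write)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in triage(REPORT_IOCS).items():
        for f in findings:
            print(f"line {idx}: {f}")
```

Run against the six constructed lines, the first five each produce at least one finding (the HKLM and HKU Run entries produce two apiece: untrusted location and a masqueraded system-binary name), and the benign `SecurityHealth` entry produces none. The same parser can be pointed at a full export of a report's registry IoCs, or at `Set value` lines from another sandbox that uses this shape.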
Processes
-
C:\Users\Admin\AppData\Local\Temp\d16a1879e3be4eec83b18124ec5094ad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d16a1879e3be4eec83b18124ec5094ad.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384 -
C:\13806394810512\smss.exe (child of PID 384)
Command line: C:\13806394810512\smss.exe
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:1168
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\13806394810512\smss.exe
Filesize
104KB
MD5
d16a1879e3be4eec83b18124ec5094ad
SHA1
a79d93bf2350f2ce5c87741c7da0049f200d96b2
SHA256
6ff7acc55f48fa1726291f1ab56c939c66c600c9e98d92255055a38ab2093331
SHA512
33a34adbafbdc603ac7d9530337b44a46bad68046c68066c9c6970a5021f3e5a2e0e034bfb23232b9ca1d9dcafb4a33cc96c2906e229f8b7d69ce345db1d1c0c
Note: size and all four hashes are identical to the submitted sample, so the dropped smss.exe is a byte-for-byte self-copy; the same hashes cover both the dropper and the persisted file.