Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 12:38
Behavioral task
- behavioral1
- Sample: e1af1ba1edb943b838456f57bd564d01.exe
- Resource: win7-20240221-en
General
- Target: e1af1ba1edb943b838456f57bd564d01.exe
- Size: 105KB
- MD5: e1af1ba1edb943b838456f57bd564d01
- SHA1: 489760f1f57a35591020f1f82e54740d76fa97e7
- SHA256: 042fb580d253d7525231cbe7a2fb30f931c8a59bb51115e98fba3fe1d2f48a29
- SHA512: 982417c1f742e2624c1da543058ccb2b3e9b5f46cedcbba242d13717a2f6c56cd186ba186767542bf68e0e38d0894b3ac027874f33f5bd5a94c3dac542916155
- SSDEEP: 3072:gEbJSw745FIlbt/d6WruEPJZDTS7MJCAc2BEUzWndAstTIgFpW:rbJSgkkcWruEhZDTS7MJCAc2BEUzWndw
Malware Config
Signatures
- Phorphiex payload (1 IoC)
  Processes (resource | yara_rule):
  \2917090593118\lsass.exe | family_phorphiex
- Windows security bypass
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | lsass.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  2672 | lsass.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  2144 | e1af1ba1edb943b838456f57bd564d01.exe
- Windows security modification
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | lsass.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2917090593118\\lsass.exe" | e1af1ba1edb943b838456f57bd564d01.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2917090593118\\lsass.exe" | e1af1ba1edb943b838456f57bd564d01.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 2144 wrote to memory of 2672 | 2144 | e1af1ba1edb943b838456f57bd564d01.exe | lsass.exe
  PID 2144 wrote to memory of 2672 | 2144 | e1af1ba1edb943b838456f57bd564d01.exe | lsass.exe
  PID 2144 wrote to memory of 2672 | 2144 | e1af1ba1edb943b838456f57bd564d01.exe | lsass.exe
  PID 2144 wrote to memory of 2672 | 2144 | e1af1ba1edb943b838456f57bd564d01.exe | lsass.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e1af1ba1edb943b838456f57bd564d01.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1af1ba1edb943b838456f57bd564d01.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2144
  - C:\2917090593118\lsass.exe (depth 2, child of PID 2144)
    Command line: C:\2917090593118\lsass.exe
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    PID: 2672
Network
MITRE ATT&CK Enterprise v15
Downloads
- \2917090593118\lsass.exe
  Filesize: 105KB
  MD5: e1af1ba1edb943b838456f57bd564d01
  SHA1: 489760f1f57a35591020f1f82e54740d76fa97e7
  SHA256: 042fb580d253d7525231cbe7a2fb30f931c8a59bb51115e98fba3fe1d2f48a29
  SHA512: 982417c1f742e2624c1da543058ccb2b3e9b5f46cedcbba242d13717a2f6c56cd186ba186767542bf68e0e38d0894b3ac027874f33f5bd5a94c3dac542916155