Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2024 10:50
Behavioral task: behavioral1
Sample: 50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe
Resource: win7-20240221-en (windows7-x64)
Signatures: 5
Duration: 150 seconds
General
Target: 50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe
Size: 62KB
MD5: 9a8acd4b7119f050506bcaf22e4ddcb9
SHA1: d2a450504119fd5d5d54d925f5e1799e320e2c33
SHA256: 50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1
SHA512: c0cb3e704016376316ffe459595b07f13d3dea53b117845dd3c752c88a3d03829aacb695b589385e809fcecea0987f3c2a09295aaaae7e55a53f97a9ba0a8668
SSDEEP: 1536:IzQjJuw3c6hqh1kJaJrNKx5tzzevaCpzqFFzWcXdqu7mOYhngYFD:eQduF60Q0X036aCBqXcY6tgYFD
Malware Config
Signatures
Phorphiex payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000419000-memory.dmp | family_phorphiex
behavioral1/memory/2208-4-0x0000000000400000-0x0000000000419000-memory.dmp | family_phorphiex
Both hits are on the same 0x19000-byte region at 0x400000 (the conventional 32-bit image base) of PID 2208, dumped twice during the run; the family rule therefore matched the sample's own in-memory image rather than a separately injected payload.
Windows security bypass (6 IoCs)
Processes:
process (all rows): 50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Windows security modification (7 IoCs)
Processes:
process (all rows): 50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
The two signatures fire on the same set of writes (the second additionally counts AntiSpywareOverride). The Override and DisableNotify values under Security Center are the ones malware sets to 1 to suppress Security Center / Action Center warnings about missing antivirus, anti-spyware, firewall and update coverage. The Wow6432Node path is consistent with a 32-bit process writing to HKLM\SOFTWARE\Microsoft\Security Center and having the write redirected by WOW64; a detection that keys on the exact path should match the key tail so that both the native and the Wow6432Node view are covered.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winupdsvcs.exe" | 50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe
The persistence entry is per-user (the HKU\<SID>\...\Run key of the logged-on account, so no elevation is needed), uses a value name that impersonates a Windows component, and points at a user-writable path outside the sample's own temp directory. This section of the report records the registry write only; it shows no file-write event for C:\Users\Admin\winupdsvcs.exe.
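As an added example that is not part of the sandbox report or of the Phorphiex sample, the following Python implements detection logic for the two registry behaviours above (Security Center override/notify values set to 1, and a Run-key entry pointing into a user-writable directory). It runs over a constructed list of Sysmon Event ID 13 (RegistryEvent, value set) records; the event dictionaries, the benign entries and the `svchost.exe`/`Vendor` paths are made up for this example, while the flagged paths mirror the report's own IoCs. It accepts both the `\REGISTRY\MACHINE\...` form used in the report and the `HKLM\...` form Sysmon logs, and matches the Security Center key on its tail so the Wow6432Node view is covered.

```python
"""Flag Security Center tampering and user-writable Run-key persistence in
Sysmon Event ID 13 records. SAMPLE_EVENTS are constructed for this example."""
import re

# Security Center values the report shows being set to 1; malware sets them to
# suppress warnings about missing AV, anti-spyware, firewall or update coverage.
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesOverride", "UpdatesDisableNotify",
}
# Matching on the key tail makes the check indifferent to the Wow6432Node view.
SECURITY_CENTER_KEY = re.compile(r"\\Microsoft\\Security Center$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
                     re.IGNORECASE)
# Autostart data that lives somewhere an unprivileged user can write.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\"
    r"|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%)", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe")
SAMPLE_EVENTS = [  # constructed Sysmon-style events, not from the sandbox run
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify",
     "Details": "1"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service",
     "Details": r"C:\Users\Admin\winupdsvcs.exe"},
    # Benign (hypothetical): a vendor updater registered from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # Benign: resetting an override back to 0 is not tampering.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000000)"},
    # Key creation (Event ID 12) carries no value data and is ignored.
    {"EventID": 12, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center", "Details": ""},
]


def normalize_path(target):
    """Map NT-style registry paths (as printed in the report) onto the HKLM/HKU form."""
    t = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", target, flags=re.IGNORECASE)
    return re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", t, flags=re.IGNORECASE)


def split_value(target):
    """Split a full value path into (key path, value name)."""
    key, _, name = normalize_path(target).rpartition("\\")
    return key, name


def dword_value(details):
    """Parse Sysmon 'DWORD (0x00000001)' or a bare decimal string; None otherwise."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]+)\)", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def check_security_center_tamper(event):
    key, name = split_value(event["TargetObject"])
    if SECURITY_CENTER_KEY.search(key) and name in SECURITY_CENTER_VALUES:
        if dword_value(event["Details"]) == 1:
            return f"security_center_tamper:{name}"
    return None


def check_run_key_persistence(event):
    key, name = split_value(event["TargetObject"])
    if RUN_KEY.search(key):
        data = event["Details"].strip().lstrip('"')
        if USER_WRITABLE.match(data):
            return f"run_key_user_writable:{name}={data}"
    return None


CHECKS = (check_security_center_tamper, check_run_key_persistence)


def scan(events):
    """Return (image, finding) pairs for every value-set event a check flags."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev["Image"], hit))
    return findings


if __name__ == "__main__":
    for image, hit in scan(SAMPLE_EVENTS):
        print(f"{hit}\t{image}")
```

Against the constructed events the scan returns three findings, all attributed to the sample's image: the two Security Center writes and the Run-key entry. The Program Files autostart, the reset to 0 and the key-creation event are left alone, which is the behaviour a rule needs before it is safe to alert on in a fleet where vendor updaters legitimately register Run keys.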
Processes
C:\Users\Admin\AppData\Local\Temp\50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe "C:\Users\Admin\AppData\Local\Temp\50cc1437b22ae5b3fdf4ee19967b1f3478a42022ece7517e2441cfb57d784bb1.exe" (PID 2208)
- Windows security bypass
- Windows security modification
- Adds Run key to start application