Analysis

Max time kernel: 150s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-09-2024 21:08
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240903-en
General

Target: file.exe
Size: 88KB
MD5: ababca6d12d96e8dd2f1d7114b406fae
SHA1: dcd9798e83ec688aacb3de8911492a232cb41a32
SHA256: a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
SHA512: b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f
SSDEEP: 1536:wL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:c0poOfP6+JuEjaaKHK
Malware Config

Extracted
Family: phorphiex
URLs:
  http://185.215.113.66/
  http://77.91.77.92/
  http://91.202.233.141/
Cryptocurrency wallet addresses:
  0xCa90599132C4D88907Bd8E046540284aa468a035
  TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
  qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
  XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
  LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
  rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
  4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
  15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
  17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
  ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
  3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
  3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
  DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
  t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
  stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
  bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
  bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
  bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
  GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
Mutex: 55a4er5wo
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
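The extracted list above mixes three URLs with nineteen wallet addresses for many different chains. Phorphiex is documented as carrying such a list for clipboard hijacking (a copied wallet address is replaced with the attacker's address for the same chain), so the first triage question is which chains are covered. The script below is an added example, not part of the sandbox report or of the malware: it splits the extracted strings into URLs and addresses and labels each address by the public address format it matches (prefix, length and alphabet only; no checksum is verified). Formats shared by more than one chain are reported as ambiguous instead of being guessed, and anything that matches no rule is kept in an "unclassified" list rather than dropped.

```python
"""Classify the strings from the report's 'Malware Config / Extracted' block.

Added example, not part of the sandbox report or of Phorphiex itself.
Rules are format heuristics (prefix / length / alphabet), not validation.
"""
import re
from collections import Counter

# Copied verbatim from the report's "Extracted" list.
EXTRACTED = """
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
"""

B58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet: no 0, O, I, l (BTC family, XRP, XMR, DOT)
B32 = r"[02-9ac-hj-np-z]"       # bech32 / cashaddr data alphabet: no 1, b, i, o

# (chain, form, ambiguous, pattern). First match wins, so fixed prefixes come first.
ADDRESS_RULES = [
    ("ETH",    "EVM hex",               False, re.compile(rf"^0x[0-9a-fA-F]{{40}}$")),
    ("BTC",    "bech32",                False, re.compile(rf"^bc1{B32}{{39,59}}$")),
    ("LTC",    "bech32",                False, re.compile(rf"^ltc1{B32}{{39,59}}$")),
    ("BNB",    "Beacon Chain bech32",   False, re.compile(rf"^bnb1{B32}{{38}}$")),
    ("COSMOS", "bech32 (hrp prefix)",   False, re.compile(rf"^[a-z]{{2,10}}1{B32}{{38,58}}$")),
    ("BCH",    "cashaddr",              False, re.compile(rf"^(bitcoincash:)?[qp]{B32}{{41}}$")),
    ("XMR",    "standard/subaddress",   False, re.compile(rf"^[48]{B58}{{94}}$")),
    ("XLM",    "ed25519 public key",    False, re.compile(rf"^G[A-Z2-7]{{55}}$")),
    ("DOT",    "SS58",                  False, re.compile(rf"^1{B58}{{46,47}}$")),
    ("ZEC",    "transparent t-addr",    False, re.compile(rf"^t[13]{B58}{{33}}$")),
    ("BTC",    "P2PKH",                 False, re.compile(rf"^1{B58}{{25,33}}$")),
    ("BTC",    "P2SH (also legacy LTC)", True,  re.compile(rf"^3{B58}{{25,34}}$")),
    ("LTC",    "legacy",                False, re.compile(rf"^[LM]{B58}{{33}}$")),
    ("DOGE",   "P2PKH",                 False, re.compile(rf"^D{B58}{{33}}$")),
    ("DASH",   "P2PKH",                 False, re.compile(rf"^X{B58}{{33}}$")),
    ("TRX",    "base58check",           False, re.compile(rf"^T{B58}{{33}}$")),
    ("XRP",    "classic",               False, re.compile(rf"^r{B58}{{24,34}}$")),
]


def triage_config(text: str) -> dict:
    """Split extracted strings into URLs, classified addresses and leftovers."""
    urls, addresses, unclassified = [], [], []
    for token in (line.strip() for line in text.splitlines()):
        if not token:
            continue
        if token.startswith(("http://", "https://")):
            urls.append(token)
            continue
        for chain, form, ambiguous, rule in ADDRESS_RULES:
            if rule.match(token):
                addresses.append({"address": token, "chain": chain,
                                  "form": form, "ambiguous": ambiguous})
                break
        else:
            unclassified.append(token)   # unknown is not the same as harmless: keep it
    return {
        "urls": urls,
        "addresses": addresses,
        "unclassified": unclassified,
        "chains": dict(Counter(a["chain"] for a in addresses)),
    }


if __name__ == "__main__":
    result = triage_config(EXTRACTED)
    print("URLs:", *result["urls"], sep="\n  ")
    for a in result["addresses"]:
        flag = "  (ambiguous)" if a["ambiguous"] else ""
        print(f"{a['chain']:<7}{a['form']:<26}{a['address']}{flag}")
    print("Per chain:", result["chains"])
    print("Unclassified:", result["unclassified"])
```

Against the list above this yields 3 URLs and 19 addresses across 14 chains (BTC 4, LTC 2, BCH 2, one each of ETH, TRX, DASH, XRP, XMR, DOT, DOGE, ZEC, BNB, XLM and a Cosmos-SDK chain with hrp "stars"); the two "3..." addresses are the only ambiguous ones, since that P2SH format is shared by Bitcoin and legacy Litecoin.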
Signatures

Modifies security service (2 TTPs, 1 IoC)
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"
  Start = 4 is SERVICE_DISABLED, so this disables the Windows Update service (wuauserv).

Phorphiex payload (1 IoC)
  C:\Windows\sysmablsvr.exe  matches YARA rule family_phorphiex

Windows security bypass (6 IoCs)
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  The *Override and *DisableNotify values suppress Security Center warnings that antivirus, firewall or updates are off. The WOW6432Node path shows the writes came from a 32-bit process under registry redirection.

Executes dropped EXE (3 IoCs)
  PID 1724  sysmablsvr.exe
  PID 1096  1076329146.exe
  PID 3948  1185420511.exe

Windows security modification (7 IoCs)
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  sysmablsvr.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"

Adds Run key to start application (2 TTPs, 1 IoC)
  file.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"

Drops file in Windows directory (2 IoCs)
  file.exe  File created                  C:\Windows\sysmablsvr.exe
  file.exe  File opened for modification  C:\Windows\sysmablsvr.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  file.exe        Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  sysmablsvr.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  1076329146.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  1185420511.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4764 (file.exe)        wrote to memory of PID 1724 (sysmablsvr.exe)  x3
  PID 1724 (sysmablsvr.exe)  wrote to memory of PID 1096 (1076329146.exe)  x3
  PID 1724 (sysmablsvr.exe)  wrote to memory of PID 3948 (1185420511.exe)  x3
  All three edges are parent-to-child writes into processes the writer itself launched; no write targets a process outside the sample's own lineage.
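The registry IoCs above are the part of this report that translates directly into host detections: seven Security Center override values set to 1, the Windows Update service set to disabled, and a Run key pointing at a freshly dropped binary in C:\Windows. The script below is an added example, not part of the sandbox report: it parses the report's "Set value" lines into structured events (hive normalised to HKLM, value name split from the key, the sandbox's doubled backslashes undone), drops exact duplicates (the same Security Center writes appear under two signatures above), and runs three rules over them. One extra line is constructed (services.exe setting wuauserv Start back to 3, manual start) so the service rule has a negative case.

```python
"""Parse the registry 'Set value' IoC lines from this report and run three
detections over them.

Added example; not part of the sandbox report. The last IOC line is a
constructed benign control (wuauserv Start=3 by services.exe).
"""
import re
from dataclasses import dataclass
from typing import List

IOC_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" sysmablsvr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysmablsvr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe" file.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3" services.exe
"""

# Sandbox line format: Set value (<type>) <\REGISTRY\...\ValueName> = "<data>" <process>
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


@dataclass(frozen=True)
class RegEvent:
    dtype: str        # int / str as reported by the sandbox
    key: str          # HKLM\... without the value name
    value_name: str
    data: str         # string data with the sandbox's \\ escaping undone
    process: str


def parse_events(text: str) -> List[RegEvent]:
    """Parse sandbox lines into RegEvents; exact duplicates dropped, order kept."""
    seen, events = set(), []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        dtype, path, data, process = m.groups()
        for prefix, hive in HIVES.items():
            if path.startswith(prefix):
                path = hive + path[len(prefix):]
                break
        key, _, value_name = path.rpartition("\\")
        ev = RegEvent(dtype, key, value_name, data.replace("\\\\", "\\"), process)
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.IGNORECASE)


def detect(events: List[RegEvent]) -> List[Finding]:
    findings = []
    for e in events:
        name = e.value_name.lower()
        # 1. Security Center *Override / *DisableNotify = 1 silences the warnings
        #    that antivirus, firewall or updates are off.
        if ("\\microsoft\\security center" in e.key.lower()
                and name.endswith(("override", "disablenotify")) and e.data == "1"):
            findings.append(Finding("security_center_suppressed", e.process,
                                    f"{e.value_name} = 1"))
        # 2. <service>\Start = 4 is SERVICE_DISABLED; 2 (auto) and 3 (manual) are normal.
        m = SERVICE_KEY_RE.search(e.key)
        if m and name == "start" and e.data == "4":
            findings.append(Finding("service_disabled", e.process,
                                    f"{m.group(1)} Start=4 (SERVICE_DISABLED)"))
        # 3. Any Run/RunOnce write is persistence; a target under C:\Windows written
        #    by a process out of a user's Temp directory is the strongest form.
        if RUN_KEY_RE.search(e.key):
            tag = " [binary in Windows dir]" if e.data.lower().startswith("c:\\windows\\") else ""
            findings.append(Finding("run_key_persistence", e.process,
                                    f'"{e.value_name}" -> {e.data}{tag}'))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(IOC_LINES)):
        print(f"{f.rule:<28}{f.process:<16}{f.detail}")
```

Run on the lines above this produces nine findings: seven security_center_suppressed (the duplicate AntiVirusOverride write collapses into one), one service_disabled for wuauserv, and one run_key_persistence whose target C:\Windows\sysmablsvr.exe is flagged as a binary in the Windows directory; the constructed Start=3 line produces nothing.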
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 4764)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\sysmablsvr.exe  (PID 1724)
       command line: C:\Windows\sysmablsvr.exe
       - Modifies security service
       - Windows security bypass
       - Executes dropped EXE
       - Windows security modification
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       ├─ C:\Users\Admin\AppData\Local\Temp\1076329146.exe  (PID 1096)
       │    command line: C:\Users\Admin\AppData\Local\Temp\1076329146.exe
       │    - Executes dropped EXE
       │    - System Location Discovery: System Language Discovery
       └─ C:\Users\Admin\AppData\Local\Temp\1185420511.exe  (PID 3948)
            command line: C:\Users\Admin\AppData\Local\Temp\1185420511.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
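The "Suspicious use of WriteProcessMemory" IoCs only mean something when read against this tree. A plain CreateProcess call writes the child's process parameters into the new process, so parent-to-child writes appear for every launch; the signal worth chasing is a write into a process the writer did not create. The script below is an added example, not part of the sandbox report: it encodes the tree above, parses the nine "wrote to memory of" lines from the report, groups them per (source, target) edge and labels each edge by lineage. One extra line is constructed (sysmablsvr.exe writing into an explorer.exe with PID 2468 that does not exist in the tree) to show what a cross-process injection would look like under the same rule.

```python
"""Classify the report's 'wrote to memory of' IoCs against its process tree.

Added example; not part of the sandbox report. PROCESS_TREE and WPM_LINES are
copied from the report; CONSTRUCTED_INJECTION is invented to show the rule fire.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# pid -> (image name, parent pid), as rendered in the report's Processes section.
PROCESS_TREE: Dict[int, Tuple[str, Optional[int]]] = {
    4764: ("file.exe", None),
    1724: ("sysmablsvr.exe", 4764),
    1096: ("1076329146.exe", 1724),
    3948: ("1185420511.exe", 1724),
}

WPM_LINES = """
PID 4764 wrote to memory of 1724 4764 file.exe sysmablsvr.exe
PID 4764 wrote to memory of 1724 4764 file.exe sysmablsvr.exe
PID 4764 wrote to memory of 1724 4764 file.exe sysmablsvr.exe
PID 1724 wrote to memory of 1096 1724 sysmablsvr.exe 1076329146.exe
PID 1724 wrote to memory of 1096 1724 sysmablsvr.exe 1076329146.exe
PID 1724 wrote to memory of 1096 1724 sysmablsvr.exe 1076329146.exe
PID 1724 wrote to memory of 3948 1724 sysmablsvr.exe 1185420511.exe
PID 1724 wrote to memory of 3948 1724 sysmablsvr.exe 1185420511.exe
PID 1724 wrote to memory of 3948 1724 sysmablsvr.exe 1185420511.exe
"""
# Constructed, not from the report: a write into a process outside the observed tree.
CONSTRUCTED_INJECTION = "PID 1724 wrote to memory of 2468 1724 sysmablsvr.exe explorer.exe\n"

# Sandbox format: PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def ancestors(tree, pid):
    """Yield the parent chain of pid, nearest first."""
    parent = tree.get(pid, (None, None))[1]
    while parent is not None:
        yield parent
        parent = tree.get(parent, (None, None))[1]


def classify_writes(text, tree):
    """Group writes per (src, dst) edge and label each edge by lineage."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += 1
        names[src], names[dst] = m[3], m[4]
    result = []
    for (src, dst), n in edges.items():
        if dst not in tree:
            label = "target_outside_observed_tree"   # nothing in the tree launched it
        elif tree[dst][1] == src:
            label = "parent_to_child"                # what a plain CreateProcess looks like
        elif src in ancestors(tree, dst):
            label = "ancestor_to_descendant"         # in-lineage, but not a launch
        else:
            label = "cross_lineage"                  # classic injection into a sibling etc.
        result.append({"src": src, "dst": dst, "src_name": names[src],
                       "dst_name": names[dst], "writes": n, "label": label})
    return result


def suspicious(classified):
    """Everything that is not the parent writing into a child it just created."""
    return [e for e in classified if e["label"] != "parent_to_child"]


if __name__ == "__main__":
    for e in classify_writes(WPM_LINES + CONSTRUCTED_INJECTION, PROCESS_TREE):
        print(f"{e['src']} ({e['src_name']}) -> {e['dst']} ({e['dst_name']})"
              f"  x{e['writes']}  {e['label']}")
```

On the report's nine lines alone every edge is parent_to_child with three writes each and suspicious() returns nothing; with the constructed explorer.exe line added, one edge is labelled target_outside_observed_tree. When applying this to a real EDR timeline, feed it the full process-creation list, not just the processes the sandbox chose to render, or legitimate targets will show up as "outside the tree".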
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 12KB
MD5: 8242045ff6b7bed00c8a94c77193f2de
SHA1: ea6e335f88b9d14e722bff8298469fe0d6c17199
SHA256: 7217de31983e9e1e310d0bb28d8edc2f7d6e69f2abf32704b5ab74072ab48f74
SHA512: de3fa7426d115ee96c5ff328d31a3de476742b1cf9c7956f56c675bc9e94c175db32aeff6235c59d37df51b3b0dac79e002a97527fa0e4d02eee3ba4c4c2a39c

Filesize: 7KB
MD5: ac0a159a6c219e2cea55dcc77ab6e337
SHA1: 3e0e7c2e758dae61edf9f27860693a1910ba71aa
SHA256: e97496328c0d205a7ecb4ade75c1555fc7787ec54334468739c5c5cfd6566b3c
SHA512: 4f29a8d75d71d553166f817474f316a80be4fb39d8b7b38336b172ad4c428bbc76b461ac02befca4b15ca42562cdb783a27b02d5eb8c1af2944e0d4e2acadc6a

Filesize: 7KB
MD5: cdc59ec342e22103257f213fed156807
SHA1: 0b7f95ab9fa24a7cea2e34b9aff3845a8923f96f
SHA256: ddf959ff63893ac8eb8ed9f877448072fe7b5fae741b3af3d5db5b06ac154678
SHA512: e215e2933636df7b5eecd21dd64a90de8e06d5bc41ce71673263ec36073ad926c3d3f6910b969eccf8e02458b0d580248df3c07e01d6ba9e6b1f7b3f14a34bb1

Filesize: 88KB
MD5: ababca6d12d96e8dd2f1d7114b406fae
SHA1: dcd9798e83ec688aacb3de8911492a232cb41a32
SHA256: a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
SHA512: b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f
(All four hashes of this 88KB entry are identical to those of the submitted sample file.exe in the General section.)