phorphiex | 14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964

Analysis

max time kernel
28s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Size

381KB
MD5

d75424c803eb7d843e2569a972e2ecc1
SHA1

09978cd6a3c99d8e1dacda30a2b53602d4e73832
SHA256

14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964
SHA512

d3e8f610f079ce6af10aa17f81e87b871ccbad6492addca00bee2185ff937f2f2f99baead4fb8e26e2b167d5c28c390e5f4cead2b95f27f0badc392edc40114b
SSDEEP

6144:NYMBlUgPcOFgqw+0Rs7cqyEcuFIqjHiegfN5n:NYMlUVOFgBEcqjHQNV

Score

10^/10

phorphiex sality backdoor defense_evasion discovery loader persistence trojan upx worm

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe

Modifies firewall policy service 3 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Phorphiex family
phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Windows security bypass 2 TTPs 13 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Executes dropped EXE 1 IoCs

pid	Process
1344	winsvcs.exe

Windows security modification 2 TTPs 16 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\6008004470706007\\winsvcs.exe"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\6008004470706007\\winsvcs.exe"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsvcs.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	winsvcs.exe
File opened (read-only)	\??\E:	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
File opened (read-only)	\??\G:	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
File opened (read-only)	\??\H:	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
File opened (read-only)	\??\E:	winsvcs.exe
File opened (read-only)	\??\G:	winsvcs.exe
File opened (read-only)	\??\H:	winsvcs.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1932-1-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-6-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-4-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-8-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-3-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-5-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-11-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-14-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-7-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-15-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-16-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-17-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-18-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-19-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-20-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-23-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-26-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-28-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1932-37-0x00000000022B0000-0x000000000333E000-memory.dmp	upx
behavioral2/memory/1344-67-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-61-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-65-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-68-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-73-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-71-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-74-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-66-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-64-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-76-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-75-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-77-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-79-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-78-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-81-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-82-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1344-84-0x0000000003170000-0x00000000041FE000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\6008004470706007\winsvcs.exe	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
File opened for modification	C:\Windows\6008004470706007\winsvcs.exe	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
File opened for modification	C:\Windows\6008004470706007	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
File opened for modification	C:\Windows\SYSTEM.INI	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	1932	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
1344	winsvcs.exe
1344	winsvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Token: SeDebugPrivilege	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 780	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	9
PID 1932 wrote to memory of 784	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	10
PID 1932 wrote to memory of 1020	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	13
PID 1932 wrote to memory of 2672	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	44
PID 1932 wrote to memory of 2704	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	45
PID 1932 wrote to memory of 3016	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	52
PID 1932 wrote to memory of 3556	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	56
PID 1932 wrote to memory of 3684	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	57
PID 1932 wrote to memory of 3872	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	58
PID 1932 wrote to memory of 3968	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	59
PID 1932 wrote to memory of 2840	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	60
PID 1932 wrote to memory of 3808	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	61
PID 1932 wrote to memory of 4224	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	62
PID 1932 wrote to memory of 3956	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	74
PID 1932 wrote to memory of 3184	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	75
PID 1932 wrote to memory of 1936	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	76
PID 1932 wrote to memory of 3676	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	77
PID 1932 wrote to memory of 5084	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	82
PID 1932 wrote to memory of 3392	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	83
PID 1932 wrote to memory of 1344	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	91
PID 1932 wrote to memory of 1344	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	91
PID 1932 wrote to memory of 1344	1932	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe	91
PID 1344 wrote to memory of 780	1344	winsvcs.exe	9
PID 1344 wrote to memory of 784	1344	winsvcs.exe	10
PID 1344 wrote to memory of 1020	1344	winsvcs.exe	13
PID 1344 wrote to memory of 2672	1344	winsvcs.exe	44
PID 1344 wrote to memory of 2704	1344	winsvcs.exe	45
PID 1344 wrote to memory of 3016	1344	winsvcs.exe	52
PID 1344 wrote to memory of 3556	1344	winsvcs.exe	56
PID 1344 wrote to memory of 3684	1344	winsvcs.exe	57
PID 1344 wrote to memory of 3872	1344	winsvcs.exe	58
PID 1344 wrote to memory of 3968	1344	winsvcs.exe	59
PID 1344 wrote to memory of 2840	1344	winsvcs.exe	60
PID 1344 wrote to memory of 3808	1344	winsvcs.exe	61
PID 1344 wrote to memory of 4224	1344	winsvcs.exe	62
PID 1344 wrote to memory of 3956	1344	winsvcs.exe	74
PID 1344 wrote to memory of 3184	1344	winsvcs.exe	75
PID 1344 wrote to memory of 1936	1344	winsvcs.exe	76
PID 1344 wrote to memory of 3676	1344	winsvcs.exe	77
PID 1344 wrote to memory of 5084	1344	winsvcs.exe	82

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsvcs.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2704

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1932
- - C:\Windows\6008004470706007\winsvcs.exe
    C:\Windows\6008004470706007\winsvcs.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1068
    3⤵
    - Program crash
    PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4224

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3184

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3676

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:5084

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1932 -ip 1932
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\6008004470706007\winsvcs.exe

Filesize
381KB

MD5
d75424c803eb7d843e2569a972e2ecc1

SHA1
09978cd6a3c99d8e1dacda30a2b53602d4e73832

SHA256
14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964

SHA512
d3e8f610f079ce6af10aa17f81e87b871ccbad6492addca00bee2185ff937f2f2f99baead4fb8e26e2b167d5c28c390e5f4cead2b95f27f0badc392edc40114b

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
b57475ce3832156295dfba4abb9a5261

SHA1
31be84c385f6c0d7d919970f1d3b585896302ef0

SHA256
d48196bc4893a13bb4b1f31e7ccdcfa641fde49a7fce85616906bc0e78aca994

SHA512
19f0f9bbf6216d4f32d7f6887c83044861586fa199812bf9014d2835ea96e8a1eb62bc8054c01e414e569dfda90feeaab12b3cd38da78c1875c93a295ba4bd46

Download Submit
C:\yxog.exe

Filesize
100KB

MD5
e71235e55fee4104a5d7d343e274872f

SHA1
a6b7ba35a77084daa63c2700e1c804b417cfae8b

SHA256
177d3b1dedbcaf25b6c2e44f076e52e71e95246aa8613b9db1092204db901f56

SHA512
670a18df61d0f474bd8aa5f89f2b7117ff7393ee5e067265ccbb3172f85a2c3016cbf2899fb6d980c867ac8cb015e90043d178cdb56fff1fb8af1f2257ea5099

Download Submit
memory/1344-66-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-72-0x0000000004840000-0x0000000004842000-memory.dmp

Filesize
8KB

Download
memory/1344-78-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-79-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-77-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-75-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-76-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-82-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-64-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-84-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-70-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1344-81-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-74-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-71-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-73-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-68-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-65-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-61-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-67-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1344-62-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1344-56-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1344-57-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1932-7-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-15-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-37-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-52-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1932-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-28-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-26-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-23-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-24-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1932-20-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-19-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-18-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-17-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-16-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-34-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/1932-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1932-14-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-11-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-5-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-3-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-8-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-13-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/1932-4-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-6-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download
memory/1932-12-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/1932-9-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/1932-10-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1932-1-0x00000000022B0000-0x000000000333E000-memory.dmp

Filesize
16.6MB

Download