phorphiex | 9a29568fb06b15f7a2f3f89474c27141965b0cf824c4cfbd9e2a97585fd1de1e

General

Target

Photo-125-137.jpg.scr

Score

10^/10

phorphiex evasion loader persistence ransomware trojan worm

Malware Config

Extracted

Path

C:\7129197363678\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?XPQSTVXY 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?XPQSTVXY

http://helpqvrg3cc5mvb3.onion/

Signatures

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

16667.exewinsvcs.exe1137032943.exe

pid process

3920 16667.exe
2148 winsvcs.exe
3828 1137032943.exe

pid	process
3920	16667.exe
2148	winsvcs.exe
3828	1137032943.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16667.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\7129197363678\\winsvcs.exe"	16667.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\7129197363678\\winsvcs.exe"	16667.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

1137032943.exe

description ioc process

File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini 1137032943.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1137032943.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1137032943.exe

description	ioc	process
File opened (read-only)	\??\F:	1137032943.exe
File opened (read-only)	\??\L:	1137032943.exe
File opened (read-only)	\??\Z:	1137032943.exe
File opened (read-only)	\??\Y:	1137032943.exe
File opened (read-only)	\??\U:	1137032943.exe
File opened (read-only)	\??\S:	1137032943.exe
File opened (read-only)	\??\P:	1137032943.exe
File opened (read-only)	\??\V:	1137032943.exe
File opened (read-only)	\??\B:	1137032943.exe
File opened (read-only)	\??\N:	1137032943.exe
File opened (read-only)	\??\M:	1137032943.exe
File opened (read-only)	\??\W:	1137032943.exe
File opened (read-only)	\??\E:	1137032943.exe
File opened (read-only)	\??\O:	1137032943.exe
File opened (read-only)	\??\A:	1137032943.exe
File opened (read-only)	\??\G:	1137032943.exe
File opened (read-only)	\??\K:	1137032943.exe
File opened (read-only)	\??\X:	1137032943.exe
File opened (read-only)	\??\Q:	1137032943.exe
File opened (read-only)	\??\R:	1137032943.exe
File opened (read-only)	\??\T:	1137032943.exe
File opened (read-only)	\??\I:	1137032943.exe
File opened (read-only)	\??\H:	1137032943.exe
File opened (read-only)	\??\J:	1137032943.exe

Drops file in Program Files directory 554 IoCs

Processes:

1137032943.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\win_x64\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1137032943.exe
File created	C:\Program Files\Common Files\System\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll	1137032943.exe
File created	C:\Program Files\Internet Explorer\images\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\AssertMove.aifc	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	1137032943.exe

Suspicious behavior: EnumeratesProcesses 710 IoCs

Processes:

1137032943.exe

pid	process
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Photo-125-137.jpg.scr16667.exewinsvcs.exe

description	pid	process	target process
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	cmd.exe
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	cmd.exe
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	cmd.exe
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	16667.exe
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	16667.exe
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	16667.exe
PID 3920 wrote to memory of 2148	3920	16667.exe	winsvcs.exe
PID 3920 wrote to memory of 2148	3920	16667.exe	winsvcs.exe
PID 3920 wrote to memory of 2148	3920	16667.exe	winsvcs.exe
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	1137032943.exe
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	1137032943.exe
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	1137032943.exe

C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr
"C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\39383.jpg
2⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\16667.exe
C:\Users\Admin\AppData\Local\Temp\16667.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3920

C:\7129197363678\winsvcs.exe
C:\7129197363678\winsvcs.exe
3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\1137032943.exe
C:\Users\Admin\AppData\Local\Temp\1137032943.exe
4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7129197363678\winsvcs.exe
MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\7129197363678\winsvcs.exe
MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1137032943.exe
MD5
7d52884b375ce8b6182f1c53f0f1c496

SHA1
6b70e90b0dada8d93c61caa678e76ce2abcbc76b

SHA256
9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

SHA512
24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

Download Submit
C:\Users\Admin\AppData\Local\Temp\1137032943.exe
MD5
7d52884b375ce8b6182f1c53f0f1c496

SHA1
6b70e90b0dada8d93c61caa678e76ce2abcbc76b

SHA256
9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

SHA512
24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

Download Submit
C:\Users\Admin\AppData\Local\Temp\16667.exe
MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\16667.exe
MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\39383.jpg
MD5
848278f126f6de8d52622f8436985d77

SHA1
b18ff66c0b66156fc9daf2b30cab31bb646d4542

SHA256
4eef0a6a4c06affa87e1a215fe7fbfe5125e1523391cd703b17b4c611e63ea4b

SHA512
611b206e2ef1a37baddb7516a143028188ba2cff8af0238946b5eea237965561566080672467fe5b7addaede509b8ce920e61066a023bb7e255e70e01c33fb05

Download Submit
memory/2148-4-0x0000000000000000-mapping.dmp

Download
memory/3584-0-0x0000000000000000-mapping.dmp

Download
memory/3828-7-0x0000000000000000-mapping.dmp

Download
memory/3828-13-0x0000000005390000-0x0000000005461000-memory.dmp

Filesize
836KB

Download
memory/3920-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads