phorphiex | 1589137eea1bc46db43c9b9229402646773876d527585f68fd58d37add5d8402

General

Target

a.scr
Size

15KB
MD5

ba74a7cb5a12d713229105df94a9e418
SHA1

c128af146a1f7ed27d702aa6ad7600d7ca3510cb
SHA256

1589137eea1bc46db43c9b9229402646773876d527585f68fd58d37add5d8402
SHA512

897c3906884ec1c836831308d023fc06e3b9aa92e8ef0fe8692d66f2965fce45d63eca2a936e5a6672a28fefa4b52ae0812eacfe3b27526509a19d105aba6eee

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

24857.exewinsvcs.exe

pid process

332 24857.exe
872 winsvcs.exe
Loads dropped DLL 2 IoCs

Processes:

a.scr24857.exe

pid process

1936 a.scr
332 24857.exe

pid	process
332	24857.exe
872	winsvcs.exe

pid	process
1936	a.scr
332	24857.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

24857.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\65971246227968\\winsvcs.exe"	24857.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\65971246227968\\winsvcs.exe"	24857.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1536 DllHost.exe

pid	process
1536	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a.scr24857.exe

description	pid	process	target process
PID 1936 wrote to memory of 436	1936	a.scr	cmd.exe
PID 1936 wrote to memory of 436	1936	a.scr	cmd.exe
PID 1936 wrote to memory of 436	1936	a.scr	cmd.exe
PID 1936 wrote to memory of 436	1936	a.scr	cmd.exe
PID 1936 wrote to memory of 332	1936	a.scr	24857.exe
PID 1936 wrote to memory of 332	1936	a.scr	24857.exe
PID 1936 wrote to memory of 332	1936	a.scr	24857.exe
PID 1936 wrote to memory of 332	1936	a.scr	24857.exe
PID 332 wrote to memory of 872	332	24857.exe	winsvcs.exe
PID 332 wrote to memory of 872	332	24857.exe	winsvcs.exe
PID 332 wrote to memory of 872	332	24857.exe	winsvcs.exe
PID 332 wrote to memory of 872	332	24857.exe	winsvcs.exe

C:\Users\Admin\AppData\Local\Temp\a.scr
"C:\Users\Admin\AppData\Local\Temp\a.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\33427.jpg
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\24857.exe
  C:\Users\Admin\AppData\Local\Temp\24857.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\65971246227968\winsvcs.exe
    C:\65971246227968\winsvcs.exe
    3⤵
    - Executes dropped EXE
    - Windows security modification
    PID:872

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\65971246227968\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\65971246227968\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\24857.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\24857.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\33427.jpg

MD5
a603d35899017876f5cbea46dbf223d4

SHA1
bbe3b9dc5ca78b399ae151afc0f03972e710b23b

SHA256
2fbfd083e8286b5715afc2b0f0b84dc11d211e18a4bdd3f9b4af6d5a2e833ab4

SHA512
14100ee11d31da7dc051600c66e175569ad6026a550fa1167e5ecffee0f84bd6487b65eec45e32ac2e2b9b5bc338a952657187945bab7530896294d6e4cbc78f

Download Submit
\65971246227968\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
\Users\Admin\AppData\Local\Temp\24857.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
memory/332-4-0x0000000000000000-mapping.dmp

Download
memory/436-1-0x0000000000000000-mapping.dmp

Download
memory/872-8-0x0000000000000000-mapping.dmp

Download
memory/1752-0-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads