phorphiex | 1589137eea1bc46db43c9b9229402646773876d527585f68fd58d37add5d8402

General

Target

a.scr
Size

15KB
MD5

ba74a7cb5a12d713229105df94a9e418
SHA1

c128af146a1f7ed27d702aa6ad7600d7ca3510cb
SHA256

1589137eea1bc46db43c9b9229402646773876d527585f68fd58d37add5d8402
SHA512

897c3906884ec1c836831308d023fc06e3b9aa92e8ef0fe8692d66f2965fce45d63eca2a936e5a6672a28fefa4b52ae0812eacfe3b27526509a19d105aba6eee

Score

10^/10

phorphiex evasion loader persistence ransomware trojan worm

Malware Config

Extracted

Path

C:\221622968119831\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?DUWYZBCE 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?DUWYZBCE

http://helpqvrg3cc5mvb3.onion/

Signatures

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

21292.exewinsvcs.exe2465529280.exe

pid process

3628 21292.exe
576 winsvcs.exe
2072 2465529280.exe

pid	process
3628	21292.exe
576	winsvcs.exe
2072	2465529280.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

21292.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\221622968119831\\winsvcs.exe"	21292.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\221622968119831\\winsvcs.exe"	21292.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2465529280.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	2465529280.exe
File opened for modification	C:\Program Files\desktop.ini	2465529280.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2465529280.exe

description	ioc	process
File opened (read-only)	\??\V:	2465529280.exe
File opened (read-only)	\??\B:	2465529280.exe
File opened (read-only)	\??\E:	2465529280.exe
File opened (read-only)	\??\R:	2465529280.exe
File opened (read-only)	\??\Y:	2465529280.exe
File opened (read-only)	\??\O:	2465529280.exe
File opened (read-only)	\??\G:	2465529280.exe
File opened (read-only)	\??\X:	2465529280.exe
File opened (read-only)	\??\W:	2465529280.exe
File opened (read-only)	\??\T:	2465529280.exe
File opened (read-only)	\??\P:	2465529280.exe
File opened (read-only)	\??\H:	2465529280.exe
File opened (read-only)	\??\L:	2465529280.exe
File opened (read-only)	\??\I:	2465529280.exe
File opened (read-only)	\??\A:	2465529280.exe
File opened (read-only)	\??\S:	2465529280.exe
File opened (read-only)	\??\N:	2465529280.exe
File opened (read-only)	\??\M:	2465529280.exe
File opened (read-only)	\??\Q:	2465529280.exe
File opened (read-only)	\??\U:	2465529280.exe
File opened (read-only)	\??\F:	2465529280.exe
File opened (read-only)	\??\J:	2465529280.exe
File opened (read-only)	\??\K:	2465529280.exe
File opened (read-only)	\??\Z:	2465529280.exe

Drops file in Program Files directory 876 IoCs

Processes:

2465529280.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\chrome.dll.sig	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\elevation_service.exe	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\bg.pak	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	2465529280.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	2465529280.exe
File created	C:\Program Files\Google\Chrome\Application\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg	2465529280.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	2465529280.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	2465529280.exe
File opened for modification	C:\Program Files\DisableCompare.tmp	2465529280.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	2465529280.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	2465529280.exe
File opened for modification	C:\Program Files\EnterSubmit.scf	2465529280.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	2465529280.exe
File opened for modification	C:\Program Files\CheckpointResolve.php	2465529280.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	2465529280.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogo.png	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\LICENSE	2465529280.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	2465529280.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\Read_Me.txt	2465529280.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	2465529280.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	2465529280.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\fr.pak	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll	2465529280.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll	2465529280.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	2465529280.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	2465529280.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\win_x64\Read_Me.txt	2465529280.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	2465529280.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll	2465529280.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\Read_Me.txt	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	2465529280.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll	2465529280.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ml.pak	2465529280.exe

Suspicious behavior: EnumeratesProcesses 802 IoCs

Processes:

2465529280.exe

pid	process
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe
2072	2465529280.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a.scr21292.exewinsvcs.exe

description	pid	process	target process
PID 1112 wrote to memory of 3892	1112	a.scr	cmd.exe
PID 1112 wrote to memory of 3892	1112	a.scr	cmd.exe
PID 1112 wrote to memory of 3892	1112	a.scr	cmd.exe
PID 1112 wrote to memory of 3628	1112	a.scr	21292.exe
PID 1112 wrote to memory of 3628	1112	a.scr	21292.exe
PID 1112 wrote to memory of 3628	1112	a.scr	21292.exe
PID 3628 wrote to memory of 576	3628	21292.exe	winsvcs.exe
PID 3628 wrote to memory of 576	3628	21292.exe	winsvcs.exe
PID 3628 wrote to memory of 576	3628	21292.exe	winsvcs.exe
PID 576 wrote to memory of 2072	576	winsvcs.exe	2465529280.exe
PID 576 wrote to memory of 2072	576	winsvcs.exe	2465529280.exe
PID 576 wrote to memory of 2072	576	winsvcs.exe	2465529280.exe

C:\Users\Admin\AppData\Local\Temp\a.scr
"C:\Users\Admin\AppData\Local\Temp\a.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\33137.jpg
  2⤵
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\21292.exe
  C:\Users\Admin\AppData\Local\Temp\21292.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\221622968119831\winsvcs.exe
    C:\221622968119831\winsvcs.exe
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\2465529280.exe
      C:\Users\Admin\AppData\Local\Temp\2465529280.exe
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Enumerates connected drives
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\221622968119831\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\221622968119831\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21292.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21292.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\2465529280.exe

MD5
7d52884b375ce8b6182f1c53f0f1c496

SHA1
6b70e90b0dada8d93c61caa678e76ce2abcbc76b

SHA256
9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

SHA512
24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

Download Submit
C:\Users\Admin\AppData\Local\Temp\2465529280.exe

MD5
7d52884b375ce8b6182f1c53f0f1c496

SHA1
6b70e90b0dada8d93c61caa678e76ce2abcbc76b

SHA256
9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

SHA512
24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

Download Submit
memory/576-4-0x0000000000000000-mapping.dmp

Download
memory/2072-7-0x0000000000000000-mapping.dmp

Download
memory/2072-11-0x0000000004C00000-0x0000000004CC3000-memory.dmp

Filesize
780KB

Download
memory/2072-26-0x0000000004C00000-0x0000000004CC8000-memory.dmp

Filesize
800KB

Download
memory/3628-1-0x0000000000000000-mapping.dmp

Download
memory/3892-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads