phorphiex | cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8

General

Target

SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
Size

66KB
MD5

0330ca15737b3fb862072cfa22bafe01
SHA1

633026b9467600e9617e76e3e8dfaebe5ac9f91f
SHA256

cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
SHA512

63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

winsvcs.exe

pid process

1224 winsvcs.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

pid process

308 SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

pid	process
1224	winsvcs.exe

pid	process
308	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\263841395013389\\winsvcs.exe"	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\263841395013389\\winsvcs.exe"	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

description	pid	process	target process
PID 308 wrote to memory of 1224	308	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe	winsvcs.exe
PID 308 wrote to memory of 1224	308	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe	winsvcs.exe
PID 308 wrote to memory of 1224	308	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe	winsvcs.exe
PID 308 wrote to memory of 1224	308	SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe	winsvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:308

C:\263841395013389\winsvcs.exe
C:\263841395013389\winsvcs.exe
2⤵
- Executes dropped EXE
- Windows security modification
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\263841395013389\winsvcs.exe
MD5
0330ca15737b3fb862072cfa22bafe01

SHA1
633026b9467600e9617e76e3e8dfaebe5ac9f91f

SHA256
cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8

SHA512
63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

Download Submit
C:\263841395013389\winsvcs.exe
MD5
0330ca15737b3fb862072cfa22bafe01

SHA1
633026b9467600e9617e76e3e8dfaebe5ac9f91f

SHA256
cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8

SHA512
63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

Download Submit
\263841395013389\winsvcs.exe
MD5
0330ca15737b3fb862072cfa22bafe01

SHA1
633026b9467600e9617e76e3e8dfaebe5ac9f91f

SHA256
cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8

SHA512
63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

Download Submit
memory/1200-4-0x000007FEF5D00000-0x000007FEF5F7A000-memory.dmp

Filesize
2.5MB

Download
memory/1224-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads