phorphiex | e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
07-11-2020 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

371f00c6fdf9ee7012b15d210449b386.exe
Size

112KB
MD5

371f00c6fdf9ee7012b15d210449b386
SHA1

a71705075250ad01e1bf17db23a9dc560803adc1
SHA256

e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579
SHA512

d5dfb821bcb796c1bbb84baf057660a3364d82dfa0bb432fd941f2ba6f22035a255a966383e6ab497370b9574faa21690fc6a875e416f9d4dcbe40d1ebbd86df

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 8 IoCs

Processes:

resource	yara_rule
C:\197202836311259\svchost.exe	family_phorphiex
C:\197202836311259\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2474511548.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2474511548.exe	family_phorphiex
C:\19643110410638\svchost.exe	family_phorphiex
C:\19643110410638\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2090021259.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2090021259.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 8 IoCs

Processes:

svchost.exe2474511548.exe2865637617.exesvchost.exe1789635235.exe2090021259.exe3078435145.exe1069639195.exe

pid process

196 svchost.exe
3456 2474511548.exe
2420 2865637617.exe
3644 svchost.exe
2056 1789635235.exe
2248 2090021259.exe
3556 3078435145.exe
3940 1069639195.exe

pid	process
196	svchost.exe
3456	2474511548.exe
2420	2865637617.exe
3644	svchost.exe
2056	1789635235.exe
2248	2090021259.exe
3556	3078435145.exe
3940	1069639195.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

371f00c6fdf9ee7012b15d210449b386.exe2474511548.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\197202836311259\\svchost.exe"	371f00c6fdf9ee7012b15d210449b386.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\197202836311259\\svchost.exe"	371f00c6fdf9ee7012b15d210449b386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\19643110410638\\svchost.exe"	2474511548.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\19643110410638\\svchost.exe"	2474511548.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

371f00c6fdf9ee7012b15d210449b386.exesvchost.exe2474511548.exesvchost.exe

description	pid	process	target process
PID 636 wrote to memory of 196	636	371f00c6fdf9ee7012b15d210449b386.exe	svchost.exe
PID 636 wrote to memory of 196	636	371f00c6fdf9ee7012b15d210449b386.exe	svchost.exe
PID 636 wrote to memory of 196	636	371f00c6fdf9ee7012b15d210449b386.exe	svchost.exe
PID 196 wrote to memory of 3456	196	svchost.exe	2474511548.exe
PID 196 wrote to memory of 3456	196	svchost.exe	2474511548.exe
PID 196 wrote to memory of 3456	196	svchost.exe	2474511548.exe
PID 196 wrote to memory of 2420	196	svchost.exe	2865637617.exe
PID 196 wrote to memory of 2420	196	svchost.exe	2865637617.exe
PID 196 wrote to memory of 2420	196	svchost.exe	2865637617.exe
PID 3456 wrote to memory of 3644	3456	2474511548.exe	svchost.exe
PID 3456 wrote to memory of 3644	3456	2474511548.exe	svchost.exe
PID 3456 wrote to memory of 3644	3456	2474511548.exe	svchost.exe
PID 196 wrote to memory of 2056	196	svchost.exe	1789635235.exe
PID 196 wrote to memory of 2056	196	svchost.exe	1789635235.exe
PID 196 wrote to memory of 2056	196	svchost.exe	1789635235.exe
PID 3644 wrote to memory of 2248	3644	svchost.exe	2090021259.exe
PID 3644 wrote to memory of 2248	3644	svchost.exe	2090021259.exe
PID 3644 wrote to memory of 2248	3644	svchost.exe	2090021259.exe
PID 3644 wrote to memory of 3556	3644	svchost.exe	3078435145.exe
PID 3644 wrote to memory of 3556	3644	svchost.exe	3078435145.exe
PID 3644 wrote to memory of 3556	3644	svchost.exe	3078435145.exe
PID 3644 wrote to memory of 3940	3644	svchost.exe	1069639195.exe
PID 3644 wrote to memory of 3940	3644	svchost.exe	1069639195.exe
PID 3644 wrote to memory of 3940	3644	svchost.exe	1069639195.exe

C:\Users\Admin\AppData\Local\Temp\371f00c6fdf9ee7012b15d210449b386.exe
"C:\Users\Admin\AppData\Local\Temp\371f00c6fdf9ee7012b15d210449b386.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636

C:\197202836311259\svchost.exe
C:\197202836311259\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:196

C:\Users\Admin\AppData\Local\Temp\2474511548.exe
C:\Users\Admin\AppData\Local\Temp\2474511548.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456

C:\19643110410638\svchost.exe
C:\19643110410638\svchost.exe
4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\2090021259.exe
C:\Users\Admin\AppData\Local\Temp\2090021259.exe
5⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\3078435145.exe
C:\Users\Admin\AppData\Local\Temp\3078435145.exe
5⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Temp\1069639195.exe
C:\Users\Admin\AppData\Local\Temp\1069639195.exe
5⤵
- Executes dropped EXE
PID:3940

C:\Users\Admin\AppData\Local\Temp\2865637617.exe
C:\Users\Admin\AppData\Local\Temp\2865637617.exe
3⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\Temp\1789635235.exe
C:\Users\Admin\AppData\Local\Temp\1789635235.exe
3⤵
- Executes dropped EXE
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\19643110410638\svchost.exe
MD5
bf7d90121ee4f2922825193f362e27bf

SHA1
4939fbdc006f05b783c1d6d24947a2970cfcd70f

SHA256
11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964

SHA512
721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039

Download Submit
C:\19643110410638\svchost.exe
MD5
bf7d90121ee4f2922825193f362e27bf

SHA1
4939fbdc006f05b783c1d6d24947a2970cfcd70f

SHA256
11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964

SHA512
721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039

Download Submit
C:\197202836311259\svchost.exe
MD5
371f00c6fdf9ee7012b15d210449b386

SHA1
a71705075250ad01e1bf17db23a9dc560803adc1

SHA256
e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579

SHA512
d5dfb821bcb796c1bbb84baf057660a3364d82dfa0bb432fd941f2ba6f22035a255a966383e6ab497370b9574faa21690fc6a875e416f9d4dcbe40d1ebbd86df

Download Submit
C:\197202836311259\svchost.exe
MD5
371f00c6fdf9ee7012b15d210449b386

SHA1
a71705075250ad01e1bf17db23a9dc560803adc1

SHA256
e053c19ffe23b6e0b58165395bfd1ed11b9df981e99ac8f6f5cfe9fcbddd2579

SHA512
d5dfb821bcb796c1bbb84baf057660a3364d82dfa0bb432fd941f2ba6f22035a255a966383e6ab497370b9574faa21690fc6a875e416f9d4dcbe40d1ebbd86df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\3[1]
MD5
20bbe0afb4f7377cd875c4c57e9e5195

SHA1
4b417faf232cd2e73f29f02fe0e4ed3d3824ec3f

SHA256
7f950509b4c4417b9d8a02fc99d9de5262600536da05edacf9daf3fc78fc2805

SHA512
490224e54ec94a13d3bb5762daa35e21f82d9ea76af823fb883597e4601923da5e9095abf207f67c4782fa6f1ba424e3f6f70e36ffe893611782d958995df32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\1[1]
MD5
70092a848d7c9a57e4d9549856e6542e

SHA1
941cddd9081003c3688f84d8de3d0e9bb3c511e9

SHA256
938f1b1f1067f54a744c9fafc3c1d0dc619ae0ea78689bcd68c1fb96012be3db

SHA512
1f01b1605a774871d03d8fc1586eac918f50388519bae24bda25dc7867da1428d54585f3a1e6c963dceccae4308190d0400354519d568176a297aa6ed4e44d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\2[1]
MD5
2a844974f61e572cc93cebf83bb5a909

SHA1
6a1bf621865fbb3dd066ba96a3173c7c95e0e6d3

SHA256
4858a706a55afeec714ed243c32ba4ac78ecf85fbc064b28222b055b0f1417ec

SHA512
d2b98148d54e4980ced9e3cd09fa6ae09fb86dfb1d106222feddb580d415f7aeefd882e074837c0352b063e077d33068335fcb85ed80a8e7fff5e57da03383db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069639195.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069639195.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1789635235.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1789635235.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2090021259.exe
MD5
bf7d90121ee4f2922825193f362e27bf

SHA1
4939fbdc006f05b783c1d6d24947a2970cfcd70f

SHA256
11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964

SHA512
721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039

Download Submit
C:\Users\Admin\AppData\Local\Temp\2090021259.exe
MD5
bf7d90121ee4f2922825193f362e27bf

SHA1
4939fbdc006f05b783c1d6d24947a2970cfcd70f

SHA256
11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964

SHA512
721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039

Download Submit
C:\Users\Admin\AppData\Local\Temp\2474511548.exe
MD5
bf7d90121ee4f2922825193f362e27bf

SHA1
4939fbdc006f05b783c1d6d24947a2970cfcd70f

SHA256
11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964

SHA512
721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039

Download Submit
C:\Users\Admin\AppData\Local\Temp\2474511548.exe
MD5
bf7d90121ee4f2922825193f362e27bf

SHA1
4939fbdc006f05b783c1d6d24947a2970cfcd70f

SHA256
11c12494f3ccf9224ccfc77b6b08e5a27a21a1eeeab951c3fa8559048b299964

SHA512
721ca4713e447f3d2cd9e22ec12bb18a9bdd455a0bb5ed576409aece18dd2742165e36bd176a67b1e8537e855f306adece3361baf3ec0139a4e93c62590df039

Download Submit
C:\Users\Admin\AppData\Local\Temp\2865637617.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2865637617.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3078435145.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3078435145.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
memory/196-0-0x0000000000000000-mapping.dmp

Download
memory/2056-12-0x0000000000000000-mapping.dmp

Download
memory/2248-16-0x0000000000000000-mapping.dmp

Download
memory/2420-6-0x0000000000000000-mapping.dmp

Download
memory/3456-3-0x0000000000000000-mapping.dmp

Download
memory/3556-20-0x0000000000000000-mapping.dmp

Download
memory/3644-9-0x0000000000000000-mapping.dmp

Download
memory/3940-24-0x0000000000000000-mapping.dmp

Download