phorphiex | 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
Size

888KB
MD5

b18e53bb27f7c270cadfa062c8c9330a
SHA1

a472e5ba842817df057cad53a1934d5b91617032
SHA256

1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
SHA512

10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Phorphiex Payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1847737620.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1847737620.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1847737620.exe	family_phorphiex
\1754266524840\svchost.exe	family_phorphiex
C:\1754266524840\svchost.exe	family_phorphiex
C:\1754266524840\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\1953333470.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1953333470.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 8 IoCs

Processes:

svchost.exe1847737620.exe2609225382.exe3144736335.exesvchost.exe1953333470.exe3830329087.exe1832824553.exe

pid process

1284 svchost.exe
916 1847737620.exe
664 2609225382.exe
1852 3144736335.exe
1616 svchost.exe
912 1953333470.exe
112 3830329087.exe
1180 1832824553.exe

pid	process
1284	svchost.exe
916	1847737620.exe
664	2609225382.exe
1852	3144736335.exe
1616	svchost.exe
912	1953333470.exe
112	3830329087.exe
1180	1832824553.exe

Loads dropped DLL 8 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exesvchost.exe1847737620.exesvchost.exe

pid	process
484	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
1284	svchost.exe
1284	svchost.exe
1284	svchost.exe
916	1847737620.exe
1616	svchost.exe
1616	svchost.exe
1616	svchost.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe1847737620.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\262282303825536\\svchost.exe"	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\262282303825536\\svchost.exe"	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1754266524840\\svchost.exe"	1847737620.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1754266524840\\svchost.exe"	1847737620.exe

Drops file in Windows directory 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

description	ioc	process
File created	C:\Windows\262282303825536\svchost.exe	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
File opened for modification	C:\Windows\262282303825536\svchost.exe	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
File opened for modification	C:\Windows\262282303825536	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exesvchost.exe1847737620.exesvchost.exe

description	pid	process	target process
PID 484 wrote to memory of 1284	484	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 484 wrote to memory of 1284	484	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 484 wrote to memory of 1284	484	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 484 wrote to memory of 1284	484	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 1284 wrote to memory of 916	1284	svchost.exe	1847737620.exe
PID 1284 wrote to memory of 916	1284	svchost.exe	1847737620.exe
PID 1284 wrote to memory of 916	1284	svchost.exe	1847737620.exe
PID 1284 wrote to memory of 916	1284	svchost.exe	1847737620.exe
PID 1284 wrote to memory of 664	1284	svchost.exe	2609225382.exe
PID 1284 wrote to memory of 664	1284	svchost.exe	2609225382.exe
PID 1284 wrote to memory of 664	1284	svchost.exe	2609225382.exe
PID 1284 wrote to memory of 664	1284	svchost.exe	2609225382.exe
PID 1284 wrote to memory of 1852	1284	svchost.exe	3144736335.exe
PID 1284 wrote to memory of 1852	1284	svchost.exe	3144736335.exe
PID 1284 wrote to memory of 1852	1284	svchost.exe	3144736335.exe
PID 1284 wrote to memory of 1852	1284	svchost.exe	3144736335.exe
PID 916 wrote to memory of 1616	916	1847737620.exe	svchost.exe
PID 916 wrote to memory of 1616	916	1847737620.exe	svchost.exe
PID 916 wrote to memory of 1616	916	1847737620.exe	svchost.exe
PID 916 wrote to memory of 1616	916	1847737620.exe	svchost.exe
PID 1616 wrote to memory of 912	1616	svchost.exe	1953333470.exe
PID 1616 wrote to memory of 912	1616	svchost.exe	1953333470.exe
PID 1616 wrote to memory of 912	1616	svchost.exe	1953333470.exe
PID 1616 wrote to memory of 912	1616	svchost.exe	1953333470.exe
PID 1616 wrote to memory of 112	1616	svchost.exe	3830329087.exe
PID 1616 wrote to memory of 112	1616	svchost.exe	3830329087.exe
PID 1616 wrote to memory of 112	1616	svchost.exe	3830329087.exe
PID 1616 wrote to memory of 112	1616	svchost.exe	3830329087.exe
PID 1616 wrote to memory of 1180	1616	svchost.exe	1832824553.exe
PID 1616 wrote to memory of 1180	1616	svchost.exe	1832824553.exe
PID 1616 wrote to memory of 1180	1616	svchost.exe	1832824553.exe
PID 1616 wrote to memory of 1180	1616	svchost.exe	1832824553.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\262282303825536\svchost.exe
C:\Windows\262282303825536\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\1847737620.exe
C:\Users\Admin\AppData\Local\Temp\1847737620.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:916

C:\1754266524840\svchost.exe
C:\1754266524840\svchost.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\1953333470.exe
C:\Users\Admin\AppData\Local\Temp\1953333470.exe
5⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Local\Temp\3830329087.exe
C:\Users\Admin\AppData\Local\Temp\3830329087.exe
5⤵
- Executes dropped EXE
PID:112

C:\Users\Admin\AppData\Local\Temp\1832824553.exe
C:\Users\Admin\AppData\Local\Temp\1832824553.exe
5⤵
- Executes dropped EXE
PID:1180

C:\Users\Admin\AppData\Local\Temp\2609225382.exe
C:\Users\Admin\AppData\Local\Temp\2609225382.exe
3⤵
- Executes dropped EXE
PID:664

C:\Users\Admin\AppData\Local\Temp\3144736335.exe
C:\Users\Admin\AppData\Local\Temp\3144736335.exe
3⤵
- Executes dropped EXE
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1754266524840\svchost.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\1754266524840\svchost.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1832824553.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1847737620.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1847737620.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1953333470.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2609225382.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3144736335.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3830329087.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Windows\262282303825536\svchost.exe
MD5
b18e53bb27f7c270cadfa062c8c9330a

SHA1
a472e5ba842817df057cad53a1934d5b91617032

SHA256
1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

SHA512
10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Download Submit
C:\Windows\262282303825536\svchost.exe
MD5
b18e53bb27f7c270cadfa062c8c9330a

SHA1
a472e5ba842817df057cad53a1934d5b91617032

SHA256
1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

SHA512
10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Download Submit
\1754266524840\svchost.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
\Users\Admin\AppData\Local\Temp\1832824553.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
\Users\Admin\AppData\Local\Temp\1847737620.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
\Users\Admin\AppData\Local\Temp\1953333470.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
\Users\Admin\AppData\Local\Temp\2609225382.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
\Users\Admin\AppData\Local\Temp\3144736335.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
\Users\Admin\AppData\Local\Temp\3830329087.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
\Windows\262282303825536\svchost.exe
MD5
b18e53bb27f7c270cadfa062c8c9330a

SHA1
a472e5ba842817df057cad53a1934d5b91617032

SHA256
1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

SHA512
10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Download Submit
memory/112-23-0x0000000000000000-mapping.dmp

Download
memory/664-9-0x0000000000000000-mapping.dmp

Download
memory/912-20-0x0000000000000000-mapping.dmp

Download
memory/916-6-0x0000000000000000-mapping.dmp

Download
memory/1180-26-0x0000000000000000-mapping.dmp

Download
memory/1244-4-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1284-1-0x0000000000000000-mapping.dmp

Download
memory/1616-16-0x0000000000000000-mapping.dmp

Download
memory/1852-12-0x0000000000000000-mapping.dmp

Download