phorphiex | 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

Analysis

max time kernel
155s
max time network
155s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
Size

888KB
MD5

b18e53bb27f7c270cadfa062c8c9330a
SHA1

a472e5ba842817df057cad53a1934d5b91617032
SHA256

1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
SHA512

10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Phorphiex Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3721512616.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3721512616.exe	family_phorphiex
C:\92781776224280\svchost.exe	family_phorphiex
C:\92781776224280\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1572736130.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1572736130.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 8 IoCs

Processes:

svchost.exe3721512616.exe3872222412.exe2366731905.exesvchost.exe1572736130.exe1429524268.exe3319414717.exe

pid process

2440 svchost.exe
184 3721512616.exe
3608 3872222412.exe
3660 2366731905.exe
3348 svchost.exe
2268 1572736130.exe
3496 1429524268.exe
648 3319414717.exe

pid	process
2440	svchost.exe
184	3721512616.exe
3608	3872222412.exe
3660	2366731905.exe
3348	svchost.exe
2268	1572736130.exe
3496	1429524268.exe
648	3319414717.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3721512616.exeSecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\92781776224280\\svchost.exe"	3721512616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\5066213467465\\svchost.exe"	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\5066213467465\\svchost.exe"	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\92781776224280\\svchost.exe"	3721512616.exe

Drops file in Windows directory 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

description	ioc	process
File opened for modification	C:\Windows\5066213467465	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
File created	C:\Windows\5066213467465\svchost.exe	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
File opened for modification	C:\Windows\5066213467465\svchost.exe	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exesvchost.exe3721512616.exesvchost.exe

description	pid	process	target process
PID 636 wrote to memory of 2440	636	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 636 wrote to memory of 2440	636	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 636 wrote to memory of 2440	636	SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe	svchost.exe
PID 2440 wrote to memory of 184	2440	svchost.exe	3721512616.exe
PID 2440 wrote to memory of 184	2440	svchost.exe	3721512616.exe
PID 2440 wrote to memory of 184	2440	svchost.exe	3721512616.exe
PID 2440 wrote to memory of 3608	2440	svchost.exe	3872222412.exe
PID 2440 wrote to memory of 3608	2440	svchost.exe	3872222412.exe
PID 2440 wrote to memory of 3608	2440	svchost.exe	3872222412.exe
PID 2440 wrote to memory of 3660	2440	svchost.exe	2366731905.exe
PID 2440 wrote to memory of 3660	2440	svchost.exe	2366731905.exe
PID 2440 wrote to memory of 3660	2440	svchost.exe	2366731905.exe
PID 184 wrote to memory of 3348	184	3721512616.exe	svchost.exe
PID 184 wrote to memory of 3348	184	3721512616.exe	svchost.exe
PID 184 wrote to memory of 3348	184	3721512616.exe	svchost.exe
PID 3348 wrote to memory of 2268	3348	svchost.exe	1572736130.exe
PID 3348 wrote to memory of 2268	3348	svchost.exe	1572736130.exe
PID 3348 wrote to memory of 2268	3348	svchost.exe	1572736130.exe
PID 3348 wrote to memory of 3496	3348	svchost.exe	1429524268.exe
PID 3348 wrote to memory of 3496	3348	svchost.exe	1429524268.exe
PID 3348 wrote to memory of 3496	3348	svchost.exe	1429524268.exe
PID 3348 wrote to memory of 648	3348	svchost.exe	3319414717.exe
PID 3348 wrote to memory of 648	3348	svchost.exe	3319414717.exe
PID 3348 wrote to memory of 648	3348	svchost.exe	3319414717.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\5066213467465\svchost.exe
C:\Windows\5066213467465\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\3721512616.exe
C:\Users\Admin\AppData\Local\Temp\3721512616.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:184

C:\92781776224280\svchost.exe
C:\92781776224280\svchost.exe
4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\1572736130.exe
C:\Users\Admin\AppData\Local\Temp\1572736130.exe
5⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Temp\1429524268.exe
C:\Users\Admin\AppData\Local\Temp\1429524268.exe
5⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\AppData\Local\Temp\3319414717.exe
C:\Users\Admin\AppData\Local\Temp\3319414717.exe
5⤵
- Executes dropped EXE
PID:648

C:\Users\Admin\AppData\Local\Temp\3872222412.exe
C:\Users\Admin\AppData\Local\Temp\3872222412.exe
3⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\2366731905.exe
C:\Users\Admin\AppData\Local\Temp\2366731905.exe
3⤵
- Executes dropped EXE
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\92781776224280\svchost.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\92781776224280\svchost.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1429524268.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1429524268.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1572736130.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\1572736130.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2366731905.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2366731905.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3319414717.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3319414717.exe
MD5
3f1db3dc8315d4b551241a5d1060119d

SHA1
de30f3fb88794d03c5f612e2f051aabd670dff88

SHA256
74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff

SHA512
782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3721512616.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\3721512616.exe
MD5
2968307563096dfe9c628171a724744f

SHA1
fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe

SHA256
003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5

SHA512
def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\3872222412.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3872222412.exe
MD5
15d07920fe0d8d6012912504f4437628

SHA1
30f5e45c53d25f1a3fd882a4f6c5766fe574c090

SHA256
b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740

SHA512
a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

Download Submit
C:\Windows\5066213467465\svchost.exe
MD5
b18e53bb27f7c270cadfa062c8c9330a

SHA1
a472e5ba842817df057cad53a1934d5b91617032

SHA256
1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

SHA512
10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Download Submit
C:\Windows\5066213467465\svchost.exe
MD5
b18e53bb27f7c270cadfa062c8c9330a

SHA1
a472e5ba842817df057cad53a1934d5b91617032

SHA256
1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

SHA512
10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

Download Submit
memory/184-3-0x0000000000000000-mapping.dmp

Download
memory/648-21-0x0000000000000000-mapping.dmp

Download
memory/2268-15-0x0000000000000000-mapping.dmp

Download
memory/2440-0-0x0000000000000000-mapping.dmp

Download
memory/3348-12-0x0000000000000000-mapping.dmp

Download
memory/3496-18-0x0000000000000000-mapping.dmp

Download
memory/3608-6-0x0000000000000000-mapping.dmp

Download
memory/3660-9-0x0000000000000000-mapping.dmp

Download