phorphiex | 77e500161161d047b1fc9dcba58f3422ad838b99b5c318972d33390be6d1d69c

General

Target

a1e6dc9922fbe045c11f087b67d4ea05.exe
Size

1.0MB
MD5

6d99bee371359b0d520b4aa4e4a7ff03
SHA1

3ed8c8dbe6f962371aa27fa2faee30018789ae76
SHA256

77e500161161d047b1fc9dcba58f3422ad838b99b5c318972d33390be6d1d69c
SHA512

1ccebe7f12e81092e20a504d59dc86bc824e1b749637b6f1319a2769ac6e65b9cd1c45addd0097ea7593448c7a1020d9a96455d09e09aa5987667ef28944e4c1

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3137.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3137.exe	family_phorphiex
C:\246802638711127\svchost.exe	family_phorphiex
C:\246802638711127\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3558124404.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3558124404.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

3137.exesvchost.exe3558124404.exe2786914762.exe

pid process

4052 3137.exe
3556 svchost.exe
2892 3558124404.exe
3492 2786914762.exe

pid	process
4052	3137.exe
3556	svchost.exe
2892	3558124404.exe
3492	2786914762.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3137.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\246802638711127\\svchost.exe"	3137.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\246802638711127\\svchost.exe"	3137.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 icanhazip.com
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a1e6dc9922fbe045c11f087b67d4ea05.exe

pid process

3408 a1e6dc9922fbe045c11f087b67d4ea05.exe
3408 a1e6dc9922fbe045c11f087b67d4ea05.exe

flow	ioc
39	icanhazip.com

pid	process
3408	a1e6dc9922fbe045c11f087b67d4ea05.exe
3408	a1e6dc9922fbe045c11f087b67d4ea05.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a1e6dc9922fbe045c11f087b67d4ea05.exe3137.exesvchost.exe

description	pid	process	target process
PID 3408 wrote to memory of 4052	3408	a1e6dc9922fbe045c11f087b67d4ea05.exe	3137.exe
PID 3408 wrote to memory of 4052	3408	a1e6dc9922fbe045c11f087b67d4ea05.exe	3137.exe
PID 3408 wrote to memory of 4052	3408	a1e6dc9922fbe045c11f087b67d4ea05.exe	3137.exe
PID 4052 wrote to memory of 3556	4052	3137.exe	svchost.exe
PID 4052 wrote to memory of 3556	4052	3137.exe	svchost.exe
PID 4052 wrote to memory of 3556	4052	3137.exe	svchost.exe
PID 3556 wrote to memory of 2892	3556	svchost.exe	3558124404.exe
PID 3556 wrote to memory of 2892	3556	svchost.exe	3558124404.exe
PID 3556 wrote to memory of 2892	3556	svchost.exe	3558124404.exe
PID 3556 wrote to memory of 3492	3556	svchost.exe	2786914762.exe
PID 3556 wrote to memory of 3492	3556	svchost.exe	2786914762.exe
PID 3556 wrote to memory of 3492	3556	svchost.exe	2786914762.exe

C:\Users\Admin\AppData\Local\Temp\a1e6dc9922fbe045c11f087b67d4ea05.exe
"C:\Users\Admin\AppData\Local\Temp\a1e6dc9922fbe045c11f087b67d4ea05.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\3137.exe
"C:\Users\Admin\AppData\Local\Temp\3137.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4052

C:\246802638711127\svchost.exe
C:\246802638711127\svchost.exe
3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\3558124404.exe
C:\Users\Admin\AppData\Local\Temp\3558124404.exe
4⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\2786914762.exe
C:\Users\Admin\AppData\Local\Temp\2786914762.exe
4⤵
- Executes dropped EXE
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\246802638711127\svchost.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\246802638711127\svchost.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2786914762.exe
MD5
2570503fbcafeb4a7f604b07dba14243

SHA1
d18687aca98f337096b45682fcc106226e3ec63b

SHA256
18c190d097c5d1c77e7f309f0339b95d67620cb4711237b40bdfeb71b082a64f

SHA512
b142ce01545a715efe3aab52609fe806c318fbc138ac4dc4a29304212da0e1a2d31f5a9b50c670db9712983ce31e3788475bd4ac959c0f05a32a2391efa6b1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2786914762.exe
MD5
2570503fbcafeb4a7f604b07dba14243

SHA1
d18687aca98f337096b45682fcc106226e3ec63b

SHA256
18c190d097c5d1c77e7f309f0339b95d67620cb4711237b40bdfeb71b082a64f

SHA512
b142ce01545a715efe3aab52609fe806c318fbc138ac4dc4a29304212da0e1a2d31f5a9b50c670db9712983ce31e3788475bd4ac959c0f05a32a2391efa6b1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3137.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3137.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3558124404.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3558124404.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
memory/2892-6-0x0000000000000000-mapping.dmp

Download
memory/3492-9-0x0000000000000000-mapping.dmp

Download
memory/3556-3-0x0000000000000000-mapping.dmp

Download
memory/4052-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads