phorphiex | a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

General

Target

5d91a29ea526e4630883fd17a5e43f9b.exe
Size

31KB
MD5

5d91a29ea526e4630883fd17a5e43f9b
SHA1

6615060efc5b5d439a6ac0246d9668c797e98692
SHA256

a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f
SHA512

329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 5 IoCs

Processes:

resource	yara_rule
\24903353523906\svchost.exe	family_phorphiex
C:\24903353523906\svchost.exe	family_phorphiex
C:\24903353523906\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\2717138293.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2717138293.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

svchost.exe2717138293.exe1801226722.exe

pid process

1848 svchost.exe
1516 2717138293.exe
2040 1801226722.exe
Loads dropped DLL 3 IoCs

Processes:

5d91a29ea526e4630883fd17a5e43f9b.exesvchost.exe

pid process

2028 5d91a29ea526e4630883fd17a5e43f9b.exe
1848 svchost.exe
1848 svchost.exe

pid	process
1848	svchost.exe
1516	2717138293.exe
2040	1801226722.exe

pid	process
2028	5d91a29ea526e4630883fd17a5e43f9b.exe
1848	svchost.exe
1848	svchost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5d91a29ea526e4630883fd17a5e43f9b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\24903353523906\\svchost.exe"	5d91a29ea526e4630883fd17a5e43f9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\24903353523906\\svchost.exe"	5d91a29ea526e4630883fd17a5e43f9b.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 icanhazip.com

flow	ioc
22	icanhazip.com

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5d91a29ea526e4630883fd17a5e43f9b.exesvchost.exe

description	pid	process	target process
PID 2028 wrote to memory of 1848	2028	5d91a29ea526e4630883fd17a5e43f9b.exe	svchost.exe
PID 2028 wrote to memory of 1848	2028	5d91a29ea526e4630883fd17a5e43f9b.exe	svchost.exe
PID 2028 wrote to memory of 1848	2028	5d91a29ea526e4630883fd17a5e43f9b.exe	svchost.exe
PID 2028 wrote to memory of 1848	2028	5d91a29ea526e4630883fd17a5e43f9b.exe	svchost.exe
PID 1848 wrote to memory of 1516	1848	svchost.exe	2717138293.exe
PID 1848 wrote to memory of 1516	1848	svchost.exe	2717138293.exe
PID 1848 wrote to memory of 1516	1848	svchost.exe	2717138293.exe
PID 1848 wrote to memory of 1516	1848	svchost.exe	2717138293.exe
PID 1848 wrote to memory of 2040	1848	svchost.exe	1801226722.exe
PID 1848 wrote to memory of 2040	1848	svchost.exe	1801226722.exe
PID 1848 wrote to memory of 2040	1848	svchost.exe	1801226722.exe
PID 1848 wrote to memory of 2040	1848	svchost.exe	1801226722.exe

C:\Users\Admin\AppData\Local\Temp\5d91a29ea526e4630883fd17a5e43f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5d91a29ea526e4630883fd17a5e43f9b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\24903353523906\svchost.exe
C:\24903353523906\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\2717138293.exe
C:\Users\Admin\AppData\Local\Temp\2717138293.exe
3⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Temp\1801226722.exe
C:\Users\Admin\AppData\Local\Temp\1801226722.exe
3⤵
- Executes dropped EXE
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\24903353523906\svchost.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\24903353523906\svchost.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1801226722.exe
MD5
7f371679986c29befdf61c85c1262008

SHA1
f1b6a970675cd61dccee2f460685ea0922b55a3c

SHA256
2a3e09782d93ed6198e184ced21083b9c233f61a8c79aaa8cc9c383daefec581

SHA512
f9f998f4b7af9b425d5d00805c0bc7495b52b198d355ff2eb4654ca4920a9b048fdaa74c11cc13db4b87ed1bee933d0dc4a272edc0f254777867934979af92f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2717138293.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
\24903353523906\svchost.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
\Users\Admin\AppData\Local\Temp\1801226722.exe
MD5
7f371679986c29befdf61c85c1262008

SHA1
f1b6a970675cd61dccee2f460685ea0922b55a3c

SHA256
2a3e09782d93ed6198e184ced21083b9c233f61a8c79aaa8cc9c383daefec581

SHA512
f9f998f4b7af9b425d5d00805c0bc7495b52b198d355ff2eb4654ca4920a9b048fdaa74c11cc13db4b87ed1bee933d0dc4a272edc0f254777867934979af92f2

Download Submit
\Users\Admin\AppData\Local\Temp\2717138293.exe
MD5
5d91a29ea526e4630883fd17a5e43f9b

SHA1
6615060efc5b5d439a6ac0246d9668c797e98692

SHA256
a86bc10b92d0cdefbbcb2e58ea78b165ff8983599356ceb81311f92c759bf36f

SHA512
329bd44f37812a54b468fdb06665aa93bf434aa4f5f1c6dbb68c1f86a5e3bd900929387407edbd6ed6ba6c148fff0136113be4fa11fb08431dedd6be817ac7c1

Download Submit
memory/1516-6-0x0000000000000000-mapping.dmp

Download
memory/1848-2-0x0000000000000000-mapping.dmp

Download
memory/2004-0-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/2040-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads