phorphiex | 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
19-11-2020 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10941585e933119c70b14961e91acc82.exe
Size

31KB
MD5

10941585e933119c70b14961e91acc82
SHA1

e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256

38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512

8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Score

10^/10

phorphiex evasion loader persistence spyware trojan worm

Malware Config

Signatures

Phorphiex Payload 5 IoCs

Processes:

resource	yara_rule
\1326261419625\svchost.exe	family_phorphiex
C:\1326261419625\svchost.exe	family_phorphiex
C:\1326261419625\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\1540428975.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1540428975.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

svchost.exe1540428975.exe1252817773.exe2908718115.exe3640435775.exe

pid process

1136 svchost.exe
852 1540428975.exe
1312 1252817773.exe
1384 2908718115.exe
240 3640435775.exe
Loads dropped DLL 5 IoCs

Processes:

10941585e933119c70b14961e91acc82.exesvchost.exe

pid process

2028 10941585e933119c70b14961e91acc82.exe
1136 svchost.exe
1136 svchost.exe
1136 svchost.exe
1136 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1136	svchost.exe
852	1540428975.exe
1312	1252817773.exe
1384	2908718115.exe
240	3640435775.exe

pid	process
2028	10941585e933119c70b14961e91acc82.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

10941585e933119c70b14961e91acc82.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe"	10941585e933119c70b14961e91acc82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe"	10941585e933119c70b14961e91acc82.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 icanhazip.com

flow	ioc
23	icanhazip.com

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

10941585e933119c70b14961e91acc82.exesvchost.exe

description	pid	process	target process
PID 2028 wrote to memory of 1136	2028	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 2028 wrote to memory of 1136	2028	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 2028 wrote to memory of 1136	2028	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 2028 wrote to memory of 1136	2028	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 1136 wrote to memory of 852	1136	svchost.exe	1540428975.exe
PID 1136 wrote to memory of 852	1136	svchost.exe	1540428975.exe
PID 1136 wrote to memory of 852	1136	svchost.exe	1540428975.exe
PID 1136 wrote to memory of 852	1136	svchost.exe	1540428975.exe
PID 1136 wrote to memory of 1312	1136	svchost.exe	1252817773.exe
PID 1136 wrote to memory of 1312	1136	svchost.exe	1252817773.exe
PID 1136 wrote to memory of 1312	1136	svchost.exe	1252817773.exe
PID 1136 wrote to memory of 1312	1136	svchost.exe	1252817773.exe
PID 1136 wrote to memory of 1384	1136	svchost.exe	2908718115.exe
PID 1136 wrote to memory of 1384	1136	svchost.exe	2908718115.exe
PID 1136 wrote to memory of 1384	1136	svchost.exe	2908718115.exe
PID 1136 wrote to memory of 1384	1136	svchost.exe	2908718115.exe
PID 1136 wrote to memory of 240	1136	svchost.exe	3640435775.exe
PID 1136 wrote to memory of 240	1136	svchost.exe	3640435775.exe
PID 1136 wrote to memory of 240	1136	svchost.exe	3640435775.exe
PID 1136 wrote to memory of 240	1136	svchost.exe	3640435775.exe

C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe
"C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\1326261419625\svchost.exe
C:\1326261419625\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\1540428975.exe
C:\Users\Admin\AppData\Local\Temp\1540428975.exe
3⤵
- Executes dropped EXE
PID:852

C:\Users\Admin\AppData\Local\Temp\1252817773.exe
C:\Users\Admin\AppData\Local\Temp\1252817773.exe
3⤵
- Executes dropped EXE
PID:1312

C:\Users\Admin\AppData\Local\Temp\2908718115.exe
C:\Users\Admin\AppData\Local\Temp\2908718115.exe
3⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\3640435775.exe
C:\Users\Admin\AppData\Local\Temp\3640435775.exe
3⤵
- Executes dropped EXE
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1326261419625\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\1326261419625\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\1252817773.exe
MD5
4a61038c4d176da1c3c522b57be2fe55

SHA1
3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90

SHA256
9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2

SHA512
76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\1540428975.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\2908718115.exe
MD5
7f371679986c29befdf61c85c1262008

SHA1
f1b6a970675cd61dccee2f460685ea0922b55a3c

SHA256
2a3e09782d93ed6198e184ced21083b9c233f61a8c79aaa8cc9c383daefec581

SHA512
f9f998f4b7af9b425d5d00805c0bc7495b52b198d355ff2eb4654ca4920a9b048fdaa74c11cc13db4b87ed1bee933d0dc4a272edc0f254777867934979af92f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3640435775.exe
MD5
f6e97a60aeb12d0cda2e80d9a2f81186

SHA1
9231abff318430e87b375ad12d2b4056ee8dfe50

SHA256
b40b1b80b7c3b81abe8cfcc94021201243649451ec8ab97f882e365e35aa79ec

SHA512
ab0bdf9fcee7bfd30d573b41d399c8712a4ee79e821779407d7c4d47dae9f33f0f7b3bd0861902607073f8dbd221f3b5bd01f26dc96326e9c11a766862f246c1

Download Submit
\1326261419625\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
\Users\Admin\AppData\Local\Temp\1252817773.exe
MD5
4a61038c4d176da1c3c522b57be2fe55

SHA1
3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90

SHA256
9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2

SHA512
76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31

Download Submit
\Users\Admin\AppData\Local\Temp\1540428975.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
\Users\Admin\AppData\Local\Temp\2908718115.exe
MD5
7f371679986c29befdf61c85c1262008

SHA1
f1b6a970675cd61dccee2f460685ea0922b55a3c

SHA256
2a3e09782d93ed6198e184ced21083b9c233f61a8c79aaa8cc9c383daefec581

SHA512
f9f998f4b7af9b425d5d00805c0bc7495b52b198d355ff2eb4654ca4920a9b048fdaa74c11cc13db4b87ed1bee933d0dc4a272edc0f254777867934979af92f2

Download Submit
\Users\Admin\AppData\Local\Temp\3640435775.exe
MD5
f6e97a60aeb12d0cda2e80d9a2f81186

SHA1
9231abff318430e87b375ad12d2b4056ee8dfe50

SHA256
b40b1b80b7c3b81abe8cfcc94021201243649451ec8ab97f882e365e35aa79ec

SHA512
ab0bdf9fcee7bfd30d573b41d399c8712a4ee79e821779407d7c4d47dae9f33f0f7b3bd0861902607073f8dbd221f3b5bd01f26dc96326e9c11a766862f246c1

Download Submit
memory/240-15-0x0000000000000000-mapping.dmp

Download
memory/852-6-0x0000000000000000-mapping.dmp

Download
memory/1096-0-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/1136-2-0x0000000000000000-mapping.dmp

Download
memory/1312-9-0x0000000000000000-mapping.dmp

Download
memory/1384-12-0x0000000000000000-mapping.dmp

Download