phorphiex | 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

General

Target

10941585e933119c70b14961e91acc82.exe
Size

31KB
MD5

10941585e933119c70b14961e91acc82
SHA1

e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256

38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512

8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Score

10^/10

phorphiex evasion loader persistence spyware trojan worm

Malware Config

Signatures

Phorphiex Payload 4 IoCs

Processes:

resource	yara_rule
C:\1893860866577\svchost.exe	family_phorphiex
C:\1893860866577\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2023616281.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2023616281.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

svchost.exe2023616281.exe1095910114.exe

pid process

4024 svchost.exe
576 2023616281.exe
996 1095910114.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4024	svchost.exe
576	2023616281.exe
996	1095910114.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

10941585e933119c70b14961e91acc82.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1893860866577\\svchost.exe"	10941585e933119c70b14961e91acc82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1893860866577\\svchost.exe"	10941585e933119c70b14961e91acc82.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

10941585e933119c70b14961e91acc82.exesvchost.exe

description	pid	process	target process
PID 4684 wrote to memory of 4024	4684	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 4684 wrote to memory of 4024	4684	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 4684 wrote to memory of 4024	4684	10941585e933119c70b14961e91acc82.exe	svchost.exe
PID 4024 wrote to memory of 576	4024	svchost.exe	2023616281.exe
PID 4024 wrote to memory of 576	4024	svchost.exe	2023616281.exe
PID 4024 wrote to memory of 576	4024	svchost.exe	2023616281.exe
PID 4024 wrote to memory of 996	4024	svchost.exe	1095910114.exe
PID 4024 wrote to memory of 996	4024	svchost.exe	1095910114.exe
PID 4024 wrote to memory of 996	4024	svchost.exe	1095910114.exe

C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe
"C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4684

C:\1893860866577\svchost.exe
C:\1893860866577\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\2023616281.exe
C:\Users\Admin\AppData\Local\Temp\2023616281.exe
3⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\1095910114.exe
C:\Users\Admin\AppData\Local\Temp\1095910114.exe
3⤵
- Executes dropped EXE
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1893860866577\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\1893860866577\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\1095910114.exe
MD5
4a61038c4d176da1c3c522b57be2fe55

SHA1
3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90

SHA256
9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2

SHA512
76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\1095910114.exe
MD5
4a61038c4d176da1c3c522b57be2fe55

SHA1
3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90

SHA256
9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2

SHA512
76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\2023616281.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\2023616281.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
memory/576-3-0x0000000000000000-mapping.dmp

Download
memory/996-6-0x0000000000000000-mapping.dmp

Download
memory/4024-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads