phorphiex | 01b3da80517886f0b91023294da6be87ec44dd87eadc39b9141950fc54f96783

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
28-11-2020 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdc0968a6b40243c3b54fe554fa7567b.exe
Size

67KB
MD5

bdc0968a6b40243c3b54fe554fa7567b
SHA1

49d48d747cfbe8310161600d2ae8c7a01f7c74cd
SHA256

01b3da80517886f0b91023294da6be87ec44dd87eadc39b9141950fc54f96783
SHA512

5d715b1334d816a06ab694aa7810e3b1fe56d729a387b2a95dfef6d17cdbf11a1e674d98784681e0d3b4fe752721b02c0d9826f74881027fcfd923cf0574871c

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\F2D.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\F2D.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\F2D.exe	family_phorphiex
\93902715619932\svchost.exe	family_phorphiex
C:\93902715619932\svchost.exe	family_phorphiex
C:\93902715619932\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3929931926.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3929931926.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3929931926.exe	family_phorphiex
\2054723263257\svchost.exe	family_phorphiex
C:\2054723263257\svchost.exe	family_phorphiex
C:\2054723263257\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3284912040.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3284912040.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 7 IoCs

Processes:

F2D.exesvchost.exe3929931926.exe1832623972.exesvchost.exe3284912040.exe1983638296.exe

pid process

764 F2D.exe
1332 svchost.exe
1904 3929931926.exe
848 1832623972.exe
884 svchost.exe
1640 3284912040.exe
752 1983638296.exe
Loads dropped DLL 7 IoCs

Processes:

bdc0968a6b40243c3b54fe554fa7567b.exeF2D.exesvchost.exe3929931926.exesvchost.exe

pid process

784 bdc0968a6b40243c3b54fe554fa7567b.exe
764 F2D.exe
1332 svchost.exe
1332 svchost.exe
1904 3929931926.exe
884 svchost.exe
884 svchost.exe

pid	process
764	F2D.exe
1332	svchost.exe
1904	3929931926.exe
848	1832623972.exe
884	svchost.exe
1640	3284912040.exe
752	1983638296.exe

pid	process
784	bdc0968a6b40243c3b54fe554fa7567b.exe
764	F2D.exe
1332	svchost.exe
1332	svchost.exe
1904	3929931926.exe
884	svchost.exe
884	svchost.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

F2D.exe3929931926.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\93902715619932\\svchost.exe"	F2D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\93902715619932\\svchost.exe"	F2D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2054723263257\\svchost.exe"	3929931926.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2054723263257\\svchost.exe"	3929931926.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

bdc0968a6b40243c3b54fe554fa7567b.exeF2D.exesvchost.exe3929931926.exesvchost.exe

description	pid	process	target process
PID 784 wrote to memory of 764	784	bdc0968a6b40243c3b54fe554fa7567b.exe	F2D.exe
PID 784 wrote to memory of 764	784	bdc0968a6b40243c3b54fe554fa7567b.exe	F2D.exe
PID 784 wrote to memory of 764	784	bdc0968a6b40243c3b54fe554fa7567b.exe	F2D.exe
PID 784 wrote to memory of 764	784	bdc0968a6b40243c3b54fe554fa7567b.exe	F2D.exe
PID 764 wrote to memory of 1332	764	F2D.exe	svchost.exe
PID 764 wrote to memory of 1332	764	F2D.exe	svchost.exe
PID 764 wrote to memory of 1332	764	F2D.exe	svchost.exe
PID 764 wrote to memory of 1332	764	F2D.exe	svchost.exe
PID 1332 wrote to memory of 1904	1332	svchost.exe	3929931926.exe
PID 1332 wrote to memory of 1904	1332	svchost.exe	3929931926.exe
PID 1332 wrote to memory of 1904	1332	svchost.exe	3929931926.exe
PID 1332 wrote to memory of 1904	1332	svchost.exe	3929931926.exe
PID 1332 wrote to memory of 848	1332	svchost.exe	1832623972.exe
PID 1332 wrote to memory of 848	1332	svchost.exe	1832623972.exe
PID 1332 wrote to memory of 848	1332	svchost.exe	1832623972.exe
PID 1332 wrote to memory of 848	1332	svchost.exe	1832623972.exe
PID 1904 wrote to memory of 884	1904	3929931926.exe	svchost.exe
PID 1904 wrote to memory of 884	1904	3929931926.exe	svchost.exe
PID 1904 wrote to memory of 884	1904	3929931926.exe	svchost.exe
PID 1904 wrote to memory of 884	1904	3929931926.exe	svchost.exe
PID 884 wrote to memory of 1640	884	svchost.exe	3284912040.exe
PID 884 wrote to memory of 1640	884	svchost.exe	3284912040.exe
PID 884 wrote to memory of 1640	884	svchost.exe	3284912040.exe
PID 884 wrote to memory of 1640	884	svchost.exe	3284912040.exe
PID 884 wrote to memory of 752	884	svchost.exe	1983638296.exe
PID 884 wrote to memory of 752	884	svchost.exe	1983638296.exe
PID 884 wrote to memory of 752	884	svchost.exe	1983638296.exe
PID 884 wrote to memory of 752	884	svchost.exe	1983638296.exe

C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe
"C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\F2D.exe
"C:\Users\Admin\AppData\Local\Temp\F2D.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764

C:\93902715619932\svchost.exe
C:\93902715619932\svchost.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\3929931926.exe
C:\Users\Admin\AppData\Local\Temp\3929931926.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1904

C:\2054723263257\svchost.exe
C:\2054723263257\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\3284912040.exe
C:\Users\Admin\AppData\Local\Temp\3284912040.exe
6⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Local\Temp\1983638296.exe
C:\Users\Admin\AppData\Local\Temp\1983638296.exe
6⤵
- Executes dropped EXE
PID:752

C:\Users\Admin\AppData\Local\Temp\1832623972.exe
C:\Users\Admin\AppData\Local\Temp\1832623972.exe
4⤵
- Executes dropped EXE
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2054723263257\svchost.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\2054723263257\svchost.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\93902715619932\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\93902715619932\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5T8OP4KT\1[1]
MD5
2275ed13db4f19a4d2b3bfc66deb63d9

SHA1
0dac76d19829e5d40482e0c03c7bfa275196f8bb

SHA256
da977d81ecf967e1a7d54b59273e6140b57678d765b42169664a81ff8c146e39

SHA512
97fcb5babceb1f498976ca2409fcd03f19427dac579975c6285e2b04118f7619277c65b579436a15b2dca48537ad2465e7019fe694e9cd97e68eb4cd9d7595c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\2[1]
MD5
01b67463f2d156f8967df65d266b0544

SHA1
14862f60b8bbb2336a13697edcaa3bb55edaeb19

SHA256
65dfc887457748fd1194153c5c6e36c5414015abffd23cc961bf086714c6b0c1

SHA512
98c4e1a26074ab6fd146cebf2f3fff139bf39b9862c734db168e8be10f4fcf1f17a5b7b59db26d62ea8d7ff8e7b6086ece3e9a602295dca7543fba2d09b6a52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1832623972.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1983638296.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3284912040.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\3929931926.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\3929931926.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2D.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2D.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
\2054723263257\svchost.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
\93902715619932\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
\Users\Admin\AppData\Local\Temp\1832623972.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
\Users\Admin\AppData\Local\Temp\1983638296.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
\Users\Admin\AppData\Local\Temp\3284912040.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
\Users\Admin\AppData\Local\Temp\3929931926.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
\Users\Admin\AppData\Local\Temp\F2D.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
memory/752-28-0x0000000000000000-mapping.dmp

Download
memory/764-4-0x0000000000000000-mapping.dmp

Download
memory/848-15-0x0000000000000000-mapping.dmp

Download
memory/884-19-0x0000000000000000-mapping.dmp

Download
memory/1332-8-0x0000000000000000-mapping.dmp

Download
memory/1640-24-0x0000000000000000-mapping.dmp

Download
memory/1904-12-0x0000000000000000-mapping.dmp

Download
memory/1984-2-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp

Filesize
2.5MB

Download