phorphiex | fe3428c2f1613c72ef1612b6876239ec8cc058628e8240664315359802215af1

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
29-11-2020 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

465c8cac1040a56b514c0998b998550a.exe
Size

417KB
MD5

465c8cac1040a56b514c0998b998550a
SHA1

41c27cfc57fb605d62accbb184875f57e49cc235
SHA256

fe3428c2f1613c72ef1612b6876239ec8cc058628e8240664315359802215af1
SHA512

5d948a544aea4eb4fc87e2ee248f4b0e67047bc4c5837f3bdcc46a5e7f7efb7d8afde5e9ba0b1571d12dc6f9283a39f11b3320c748e2a769cf4c0a6b268f2498

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\2B54.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2B54.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2B54.exe	family_phorphiex
\4674217239782\svchost.exe	family_phorphiex
C:\4674217239782\svchost.exe	family_phorphiex
C:\4674217239782\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\1193721419.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1193721419.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1193721419.exe	family_phorphiex
\220592644020915\svchost.exe	family_phorphiex
C:\220592644020915\svchost.exe	family_phorphiex
C:\220592644020915\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\1576829447.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1576829447.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 7 IoCs

Processes:

2B54.exesvchost.exe1193721419.exe2132838141.exesvchost.exe1576829447.exe1457310523.exe

pid process

268 2B54.exe
928 svchost.exe
1596 1193721419.exe
1536 2132838141.exe
1632 svchost.exe
1604 1576829447.exe
1320 1457310523.exe
Loads dropped DLL 7 IoCs

Processes:

465c8cac1040a56b514c0998b998550a.exe2B54.exesvchost.exe1193721419.exesvchost.exe

pid process

1696 465c8cac1040a56b514c0998b998550a.exe
268 2B54.exe
928 svchost.exe
928 svchost.exe
1596 1193721419.exe
1632 svchost.exe
1632 svchost.exe

pid	process
268	2B54.exe
928	svchost.exe
1596	1193721419.exe
1536	2132838141.exe
1632	svchost.exe
1604	1576829447.exe
1320	1457310523.exe

pid	process
1696	465c8cac1040a56b514c0998b998550a.exe
268	2B54.exe
928	svchost.exe
928	svchost.exe
1596	1193721419.exe
1632	svchost.exe
1632	svchost.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2B54.exe1193721419.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\4674217239782\\svchost.exe"	2B54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\4674217239782\\svchost.exe"	2B54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\220592644020915\\svchost.exe"	1193721419.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\220592644020915\\svchost.exe"	1193721419.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

465c8cac1040a56b514c0998b998550a.exe

pid process

1696 465c8cac1040a56b514c0998b998550a.exe

pid	process
1696	465c8cac1040a56b514c0998b998550a.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

465c8cac1040a56b514c0998b998550a.exe2B54.exesvchost.exe1193721419.exesvchost.exe

description	pid	process	target process
PID 1696 wrote to memory of 268	1696	465c8cac1040a56b514c0998b998550a.exe	2B54.exe
PID 1696 wrote to memory of 268	1696	465c8cac1040a56b514c0998b998550a.exe	2B54.exe
PID 1696 wrote to memory of 268	1696	465c8cac1040a56b514c0998b998550a.exe	2B54.exe
PID 1696 wrote to memory of 268	1696	465c8cac1040a56b514c0998b998550a.exe	2B54.exe
PID 268 wrote to memory of 928	268	2B54.exe	svchost.exe
PID 268 wrote to memory of 928	268	2B54.exe	svchost.exe
PID 268 wrote to memory of 928	268	2B54.exe	svchost.exe
PID 268 wrote to memory of 928	268	2B54.exe	svchost.exe
PID 928 wrote to memory of 1596	928	svchost.exe	1193721419.exe
PID 928 wrote to memory of 1596	928	svchost.exe	1193721419.exe
PID 928 wrote to memory of 1596	928	svchost.exe	1193721419.exe
PID 928 wrote to memory of 1596	928	svchost.exe	1193721419.exe
PID 928 wrote to memory of 1536	928	svchost.exe	2132838141.exe
PID 928 wrote to memory of 1536	928	svchost.exe	2132838141.exe
PID 928 wrote to memory of 1536	928	svchost.exe	2132838141.exe
PID 928 wrote to memory of 1536	928	svchost.exe	2132838141.exe
PID 1596 wrote to memory of 1632	1596	1193721419.exe	svchost.exe
PID 1596 wrote to memory of 1632	1596	1193721419.exe	svchost.exe
PID 1596 wrote to memory of 1632	1596	1193721419.exe	svchost.exe
PID 1596 wrote to memory of 1632	1596	1193721419.exe	svchost.exe
PID 1632 wrote to memory of 1604	1632	svchost.exe	1576829447.exe
PID 1632 wrote to memory of 1604	1632	svchost.exe	1576829447.exe
PID 1632 wrote to memory of 1604	1632	svchost.exe	1576829447.exe
PID 1632 wrote to memory of 1604	1632	svchost.exe	1576829447.exe
PID 1632 wrote to memory of 1320	1632	svchost.exe	1457310523.exe
PID 1632 wrote to memory of 1320	1632	svchost.exe	1457310523.exe
PID 1632 wrote to memory of 1320	1632	svchost.exe	1457310523.exe
PID 1632 wrote to memory of 1320	1632	svchost.exe	1457310523.exe

C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe
"C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\2B54.exe
"C:\Users\Admin\AppData\Local\Temp\2B54.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:268

C:\4674217239782\svchost.exe
C:\4674217239782\svchost.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\1193721419.exe
C:\Users\Admin\AppData\Local\Temp\1193721419.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596

C:\220592644020915\svchost.exe
C:\220592644020915\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\1576829447.exe
C:\Users\Admin\AppData\Local\Temp\1576829447.exe
6⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\1457310523.exe
C:\Users\Admin\AppData\Local\Temp\1457310523.exe
6⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Local\Temp\2132838141.exe
C:\Users\Admin\AppData\Local\Temp\2132838141.exe
4⤵
- Executes dropped EXE
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\220592644020915\svchost.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\220592644020915\svchost.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\4674217239782\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\4674217239782\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5T8OP4KT\1[1]
MD5
2275ed13db4f19a4d2b3bfc66deb63d9

SHA1
0dac76d19829e5d40482e0c03c7bfa275196f8bb

SHA256
da977d81ecf967e1a7d54b59273e6140b57678d765b42169664a81ff8c146e39

SHA512
97fcb5babceb1f498976ca2409fcd03f19427dac579975c6285e2b04118f7619277c65b579436a15b2dca48537ad2465e7019fe694e9cd97e68eb4cd9d7595c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\2[1]
MD5
01b67463f2d156f8967df65d266b0544

SHA1
14862f60b8bbb2336a13697edcaa3bb55edaeb19

SHA256
65dfc887457748fd1194153c5c6e36c5414015abffd23cc961bf086714c6b0c1

SHA512
98c4e1a26074ab6fd146cebf2f3fff139bf39b9862c734db168e8be10f4fcf1f17a5b7b59db26d62ea8d7ff8e7b6086ece3e9a602295dca7543fba2d09b6a52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1193721419.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\1193721419.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\1457310523.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1576829447.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\2132838141.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B54.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B54.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
\220592644020915\svchost.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
\4674217239782\svchost.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
\Users\Admin\AppData\Local\Temp\1193721419.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
\Users\Admin\AppData\Local\Temp\1457310523.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
\Users\Admin\AppData\Local\Temp\1576829447.exe
MD5
2b7a233816d3ea9be1b14bc2ae52ebb8

SHA1
c84ade76f07945c510f52739797484db02393a11

SHA256
311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47

SHA512
d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037

Download Submit
\Users\Admin\AppData\Local\Temp\2132838141.exe
MD5
c692e385134135211b73973cf6c35acb

SHA1
03accccdf6abf730f1af8ccf136ab36ec5ad02ad

SHA256
e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea

SHA512
179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6

Download Submit
\Users\Admin\AppData\Local\Temp\2B54.exe
MD5
10941585e933119c70b14961e91acc82

SHA1
e629db65702a4d84c9313c2918f5851bdb14b49e

SHA256
38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

SHA512
8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

Download Submit
memory/268-4-0x0000000000000000-mapping.dmp

Download
memory/928-8-0x0000000000000000-mapping.dmp

Download
memory/1320-28-0x0000000000000000-mapping.dmp

Download
memory/1536-15-0x0000000000000000-mapping.dmp

Download
memory/1596-12-0x0000000000000000-mapping.dmp

Download
memory/1604-24-0x0000000000000000-mapping.dmp

Download
memory/1632-19-0x0000000000000000-mapping.dmp

Download
memory/2000-2-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

Filesize
2.5MB

Download