phorphiex | 53cae19aa470b038966c47f8e7361fde1da99f4f54ea97ab3fb7198506ecbc3d

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7cf7d0b57ec48df2c660cbaaa2f921a.exe
Size

1.3MB
MD5

c7cf7d0b57ec48df2c660cbaaa2f921a
SHA1

d0d508fdc7ae75868db9e7f1693982d066723a87
SHA256

53cae19aa470b038966c47f8e7361fde1da99f4f54ea97ab3fb7198506ecbc3d
SHA512

2d69e9e72f16ccea4e9353b50890f29ba9a870fda63e7650a98048caf8ae77ceb26cd939fd9a25806d43ee20f6ed55e175d3c3822337dc1be4aa807994306d71

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\82E1.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\82E1.exe	family_phorphiex
C:\111451198912179\svchost.exe	family_phorphiex
C:\111451198912179\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3146837468.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3146837468.exe	family_phorphiex
C:\2169476693253\svchost.exe	family_phorphiex
C:\2169476693253\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2746511107.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2746511107.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 7 IoCs

Processes:

82E1.exesvchost.exe3146837468.exe2406415636.exesvchost.exe2746511107.exe2728537196.exe

pid process

1672 82E1.exe
2040 svchost.exe
784 3146837468.exe
2132 2406415636.exe
3732 svchost.exe
2248 2746511107.exe
3540 2728537196.exe

pid	process
1672	82E1.exe
2040	svchost.exe
784	3146837468.exe
2132	2406415636.exe
3732	svchost.exe
2248	2746511107.exe
3540	2728537196.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82E1.exe3146837468.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\111451198912179\\svchost.exe"	82E1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2169476693253\\svchost.exe"	3146837468.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2169476693253\\svchost.exe"	3146837468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\111451198912179\\svchost.exe"	82E1.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c7cf7d0b57ec48df2c660cbaaa2f921a.exe82E1.exesvchost.exe3146837468.exesvchost.exe

description	pid	process	target process
PID 636 wrote to memory of 1672	636	c7cf7d0b57ec48df2c660cbaaa2f921a.exe	82E1.exe
PID 636 wrote to memory of 1672	636	c7cf7d0b57ec48df2c660cbaaa2f921a.exe	82E1.exe
PID 636 wrote to memory of 1672	636	c7cf7d0b57ec48df2c660cbaaa2f921a.exe	82E1.exe
PID 1672 wrote to memory of 2040	1672	82E1.exe	svchost.exe
PID 1672 wrote to memory of 2040	1672	82E1.exe	svchost.exe
PID 1672 wrote to memory of 2040	1672	82E1.exe	svchost.exe
PID 2040 wrote to memory of 784	2040	svchost.exe	3146837468.exe
PID 2040 wrote to memory of 784	2040	svchost.exe	3146837468.exe
PID 2040 wrote to memory of 784	2040	svchost.exe	3146837468.exe
PID 2040 wrote to memory of 2132	2040	svchost.exe	2406415636.exe
PID 2040 wrote to memory of 2132	2040	svchost.exe	2406415636.exe
PID 2040 wrote to memory of 2132	2040	svchost.exe	2406415636.exe
PID 784 wrote to memory of 3732	784	3146837468.exe	svchost.exe
PID 784 wrote to memory of 3732	784	3146837468.exe	svchost.exe
PID 784 wrote to memory of 3732	784	3146837468.exe	svchost.exe
PID 3732 wrote to memory of 2248	3732	svchost.exe	2746511107.exe
PID 3732 wrote to memory of 2248	3732	svchost.exe	2746511107.exe
PID 3732 wrote to memory of 2248	3732	svchost.exe	2746511107.exe
PID 3732 wrote to memory of 3540	3732	svchost.exe	2728537196.exe
PID 3732 wrote to memory of 3540	3732	svchost.exe	2728537196.exe
PID 3732 wrote to memory of 3540	3732	svchost.exe	2728537196.exe

C:\Users\Admin\AppData\Local\Temp\c7cf7d0b57ec48df2c660cbaaa2f921a.exe
"C:\Users\Admin\AppData\Local\Temp\c7cf7d0b57ec48df2c660cbaaa2f921a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\82E1.exe
"C:\Users\Admin\AppData\Local\Temp\82E1.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672

C:\111451198912179\svchost.exe
C:\111451198912179\svchost.exe
3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\3146837468.exe
C:\Users\Admin\AppData\Local\Temp\3146837468.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784

C:\2169476693253\svchost.exe
C:\2169476693253\svchost.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\2746511107.exe
C:\Users\Admin\AppData\Local\Temp\2746511107.exe
6⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\2728537196.exe
C:\Users\Admin\AppData\Local\Temp\2728537196.exe
6⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\Temp\2406415636.exe
C:\Users\Admin\AppData\Local\Temp\2406415636.exe
4⤵
- Executes dropped EXE
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\111451198912179\svchost.exe
MD5
6b34c7a8ba353c6f2d54f3226da2f4b8

SHA1
78dbc792083d1cc09ecc9868f2b66b505cabeec1

SHA256
9ede66863b43a80a99cb77abbaf1a35283d0e9e420b64cc669a5201e975ccc76

SHA512
3c81e1193b04a7fec98b0872d4b13f7a9ae6c93fec17411b2bc4b4e8eb20ea0e415c901e8f0e7f2f9ea6ac017e1201e8100943faa714beedb508fc3d4f7d0096

Download Submit
C:\111451198912179\svchost.exe
MD5
6b34c7a8ba353c6f2d54f3226da2f4b8

SHA1
78dbc792083d1cc09ecc9868f2b66b505cabeec1

SHA256
9ede66863b43a80a99cb77abbaf1a35283d0e9e420b64cc669a5201e975ccc76

SHA512
3c81e1193b04a7fec98b0872d4b13f7a9ae6c93fec17411b2bc4b4e8eb20ea0e415c901e8f0e7f2f9ea6ac017e1201e8100943faa714beedb508fc3d4f7d0096

Download Submit
C:\2169476693253\svchost.exe
MD5
0d37420a6c390be8ec764780990afba7

SHA1
7f2ebc00c796267b525c36e899af20e8f64d4ff7

SHA256
56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33

SHA512
31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415

Download Submit
C:\2169476693253\svchost.exe
MD5
0d37420a6c390be8ec764780990afba7

SHA1
7f2ebc00c796267b525c36e899af20e8f64d4ff7

SHA256
56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33

SHA512
31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\1[1]
MD5
88cf10f2f7f1b1dd7082049fc3797f30

SHA1
5fa48dab10bb627219825e9bb4eb9457b1b3cc3f

SHA256
33cfe7bd6f7f77590fb64ebb4bc02a617c431cbdda6547b4a68bd86043cce8db

SHA512
4bb1574a53b32aba04917c3d1c3fc4c58133bcb4a07f0bea0541221f15b51aed71d66ff4816f60c649c09e6ca6e7cdcafadbaf933bca4cce2bee7f387e7cb095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\3[1]
MD5
8f895fe6ebcb1a320c067cdbea383108

SHA1
3fdc140809a3fa47194d9b11646eb0cf6f836465

SHA256
3c73f1483559394143c22887939fcfd0aa231b46125d1e8fba95efed82749a92

SHA512
4c91325f63e54ef665c45243218df10152a21ea81b631eb1de531a111bbbec540f0c3a2595cb4675408485a2f85f9ecebcdd119115b0288330e7f1d944449704

Download Submit
C:\Users\Admin\AppData\Local\Temp\2406415636.exe
MD5
aed34d307811e262601d4fa29587990d

SHA1
36466f4f73cbaeb03e496cafb62bad8c83bb5d73

SHA256
b6998869086a3dee1bafe69efdfa1050aec370cc5eceb47e7e48317fffe73e05

SHA512
b2f2e5ffb85d6840ba2df6168c5c974c0ce00cc4a82a843528ecd9f12e4ee5d8f08cdcc38e3f57104559b87a72b4d2db883f0b7db222a284ec216cdd0623bd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2406415636.exe
MD5
aed34d307811e262601d4fa29587990d

SHA1
36466f4f73cbaeb03e496cafb62bad8c83bb5d73

SHA256
b6998869086a3dee1bafe69efdfa1050aec370cc5eceb47e7e48317fffe73e05

SHA512
b2f2e5ffb85d6840ba2df6168c5c974c0ce00cc4a82a843528ecd9f12e4ee5d8f08cdcc38e3f57104559b87a72b4d2db883f0b7db222a284ec216cdd0623bd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2728537196.exe
MD5
aed34d307811e262601d4fa29587990d

SHA1
36466f4f73cbaeb03e496cafb62bad8c83bb5d73

SHA256
b6998869086a3dee1bafe69efdfa1050aec370cc5eceb47e7e48317fffe73e05

SHA512
b2f2e5ffb85d6840ba2df6168c5c974c0ce00cc4a82a843528ecd9f12e4ee5d8f08cdcc38e3f57104559b87a72b4d2db883f0b7db222a284ec216cdd0623bd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2728537196.exe
MD5
aed34d307811e262601d4fa29587990d

SHA1
36466f4f73cbaeb03e496cafb62bad8c83bb5d73

SHA256
b6998869086a3dee1bafe69efdfa1050aec370cc5eceb47e7e48317fffe73e05

SHA512
b2f2e5ffb85d6840ba2df6168c5c974c0ce00cc4a82a843528ecd9f12e4ee5d8f08cdcc38e3f57104559b87a72b4d2db883f0b7db222a284ec216cdd0623bd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2746511107.exe
MD5
0d37420a6c390be8ec764780990afba7

SHA1
7f2ebc00c796267b525c36e899af20e8f64d4ff7

SHA256
56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33

SHA512
31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415

Download Submit
C:\Users\Admin\AppData\Local\Temp\2746511107.exe
MD5
0d37420a6c390be8ec764780990afba7

SHA1
7f2ebc00c796267b525c36e899af20e8f64d4ff7

SHA256
56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33

SHA512
31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415

Download Submit
C:\Users\Admin\AppData\Local\Temp\3146837468.exe
MD5
0d37420a6c390be8ec764780990afba7

SHA1
7f2ebc00c796267b525c36e899af20e8f64d4ff7

SHA256
56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33

SHA512
31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415

Download Submit
C:\Users\Admin\AppData\Local\Temp\3146837468.exe
MD5
0d37420a6c390be8ec764780990afba7

SHA1
7f2ebc00c796267b525c36e899af20e8f64d4ff7

SHA256
56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33

SHA512
31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415

Download Submit
C:\Users\Admin\AppData\Local\Temp\82E1.exe
MD5
6b34c7a8ba353c6f2d54f3226da2f4b8

SHA1
78dbc792083d1cc09ecc9868f2b66b505cabeec1

SHA256
9ede66863b43a80a99cb77abbaf1a35283d0e9e420b64cc669a5201e975ccc76

SHA512
3c81e1193b04a7fec98b0872d4b13f7a9ae6c93fec17411b2bc4b4e8eb20ea0e415c901e8f0e7f2f9ea6ac017e1201e8100943faa714beedb508fc3d4f7d0096

Download Submit
C:\Users\Admin\AppData\Local\Temp\82E1.exe
MD5
6b34c7a8ba353c6f2d54f3226da2f4b8

SHA1
78dbc792083d1cc09ecc9868f2b66b505cabeec1

SHA256
9ede66863b43a80a99cb77abbaf1a35283d0e9e420b64cc669a5201e975ccc76

SHA512
3c81e1193b04a7fec98b0872d4b13f7a9ae6c93fec17411b2bc4b4e8eb20ea0e415c901e8f0e7f2f9ea6ac017e1201e8100943faa714beedb508fc3d4f7d0096

Download Submit
memory/784-8-0x0000000000000000-mapping.dmp

Download
memory/1672-2-0x0000000000000000-mapping.dmp

Download
memory/2040-5-0x0000000000000000-mapping.dmp

Download
memory/2132-11-0x0000000000000000-mapping.dmp

Download
memory/2248-17-0x0000000000000000-mapping.dmp

Download
memory/3540-20-0x0000000000000000-mapping.dmp

Download
memory/3732-14-0x0000000000000000-mapping.dmp

Download