phorphiex | 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945

General

Target

24fe67e5b75b240e8bc12d76fe5b1e42.exe
Size

34KB
MD5

24fe67e5b75b240e8bc12d76fe5b1e42
SHA1

f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
SHA256

7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
SHA512

a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 3 IoCs

Processes:

resource	yara_rule
\11419251091121\svchost.exe	family_phorphiex
C:\11419251091121\svchost.exe	family_phorphiex
C:\11419251091121\svchost.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

756 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

24fe67e5b75b240e8bc12d76fe5b1e42.exe

pid process

1204 24fe67e5b75b240e8bc12d76fe5b1e42.exe

pid	process
756	svchost.exe

pid	process
1204	24fe67e5b75b240e8bc12d76fe5b1e42.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

24fe67e5b75b240e8bc12d76fe5b1e42.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe"	24fe67e5b75b240e8bc12d76fe5b1e42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe"	24fe67e5b75b240e8bc12d76fe5b1e42.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

24fe67e5b75b240e8bc12d76fe5b1e42.exe

description	pid	process	target process
PID 1204 wrote to memory of 756	1204	24fe67e5b75b240e8bc12d76fe5b1e42.exe	svchost.exe
PID 1204 wrote to memory of 756	1204	24fe67e5b75b240e8bc12d76fe5b1e42.exe	svchost.exe
PID 1204 wrote to memory of 756	1204	24fe67e5b75b240e8bc12d76fe5b1e42.exe	svchost.exe
PID 1204 wrote to memory of 756	1204	24fe67e5b75b240e8bc12d76fe5b1e42.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe
"C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204

C:\11419251091121\svchost.exe
C:\11419251091121\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\11419251091121\svchost.exe
MD5
24fe67e5b75b240e8bc12d76fe5b1e42

SHA1
f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d

SHA256
7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945

SHA512
a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

Download Submit
C:\11419251091121\svchost.exe
MD5
24fe67e5b75b240e8bc12d76fe5b1e42

SHA1
f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d

SHA256
7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945

SHA512
a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

Download Submit
\11419251091121\svchost.exe
MD5
24fe67e5b75b240e8bc12d76fe5b1e42

SHA1
f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d

SHA256
7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945

SHA512
a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

Download Submit
memory/756-4-0x0000000000000000-mapping.dmp

Download
memory/1364-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads