phorphiex | 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12

Resubmissions

03-02-2021 01:29

210203-m1z3hkw9jj 10

21-01-2021 07:07

210121-q1t8nw8wae 10

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
21-01-2021 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca11a2960b914f9e95a38cfa78aaa6e8.exe
Size

41KB
MD5

ca11a2960b914f9e95a38cfa78aaa6e8
SHA1

ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256

2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512

8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 13 IoCs

Processes:

resource	yara_rule
\292721996713704\svchost.exe	family_phorphiex
C:\292721996713704\svchost.exe	family_phorphiex
C:\292721996713704\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3819225789.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3819225789.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3819225789.exe	family_phorphiex
\65461135930764\svchost.exe	family_phorphiex
C:\65461135930764\svchost.exe	family_phorphiex
C:\65461135930764\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\2780938378.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2780938378.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3811718682.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3811718682.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

svchost.exe3819225789.exesvchost.exe2780938378.exe3811718682.exe3413718160.exe

pid process

648 svchost.exe
1792 3819225789.exe
1584 svchost.exe
604 2780938378.exe
908 3811718682.exe
1976 3413718160.exe
Loads dropped DLL 6 IoCs

Processes:

ca11a2960b914f9e95a38cfa78aaa6e8.exesvchost.exe3819225789.exesvchost.exe

pid process

1064 ca11a2960b914f9e95a38cfa78aaa6e8.exe
648 svchost.exe
1792 3819225789.exe
1584 svchost.exe
1584 svchost.exe
1584 svchost.exe

pid	process
648	svchost.exe
1792	3819225789.exe
1584	svchost.exe
604	2780938378.exe
908	3811718682.exe
1976	3413718160.exe

pid	process
1064	ca11a2960b914f9e95a38cfa78aaa6e8.exe
648	svchost.exe
1792	3819225789.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ca11a2960b914f9e95a38cfa78aaa6e8.exe3819225789.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\292721996713704\\svchost.exe"	ca11a2960b914f9e95a38cfa78aaa6e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\292721996713704\\svchost.exe"	ca11a2960b914f9e95a38cfa78aaa6e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\65461135930764\\svchost.exe"	3819225789.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\65461135930764\\svchost.exe"	3819225789.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3413718160.exe

pid process

1976 3413718160.exe
1976 3413718160.exe
1976 3413718160.exe

pid	process
1976	3413718160.exe
1976	3413718160.exe
1976	3413718160.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ca11a2960b914f9e95a38cfa78aaa6e8.exesvchost.exe3819225789.exesvchost.exe

description	pid	process	target process
PID 1064 wrote to memory of 648	1064	ca11a2960b914f9e95a38cfa78aaa6e8.exe	svchost.exe
PID 1064 wrote to memory of 648	1064	ca11a2960b914f9e95a38cfa78aaa6e8.exe	svchost.exe
PID 1064 wrote to memory of 648	1064	ca11a2960b914f9e95a38cfa78aaa6e8.exe	svchost.exe
PID 1064 wrote to memory of 648	1064	ca11a2960b914f9e95a38cfa78aaa6e8.exe	svchost.exe
PID 648 wrote to memory of 1792	648	svchost.exe	3819225789.exe
PID 648 wrote to memory of 1792	648	svchost.exe	3819225789.exe
PID 648 wrote to memory of 1792	648	svchost.exe	3819225789.exe
PID 648 wrote to memory of 1792	648	svchost.exe	3819225789.exe
PID 1792 wrote to memory of 1584	1792	3819225789.exe	svchost.exe
PID 1792 wrote to memory of 1584	1792	3819225789.exe	svchost.exe
PID 1792 wrote to memory of 1584	1792	3819225789.exe	svchost.exe
PID 1792 wrote to memory of 1584	1792	3819225789.exe	svchost.exe
PID 1584 wrote to memory of 604	1584	svchost.exe	2780938378.exe
PID 1584 wrote to memory of 604	1584	svchost.exe	2780938378.exe
PID 1584 wrote to memory of 604	1584	svchost.exe	2780938378.exe
PID 1584 wrote to memory of 604	1584	svchost.exe	2780938378.exe
PID 1584 wrote to memory of 908	1584	svchost.exe	3811718682.exe
PID 1584 wrote to memory of 908	1584	svchost.exe	3811718682.exe
PID 1584 wrote to memory of 908	1584	svchost.exe	3811718682.exe
PID 1584 wrote to memory of 908	1584	svchost.exe	3811718682.exe
PID 1584 wrote to memory of 1976	1584	svchost.exe	3413718160.exe
PID 1584 wrote to memory of 1976	1584	svchost.exe	3413718160.exe
PID 1584 wrote to memory of 1976	1584	svchost.exe	3413718160.exe
PID 1584 wrote to memory of 1976	1584	svchost.exe	3413718160.exe

C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe
"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064

C:\292721996713704\svchost.exe
C:\292721996713704\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\3819225789.exe
C:\Users\Admin\AppData\Local\Temp\3819225789.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792

C:\65461135930764\svchost.exe
C:\65461135930764\svchost.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\2780938378.exe
C:\Users\Admin\AppData\Local\Temp\2780938378.exe
5⤵
- Executes dropped EXE
PID:604

C:\Users\Admin\AppData\Local\Temp\3811718682.exe
C:\Users\Admin\AppData\Local\Temp\3811718682.exe
5⤵
- Executes dropped EXE
PID:908

C:\Users\Admin\AppData\Local\Temp\3413718160.exe
C:\Users\Admin\AppData\Local\Temp\3413718160.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\292721996713704\svchost.exe
MD5
ca11a2960b914f9e95a38cfa78aaa6e8

SHA1
ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7

SHA256
2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12

SHA512
8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

Download Submit
C:\292721996713704\svchost.exe
MD5
ca11a2960b914f9e95a38cfa78aaa6e8

SHA1
ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7

SHA256
2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12

SHA512
8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

Download Submit
C:\65461135930764\svchost.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
C:\65461135930764\svchost.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\1[1]
MD5
8bbde875a2d097ad682ddbfc002b1fa5

SHA1
519835731f9d08bf1fcd2792b168a4547dfe80ee

SHA256
a6c55d3aa8a5f54b72c75769f72cccb9fb03433e2b5fb99282143d2ccb656b6a

SHA512
be534c8fd5894ac18511eae5f103986930875df55a7cfd27800735fb9a40f1b296b573091f6a3235f657a2238b02b74b9c466c1f48bd1c1c09079e276b74435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2780938378.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
C:\Users\Admin\AppData\Local\Temp\3413718160.exe
MD5
60caaf46436402dfd2639937119e7679

SHA1
6f8a3429cd07629036b3f53f47a90c6218e38c78

SHA256
05e762241f8c46db6e1d893b1270d3a4dbd9270bb6df315a185a52caa73c8ceb

SHA512
f21799cd9c0ee27627c4a08e00c3ec9e119b05a111b9c1821379afb64136e76b63da4be74a1b38c6532449313e09c72f89da1c2c5e90de9673053ad540f47047

Download Submit
C:\Users\Admin\AppData\Local\Temp\3811718682.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
C:\Users\Admin\AppData\Local\Temp\3819225789.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
C:\Users\Admin\AppData\Local\Temp\3819225789.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
\292721996713704\svchost.exe
MD5
ca11a2960b914f9e95a38cfa78aaa6e8

SHA1
ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7

SHA256
2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12

SHA512
8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

Download Submit
\65461135930764\svchost.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
\Users\Admin\AppData\Local\Temp\2780938378.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
\Users\Admin\AppData\Local\Temp\3413718160.exe
MD5
60caaf46436402dfd2639937119e7679

SHA1
6f8a3429cd07629036b3f53f47a90c6218e38c78

SHA256
05e762241f8c46db6e1d893b1270d3a4dbd9270bb6df315a185a52caa73c8ceb

SHA512
f21799cd9c0ee27627c4a08e00c3ec9e119b05a111b9c1821379afb64136e76b63da4be74a1b38c6532449313e09c72f89da1c2c5e90de9673053ad540f47047

Download Submit
\Users\Admin\AppData\Local\Temp\3811718682.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
\Users\Admin\AppData\Local\Temp\3819225789.exe
MD5
fb232bf61cf722f16aeb69179f497cb9

SHA1
5b91e089c46bd095f238243d8a7e4c63ffa1b120

SHA256
283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c

SHA512
6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

Download Submit
memory/604-21-0x0000000000000000-mapping.dmp

Download
memory/648-5-0x0000000000000000-mapping.dmp

Download
memory/908-25-0x0000000000000000-mapping.dmp

Download
memory/1064-2-0x0000000076101000-0x0000000076103000-memory.dmp

Filesize
8KB

Download
memory/1572-3-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp

Filesize
2.5MB

Download
memory/1584-15-0x0000000000000000-mapping.dmp

Download
memory/1792-10-0x0000000000000000-mapping.dmp

Download
memory/1976-29-0x0000000000000000-mapping.dmp

Download
memory/1976-31-0x0000000001F40000-0x0000000001F51000-memory.dmp

Filesize
68KB

Download
memory/1976-33-0x0000000001F40000-0x0000000001F51000-memory.dmp

Filesize
68KB

Download
memory/1976-32-0x0000000002350000-0x0000000002361000-memory.dmp

Filesize
68KB

Download