phorphiex | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
03-02-2021 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1270d03503499a3dc08a3d959ded61f5.exe
Size

35KB
MD5

1270d03503499a3dc08a3d959ded61f5
SHA1

965b86352f0a5aea6969be8466e5318a0152b32a
SHA256

329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
SHA512

418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 7 IoCs

Processes:

resource	yara_rule
\25532129355871\svchost.exe	family_phorphiex
C:\25532129355871\svchost.exe	family_phorphiex
C:\25532129355871\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\1020813230.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1020813230.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\1252720518.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1252720518.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

svchost.exe1020813230.exe1252720518.exe1490735123.exe2773415512.exe1170137648.exe

pid process

1000 svchost.exe
1804 1020813230.exe
1920 1252720518.exe
1380 1490735123.exe
296 2773415512.exe
1296 1170137648.exe
Loads dropped DLL 6 IoCs

Processes:

1270d03503499a3dc08a3d959ded61f5.exesvchost.exe

pid process

776 1270d03503499a3dc08a3d959ded61f5.exe
1000 svchost.exe
1000 svchost.exe
1000 svchost.exe
1000 svchost.exe
1000 svchost.exe

pid	process
1000	svchost.exe
1804	1020813230.exe
1920	1252720518.exe
1380	1490735123.exe
296	2773415512.exe
1296	1170137648.exe

pid	process
776	1270d03503499a3dc08a3d959ded61f5.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1270d03503499a3dc08a3d959ded61f5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\25532129355871\\svchost.exe"	1270d03503499a3dc08a3d959ded61f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\25532129355871\\svchost.exe"	1270d03503499a3dc08a3d959ded61f5.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1490735123.exe

pid process

1380 1490735123.exe
1380 1490735123.exe
1380 1490735123.exe

pid	process
1380	1490735123.exe
1380	1490735123.exe
1380	1490735123.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1270d03503499a3dc08a3d959ded61f5.exesvchost.exe

description	pid	process	target process
PID 776 wrote to memory of 1000	776	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 776 wrote to memory of 1000	776	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 776 wrote to memory of 1000	776	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 776 wrote to memory of 1000	776	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 1000 wrote to memory of 1804	1000	svchost.exe	1020813230.exe
PID 1000 wrote to memory of 1804	1000	svchost.exe	1020813230.exe
PID 1000 wrote to memory of 1804	1000	svchost.exe	1020813230.exe
PID 1000 wrote to memory of 1804	1000	svchost.exe	1020813230.exe
PID 1000 wrote to memory of 1920	1000	svchost.exe	1252720518.exe
PID 1000 wrote to memory of 1920	1000	svchost.exe	1252720518.exe
PID 1000 wrote to memory of 1920	1000	svchost.exe	1252720518.exe
PID 1000 wrote to memory of 1920	1000	svchost.exe	1252720518.exe
PID 1000 wrote to memory of 1380	1000	svchost.exe	1490735123.exe
PID 1000 wrote to memory of 1380	1000	svchost.exe	1490735123.exe
PID 1000 wrote to memory of 1380	1000	svchost.exe	1490735123.exe
PID 1000 wrote to memory of 1380	1000	svchost.exe	1490735123.exe
PID 1000 wrote to memory of 296	1000	svchost.exe	2773415512.exe
PID 1000 wrote to memory of 296	1000	svchost.exe	2773415512.exe
PID 1000 wrote to memory of 296	1000	svchost.exe	2773415512.exe
PID 1000 wrote to memory of 296	1000	svchost.exe	2773415512.exe
PID 1000 wrote to memory of 1296	1000	svchost.exe	1170137648.exe
PID 1000 wrote to memory of 1296	1000	svchost.exe	1170137648.exe
PID 1000 wrote to memory of 1296	1000	svchost.exe	1170137648.exe
PID 1000 wrote to memory of 1296	1000	svchost.exe	1170137648.exe

C:\Users\Admin\AppData\Local\Temp\1270d03503499a3dc08a3d959ded61f5.exe
"C:\Users\Admin\AppData\Local\Temp\1270d03503499a3dc08a3d959ded61f5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:776

C:\25532129355871\svchost.exe
C:\25532129355871\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\1020813230.exe
C:\Users\Admin\AppData\Local\Temp\1020813230.exe
3⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Local\Temp\1252720518.exe
C:\Users\Admin\AppData\Local\Temp\1252720518.exe
3⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\1490735123.exe
C:\Users\Admin\AppData\Local\Temp\1490735123.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Users\Admin\AppData\Local\Temp\2773415512.exe
C:\Users\Admin\AppData\Local\Temp\2773415512.exe
3⤵
- Executes dropped EXE
PID:296

C:\Users\Admin\AppData\Local\Temp\1170137648.exe
C:\Users\Admin\AppData\Local\Temp\1170137648.exe
3⤵
- Executes dropped EXE
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\25532129355871\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\25532129355871\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1020813230.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1170137648.exe
MD5
eda49f0af7615c2466e06cee3e8bbf79

SHA1
8091d27cd5842328f0e749760ec83ef7feeca4cb

SHA256
1068d6fb0b6367a38d5b723bc16ab84d2d931ca1898f2b52cd1fd690a4668d03

SHA512
4f4b3f6e70b80394e208fb8f10b08ffecee0129998fadec3e641fea1178b92691344097f44d03dddf2eb610987cbb18f2c84044b045808c77f74801ee1ae2a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1252720518.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1490735123.exe
MD5
8878c92a4904f6a5ee5afe2b76f86dc3

SHA1
0aad86be67dfe4a80020255ae85314d57ab1690b

SHA256
9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9

SHA512
19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\2773415512.exe
MD5
01f4959a2587ffe1528144ca155f2df7

SHA1
a92ff68d42499eeb8670b6e4f19489f9d4323679

SHA256
b469c79ab9cceb82f577f01bdcd72226005a42680a78696a938c7b83a81fbc62

SHA512
87a97b9f130ac0bd060768190a131eb3c841eb2f93a859c34b5a3bbfa9b6806d8b434f99a2373395c35353a53908782cc1ca362509e8c40cd9c7e43331b7098b

Download Submit
\25532129355871\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
\Users\Admin\AppData\Local\Temp\1020813230.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
\Users\Admin\AppData\Local\Temp\1170137648.exe
MD5
eda49f0af7615c2466e06cee3e8bbf79

SHA1
8091d27cd5842328f0e749760ec83ef7feeca4cb

SHA256
1068d6fb0b6367a38d5b723bc16ab84d2d931ca1898f2b52cd1fd690a4668d03

SHA512
4f4b3f6e70b80394e208fb8f10b08ffecee0129998fadec3e641fea1178b92691344097f44d03dddf2eb610987cbb18f2c84044b045808c77f74801ee1ae2a67

Download Submit
\Users\Admin\AppData\Local\Temp\1252720518.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
\Users\Admin\AppData\Local\Temp\1490735123.exe
MD5
8878c92a4904f6a5ee5afe2b76f86dc3

SHA1
0aad86be67dfe4a80020255ae85314d57ab1690b

SHA256
9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9

SHA512
19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49

Download Submit
\Users\Admin\AppData\Local\Temp\2773415512.exe
MD5
01f4959a2587ffe1528144ca155f2df7

SHA1
a92ff68d42499eeb8670b6e4f19489f9d4323679

SHA256
b469c79ab9cceb82f577f01bdcd72226005a42680a78696a938c7b83a81fbc62

SHA512
87a97b9f130ac0bd060768190a131eb3c841eb2f93a859c34b5a3bbfa9b6806d8b434f99a2373395c35353a53908782cc1ca362509e8c40cd9c7e43331b7098b

Download Submit
memory/296-27-0x0000000000000000-mapping.dmp

Download
memory/776-2-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1000-5-0x0000000000000000-mapping.dmp

Download
memory/1296-31-0x0000000000000000-mapping.dmp

Download
memory/1380-18-0x0000000000000000-mapping.dmp

Download
memory/1380-20-0x0000000001EB0000-0x0000000001EC1000-memory.dmp

Filesize
68KB

Download
memory/1380-21-0x00000000022C0000-0x00000000022D1000-memory.dmp

Filesize
68KB

Download
memory/1380-22-0x0000000001EB0000-0x0000000001EC1000-memory.dmp

Filesize
68KB

Download
memory/1432-3-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-10-0x0000000000000000-mapping.dmp

Download
memory/1920-14-0x0000000000000000-mapping.dmp

Download