phorphiex | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

Analysis

max time kernel
149s
max time network
144s
platform
windows10_x64
resource
win10v20201028
submitted
03-02-2021 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1270d03503499a3dc08a3d959ded61f5.exe
Size

35KB
MD5

1270d03503499a3dc08a3d959ded61f5
SHA1

965b86352f0a5aea6969be8466e5318a0152b32a
SHA256

329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
SHA512

418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 6 IoCs

Processes:

resource	yara_rule
C:\18982126630668\svchost.exe	family_phorphiex
C:\18982126630668\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3225838589.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3225838589.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2898422098.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2898422098.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

svchost.exe3225838589.exe2898422098.exe1655535444.exe2336139219.exe2121514995.exe

pid process

3988 svchost.exe
3568 3225838589.exe
3512 2898422098.exe
1308 1655535444.exe
636 2336139219.exe
3796 2121514995.exe

pid	process
3988	svchost.exe
3568	3225838589.exe
3512	2898422098.exe
1308	1655535444.exe
636	2336139219.exe
3796	2121514995.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1270d03503499a3dc08a3d959ded61f5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\18982126630668\\svchost.exe"	1270d03503499a3dc08a3d959ded61f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\18982126630668\\svchost.exe"	1270d03503499a3dc08a3d959ded61f5.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1655535444.exe

pid process

1308 1655535444.exe
1308 1655535444.exe
1308 1655535444.exe
1308 1655535444.exe
1308 1655535444.exe
1308 1655535444.exe

pid	process
1308	1655535444.exe
1308	1655535444.exe
1308	1655535444.exe
1308	1655535444.exe
1308	1655535444.exe
1308	1655535444.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1270d03503499a3dc08a3d959ded61f5.exesvchost.exe

description	pid	process	target process
PID 500 wrote to memory of 3988	500	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 500 wrote to memory of 3988	500	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 500 wrote to memory of 3988	500	1270d03503499a3dc08a3d959ded61f5.exe	svchost.exe
PID 3988 wrote to memory of 3568	3988	svchost.exe	3225838589.exe
PID 3988 wrote to memory of 3568	3988	svchost.exe	3225838589.exe
PID 3988 wrote to memory of 3568	3988	svchost.exe	3225838589.exe
PID 3988 wrote to memory of 3512	3988	svchost.exe	2898422098.exe
PID 3988 wrote to memory of 3512	3988	svchost.exe	2898422098.exe
PID 3988 wrote to memory of 3512	3988	svchost.exe	2898422098.exe
PID 3988 wrote to memory of 1308	3988	svchost.exe	1655535444.exe
PID 3988 wrote to memory of 1308	3988	svchost.exe	1655535444.exe
PID 3988 wrote to memory of 1308	3988	svchost.exe	1655535444.exe
PID 3988 wrote to memory of 636	3988	svchost.exe	2336139219.exe
PID 3988 wrote to memory of 636	3988	svchost.exe	2336139219.exe
PID 3988 wrote to memory of 636	3988	svchost.exe	2336139219.exe
PID 3988 wrote to memory of 3796	3988	svchost.exe	2121514995.exe
PID 3988 wrote to memory of 3796	3988	svchost.exe	2121514995.exe
PID 3988 wrote to memory of 3796	3988	svchost.exe	2121514995.exe

C:\Users\Admin\AppData\Local\Temp\1270d03503499a3dc08a3d959ded61f5.exe
"C:\Users\Admin\AppData\Local\Temp\1270d03503499a3dc08a3d959ded61f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:500

C:\18982126630668\svchost.exe
C:\18982126630668\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\3225838589.exe
C:\Users\Admin\AppData\Local\Temp\3225838589.exe
3⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\2898422098.exe
C:\Users\Admin\AppData\Local\Temp\2898422098.exe
3⤵
- Executes dropped EXE
PID:3512

C:\Users\Admin\AppData\Local\Temp\1655535444.exe
C:\Users\Admin\AppData\Local\Temp\1655535444.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Users\Admin\AppData\Local\Temp\2336139219.exe
C:\Users\Admin\AppData\Local\Temp\2336139219.exe
3⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\2121514995.exe
C:\Users\Admin\AppData\Local\Temp\2121514995.exe
3⤵
- Executes dropped EXE
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\18982126630668\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\18982126630668\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1655535444.exe
MD5
8878c92a4904f6a5ee5afe2b76f86dc3

SHA1
0aad86be67dfe4a80020255ae85314d57ab1690b

SHA256
9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9

SHA512
19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1655535444.exe
MD5
8878c92a4904f6a5ee5afe2b76f86dc3

SHA1
0aad86be67dfe4a80020255ae85314d57ab1690b

SHA256
9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9

SHA512
19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\2121514995.exe
MD5
eda49f0af7615c2466e06cee3e8bbf79

SHA1
8091d27cd5842328f0e749760ec83ef7feeca4cb

SHA256
1068d6fb0b6367a38d5b723bc16ab84d2d931ca1898f2b52cd1fd690a4668d03

SHA512
4f4b3f6e70b80394e208fb8f10b08ffecee0129998fadec3e641fea1178b92691344097f44d03dddf2eb610987cbb18f2c84044b045808c77f74801ee1ae2a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2121514995.exe
MD5
eda49f0af7615c2466e06cee3e8bbf79

SHA1
8091d27cd5842328f0e749760ec83ef7feeca4cb

SHA256
1068d6fb0b6367a38d5b723bc16ab84d2d931ca1898f2b52cd1fd690a4668d03

SHA512
4f4b3f6e70b80394e208fb8f10b08ffecee0129998fadec3e641fea1178b92691344097f44d03dddf2eb610987cbb18f2c84044b045808c77f74801ee1ae2a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2336139219.exe
MD5
01f4959a2587ffe1528144ca155f2df7

SHA1
a92ff68d42499eeb8670b6e4f19489f9d4323679

SHA256
b469c79ab9cceb82f577f01bdcd72226005a42680a78696a938c7b83a81fbc62

SHA512
87a97b9f130ac0bd060768190a131eb3c841eb2f93a859c34b5a3bbfa9b6806d8b434f99a2373395c35353a53908782cc1ca362509e8c40cd9c7e43331b7098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2336139219.exe
MD5
01f4959a2587ffe1528144ca155f2df7

SHA1
a92ff68d42499eeb8670b6e4f19489f9d4323679

SHA256
b469c79ab9cceb82f577f01bdcd72226005a42680a78696a938c7b83a81fbc62

SHA512
87a97b9f130ac0bd060768190a131eb3c841eb2f93a859c34b5a3bbfa9b6806d8b434f99a2373395c35353a53908782cc1ca362509e8c40cd9c7e43331b7098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2898422098.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2898422098.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3225838589.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3225838589.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
memory/636-20-0x0000000000000000-mapping.dmp

Download
memory/1308-15-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1308-16-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1308-14-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1308-11-0x0000000000000000-mapping.dmp

Download
memory/3512-8-0x0000000000000000-mapping.dmp

Download
memory/3568-5-0x0000000000000000-mapping.dmp

Download
memory/3796-23-0x0000000000000000-mapping.dmp

Download
memory/3988-2-0x0000000000000000-mapping.dmp

Download