phorphiex | 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

General

Target

329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
Size

35KB
MD5

1270d03503499a3dc08a3d959ded61f5
SHA1

965b86352f0a5aea6969be8466e5318a0152b32a
SHA256

329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
SHA512

418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 6 IoCs

Processes:

resource	yara_rule
C:\137731028227822\svchost.exe	family_phorphiex
C:\137731028227822\svchost.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3752234006.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3752234006.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1123332953.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1123332953.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 4 IoCs

Processes:

svchost.exe3752234006.exe1123332953.exe2754722142.exe

pid process

3224 svchost.exe
2788 3752234006.exe
4360 1123332953.exe
3052 2754722142.exe

pid	process
3224	svchost.exe
2788	3752234006.exe
4360	1123332953.exe
3052	2754722142.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\137731028227822\\svchost.exe"	329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\137731028227822\\svchost.exe"	329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2754722142.exe

pid process

3052 2754722142.exe
3052 2754722142.exe
3052 2754722142.exe
3052 2754722142.exe
3052 2754722142.exe
3052 2754722142.exe

pid	process
3052	2754722142.exe
3052	2754722142.exe
3052	2754722142.exe
3052	2754722142.exe
3052	2754722142.exe
3052	2754722142.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exesvchost.exe

description	pid	process	target process
PID 4712 wrote to memory of 3224	4712	329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe	svchost.exe
PID 4712 wrote to memory of 3224	4712	329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe	svchost.exe
PID 4712 wrote to memory of 3224	4712	329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe	svchost.exe
PID 3224 wrote to memory of 2788	3224	svchost.exe	3752234006.exe
PID 3224 wrote to memory of 2788	3224	svchost.exe	3752234006.exe
PID 3224 wrote to memory of 2788	3224	svchost.exe	3752234006.exe
PID 3224 wrote to memory of 4360	3224	svchost.exe	1123332953.exe
PID 3224 wrote to memory of 4360	3224	svchost.exe	1123332953.exe
PID 3224 wrote to memory of 4360	3224	svchost.exe	1123332953.exe
PID 3224 wrote to memory of 3052	3224	svchost.exe	2754722142.exe
PID 3224 wrote to memory of 3052	3224	svchost.exe	2754722142.exe
PID 3224 wrote to memory of 3052	3224	svchost.exe	2754722142.exe

C:\Users\Admin\AppData\Local\Temp\329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
"C:\Users\Admin\AppData\Local\Temp\329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712

C:\137731028227822\svchost.exe
C:\137731028227822\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\3752234006.exe
C:\Users\Admin\AppData\Local\Temp\3752234006.exe
3⤵
- Executes dropped EXE
PID:2788

C:\Users\Admin\AppData\Local\Temp\1123332953.exe
C:\Users\Admin\AppData\Local\Temp\1123332953.exe
3⤵
- Executes dropped EXE
PID:4360

C:\Users\Admin\AppData\Local\Temp\2754722142.exe
C:\Users\Admin\AppData\Local\Temp\2754722142.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\137731028227822\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\137731028227822\svchost.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1123332953.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1123332953.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754722142.exe
MD5
8878c92a4904f6a5ee5afe2b76f86dc3

SHA1
0aad86be67dfe4a80020255ae85314d57ab1690b

SHA256
9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9

SHA512
19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\2754722142.exe
MD5
8878c92a4904f6a5ee5afe2b76f86dc3

SHA1
0aad86be67dfe4a80020255ae85314d57ab1690b

SHA256
9eed42c3fe325c8396d77c3519a8673024acbb2a345e078e84061652d2a3dca9

SHA512
19453390764abfb046902ac20ada4db9e726626ca5420f4498def4ca19cecf98720abd8789df22d133098ddb29e1596d0ba78ebafca4cfa3fcb68a76f96a6f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\3752234006.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3752234006.exe
MD5
1270d03503499a3dc08a3d959ded61f5

SHA1
965b86352f0a5aea6969be8466e5318a0152b32a

SHA256
329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339

SHA512
418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d

Download Submit
memory/2788-5-0x0000000000000000-mapping.dmp

Download
memory/3052-11-0x0000000000000000-mapping.dmp

Download
memory/3052-15-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/3052-14-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3052-16-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3224-2-0x0000000000000000-mapping.dmp

Download
memory/4360-8-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads