phorphiex | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a50980afb1c6a43cf38872e694bb7db.exe
Size

37KB
MD5

9a50980afb1c6a43cf38872e694bb7db
SHA1

237aa3ee8c912e6f8326782b790327562cef8dd9
SHA256

78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
SHA512

fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 7 IoCs

Processes:

resource	yara_rule
\13371362720595\svchost.exe	family_phorphiex
C:\13371362720595\svchost.exe	family_phorphiex
C:\13371362720595\svchost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3553427902.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3553427902.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\2736435409.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2736435409.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

svchost.exe3553427902.exe2736435409.exe2852011786.exe1545610586.exe

pid process

1456 svchost.exe
824 3553427902.exe
1960 2736435409.exe
1676 2852011786.exe
1020 1545610586.exe
Loads dropped DLL 5 IoCs

Processes:

9a50980afb1c6a43cf38872e694bb7db.exesvchost.exe

pid process

1096 9a50980afb1c6a43cf38872e694bb7db.exe
1456 svchost.exe
1456 svchost.exe
1456 svchost.exe
1456 svchost.exe

pid	process
1456	svchost.exe
824	3553427902.exe
1960	2736435409.exe
1676	2852011786.exe
1020	1545610586.exe

pid	process
1096	9a50980afb1c6a43cf38872e694bb7db.exe
1456	svchost.exe
1456	svchost.exe
1456	svchost.exe
1456	svchost.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9a50980afb1c6a43cf38872e694bb7db.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13371362720595\\svchost.exe"	9a50980afb1c6a43cf38872e694bb7db.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13371362720595\\svchost.exe"	9a50980afb1c6a43cf38872e694bb7db.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2852011786.exe

pid process

1676 2852011786.exe
1676 2852011786.exe
1676 2852011786.exe

pid	process
1676	2852011786.exe
1676	2852011786.exe
1676	2852011786.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9a50980afb1c6a43cf38872e694bb7db.exesvchost.exe

description	pid	process	target process
PID 1096 wrote to memory of 1456	1096	9a50980afb1c6a43cf38872e694bb7db.exe	svchost.exe
PID 1096 wrote to memory of 1456	1096	9a50980afb1c6a43cf38872e694bb7db.exe	svchost.exe
PID 1096 wrote to memory of 1456	1096	9a50980afb1c6a43cf38872e694bb7db.exe	svchost.exe
PID 1096 wrote to memory of 1456	1096	9a50980afb1c6a43cf38872e694bb7db.exe	svchost.exe
PID 1456 wrote to memory of 824	1456	svchost.exe	3553427902.exe
PID 1456 wrote to memory of 824	1456	svchost.exe	3553427902.exe
PID 1456 wrote to memory of 824	1456	svchost.exe	3553427902.exe
PID 1456 wrote to memory of 824	1456	svchost.exe	3553427902.exe
PID 1456 wrote to memory of 1960	1456	svchost.exe	2736435409.exe
PID 1456 wrote to memory of 1960	1456	svchost.exe	2736435409.exe
PID 1456 wrote to memory of 1960	1456	svchost.exe	2736435409.exe
PID 1456 wrote to memory of 1960	1456	svchost.exe	2736435409.exe
PID 1456 wrote to memory of 1676	1456	svchost.exe	2852011786.exe
PID 1456 wrote to memory of 1676	1456	svchost.exe	2852011786.exe
PID 1456 wrote to memory of 1676	1456	svchost.exe	2852011786.exe
PID 1456 wrote to memory of 1676	1456	svchost.exe	2852011786.exe
PID 1456 wrote to memory of 1020	1456	svchost.exe	1545610586.exe
PID 1456 wrote to memory of 1020	1456	svchost.exe	1545610586.exe
PID 1456 wrote to memory of 1020	1456	svchost.exe	1545610586.exe
PID 1456 wrote to memory of 1020	1456	svchost.exe	1545610586.exe

C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe
"C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096

C:\13371362720595\svchost.exe
C:\13371362720595\svchost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\3553427902.exe
C:\Users\Admin\AppData\Local\Temp\3553427902.exe
3⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\AppData\Local\Temp\2736435409.exe
C:\Users\Admin\AppData\Local\Temp\2736435409.exe
3⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\2852011786.exe
C:\Users\Admin\AppData\Local\Temp\2852011786.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Users\Admin\AppData\Local\Temp\1545610586.exe
C:\Users\Admin\AppData\Local\Temp\1545610586.exe
3⤵
- Executes dropped EXE
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\13371362720595\svchost.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
C:\13371362720595\svchost.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1545610586.exe
MD5
959292f2ba7b55140c759ae2f339ea46

SHA1
95c0465226700d89551d6a6022351890a7a25bd3

SHA256
c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457

SHA512
9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343

Download Submit
C:\Users\Admin\AppData\Local\Temp\2736435409.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2852011786.exe
MD5
d6a8c17bb74138c72a215b9aa9a8f2ca

SHA1
131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75

SHA256
24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf

SHA512
e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3553427902.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
\13371362720595\svchost.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
\Users\Admin\AppData\Local\Temp\1545610586.exe
MD5
959292f2ba7b55140c759ae2f339ea46

SHA1
95c0465226700d89551d6a6022351890a7a25bd3

SHA256
c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457

SHA512
9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343

Download Submit
\Users\Admin\AppData\Local\Temp\2736435409.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
\Users\Admin\AppData\Local\Temp\2852011786.exe
MD5
d6a8c17bb74138c72a215b9aa9a8f2ca

SHA1
131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75

SHA256
24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf

SHA512
e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e

Download Submit
\Users\Admin\AppData\Local\Temp\3553427902.exe
MD5
9a50980afb1c6a43cf38872e694bb7db

SHA1
237aa3ee8c912e6f8326782b790327562cef8dd9

SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb

SHA512
fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8

Download Submit
memory/824-10-0x0000000000000000-mapping.dmp

Download
memory/1020-27-0x0000000000000000-mapping.dmp

Download
memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1456-5-0x0000000000000000-mapping.dmp

Download
memory/1676-20-0x0000000000750000-0x0000000000761000-memory.dmp

Filesize
68KB

Download
memory/1676-21-0x0000000002080000-0x0000000002091000-memory.dmp

Filesize
68KB

Download
memory/1676-22-0x0000000000750000-0x0000000000761000-memory.dmp

Filesize
68KB

Download
memory/1676-18-0x0000000000000000-mapping.dmp

Download
memory/1684-3-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp

Filesize
2.5MB

Download
memory/1960-14-0x0000000000000000-mapping.dmp

Download