phorphiex | d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
30-03-2021 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
Size

32KB
MD5

f7af1a6fb7947ef70c27da2377c0f80a
SHA1

fe64c65af081e168399ecc7d804a3a5d76ccd6d8
SHA256

d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292
SHA512

abf9a990cf834b3e29cbd503dac34e0d62583e7d342e851864ee6d3504272cd399d58cd658c590d23a65f9cd111c431d54fb5803c646f48abab2a8a117bc94ef

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 9 IoCs

Processes:

resource	yara_rule
\28681921021105\sihost.exe	family_phorphiex
C:\28681921021105\sihost.exe	family_phorphiex
C:\28681921021105\sihost.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\2007632652.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2007632652.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2007632652.exe	family_phorphiex
\224932101319066\spoolsv.exe	family_phorphiex
C:\224932101319066\spoolsv.exe	family_phorphiex
C:\224932101319066\spoolsv.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

sihost.exe2007632652.exespoolsv.exe

pid process

592 sihost.exe
1924 2007632652.exe
1384 spoolsv.exe
Loads dropped DLL 3 IoCs

Processes:

d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exesihost.exe2007632652.exe

pid process

1732 d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
592 sihost.exe
1924 2007632652.exe

pid	process
592	sihost.exe
1924	2007632652.exe
1384	spoolsv.exe

pid	process
1732	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
592	sihost.exe
1924	2007632652.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sihost.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe2007632652.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\28681921021105\\sihost.exe"	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\28681921021105\\sihost.exe"	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\224932101319066\\spoolsv.exe"	2007632652.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\224932101319066\\spoolsv.exe"	2007632652.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exesihost.exe2007632652.exe

description	pid	process	target process
PID 1732 wrote to memory of 592	1732	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe	sihost.exe
PID 1732 wrote to memory of 592	1732	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe	sihost.exe
PID 1732 wrote to memory of 592	1732	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe	sihost.exe
PID 1732 wrote to memory of 592	1732	d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe	sihost.exe
PID 592 wrote to memory of 1924	592	sihost.exe	2007632652.exe
PID 592 wrote to memory of 1924	592	sihost.exe	2007632652.exe
PID 592 wrote to memory of 1924	592	sihost.exe	2007632652.exe
PID 592 wrote to memory of 1924	592	sihost.exe	2007632652.exe
PID 1924 wrote to memory of 1384	1924	2007632652.exe	spoolsv.exe
PID 1924 wrote to memory of 1384	1924	2007632652.exe	spoolsv.exe
PID 1924 wrote to memory of 1384	1924	2007632652.exe	spoolsv.exe
PID 1924 wrote to memory of 1384	1924	2007632652.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe
"C:\Users\Admin\AppData\Local\Temp\d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732

C:\28681921021105\sihost.exe
C:\28681921021105\sihost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\2007632652.exe
C:\Users\Admin\AppData\Local\Temp\2007632652.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924

C:\224932101319066\spoolsv.exe
C:\224932101319066\spoolsv.exe
4⤵
- Executes dropped EXE
- Windows security modification
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\224932101319066\spoolsv.exe
MD5
31aa71476e9810b0f599be4f67139c57

SHA1
748e45edea6587dfa2c4ee2783e7695f5428a9d0

SHA256
4772e528ca7c6d8b4d69aa59f212bc6802f1a83c4cdd47a7cfaee7d949b4fbca

SHA512
07405ee17337af148fdfbf95870b5d07e88ea5c34abc107d028f3113f5e82f08c62771deeadd104a0f29646fd44690977e0e28bef595fd6279f21c02bb2862a7

Download Submit
C:\224932101319066\spoolsv.exe
MD5
31aa71476e9810b0f599be4f67139c57

SHA1
748e45edea6587dfa2c4ee2783e7695f5428a9d0

SHA256
4772e528ca7c6d8b4d69aa59f212bc6802f1a83c4cdd47a7cfaee7d949b4fbca

SHA512
07405ee17337af148fdfbf95870b5d07e88ea5c34abc107d028f3113f5e82f08c62771deeadd104a0f29646fd44690977e0e28bef595fd6279f21c02bb2862a7

Download Submit
C:\28681921021105\sihost.exe
MD5
f7af1a6fb7947ef70c27da2377c0f80a

SHA1
fe64c65af081e168399ecc7d804a3a5d76ccd6d8

SHA256
d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292

SHA512
abf9a990cf834b3e29cbd503dac34e0d62583e7d342e851864ee6d3504272cd399d58cd658c590d23a65f9cd111c431d54fb5803c646f48abab2a8a117bc94ef

Download Submit
C:\28681921021105\sihost.exe
MD5
f7af1a6fb7947ef70c27da2377c0f80a

SHA1
fe64c65af081e168399ecc7d804a3a5d76ccd6d8

SHA256
d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292

SHA512
abf9a990cf834b3e29cbd503dac34e0d62583e7d342e851864ee6d3504272cd399d58cd658c590d23a65f9cd111c431d54fb5803c646f48abab2a8a117bc94ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\11aa[1]
MD5
68d2660d021d5cca16b5ef45602c900c

SHA1
ab11bc395afd4497b9a285449af1789626d71a8a

SHA256
de1e1f01713a4b1b08c09a32a0a6d05067d54e7593965eddb74160b9a11678a4

SHA512
2e236d60f75801c85daa6b415dcf84d2ac355a5e843fb309be171da5084492b2f5f2382081be61b80c6fb5dd5a30b0a394fd3f87def15dba55a7a7d81a3c44f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2007632652.exe
MD5
31aa71476e9810b0f599be4f67139c57

SHA1
748e45edea6587dfa2c4ee2783e7695f5428a9d0

SHA256
4772e528ca7c6d8b4d69aa59f212bc6802f1a83c4cdd47a7cfaee7d949b4fbca

SHA512
07405ee17337af148fdfbf95870b5d07e88ea5c34abc107d028f3113f5e82f08c62771deeadd104a0f29646fd44690977e0e28bef595fd6279f21c02bb2862a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2007632652.exe
MD5
31aa71476e9810b0f599be4f67139c57

SHA1
748e45edea6587dfa2c4ee2783e7695f5428a9d0

SHA256
4772e528ca7c6d8b4d69aa59f212bc6802f1a83c4cdd47a7cfaee7d949b4fbca

SHA512
07405ee17337af148fdfbf95870b5d07e88ea5c34abc107d028f3113f5e82f08c62771deeadd104a0f29646fd44690977e0e28bef595fd6279f21c02bb2862a7

Download Submit
\224932101319066\spoolsv.exe
MD5
31aa71476e9810b0f599be4f67139c57

SHA1
748e45edea6587dfa2c4ee2783e7695f5428a9d0

SHA256
4772e528ca7c6d8b4d69aa59f212bc6802f1a83c4cdd47a7cfaee7d949b4fbca

SHA512
07405ee17337af148fdfbf95870b5d07e88ea5c34abc107d028f3113f5e82f08c62771deeadd104a0f29646fd44690977e0e28bef595fd6279f21c02bb2862a7

Download Submit
\28681921021105\sihost.exe
MD5
f7af1a6fb7947ef70c27da2377c0f80a

SHA1
fe64c65af081e168399ecc7d804a3a5d76ccd6d8

SHA256
d7b7b8ad980d6fa81ac802328baf991b59f1fd7e8eca03f1f852c181ae608292

SHA512
abf9a990cf834b3e29cbd503dac34e0d62583e7d342e851864ee6d3504272cd399d58cd658c590d23a65f9cd111c431d54fb5803c646f48abab2a8a117bc94ef

Download Submit
\Users\Admin\AppData\Local\Temp\2007632652.exe
MD5
31aa71476e9810b0f599be4f67139c57

SHA1
748e45edea6587dfa2c4ee2783e7695f5428a9d0

SHA256
4772e528ca7c6d8b4d69aa59f212bc6802f1a83c4cdd47a7cfaee7d949b4fbca

SHA512
07405ee17337af148fdfbf95870b5d07e88ea5c34abc107d028f3113f5e82f08c62771deeadd104a0f29646fd44690977e0e28bef595fd6279f21c02bb2862a7

Download Submit
memory/592-5-0x0000000000000000-mapping.dmp

Download
memory/904-3-0x000007FEF6400000-0x000007FEF667A000-memory.dmp

Filesize
2.5MB

Download
memory/1384-15-0x0000000000000000-mapping.dmp

Download
memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1924-10-0x0000000000000000-mapping.dmp

Download