phorphiex | ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7v20210408
submitted
03-05-2021 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6569e45a3a38f7168f4c4aa0594627.exe
Size

6KB
MD5

0a6569e45a3a38f7168f4c4aa0594627
SHA1

af8d33d98a8248f1e393337428a742929b02418f
SHA256

ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
SHA512

f0e74357cff0bc9a9c91cc911a6e214ab0fb29d68ab3e51f766d6e77c0e16836402b3c7093d61b988e0eaa1415de8f0766c10164b8730897ffad5c530ce48f07

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 10 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\19981.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\19981.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\19981.exe	family_phorphiex
\36762617210258\lsass.exe	family_phorphiex
C:\36762617210258\lsass.exe	family_phorphiex
C:\36762617210258\lsass.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3792818807.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3792818807.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3367827580.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3367827580.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

19981.exelsass.exe3792818807.exe3367827580.exe

pid process

1684 19981.exe
108 lsass.exe
1612 3792818807.exe
868 3367827580.exe
Loads dropped DLL 4 IoCs

Processes:

0a6569e45a3a38f7168f4c4aa0594627.exe19981.exelsass.exe

pid process

1036 0a6569e45a3a38f7168f4c4aa0594627.exe
1684 19981.exe
108 lsass.exe
108 lsass.exe

pid	process
1684	19981.exe
108	lsass.exe
1612	3792818807.exe
868	3367827580.exe

pid	process
1036	0a6569e45a3a38f7168f4c4aa0594627.exe
1684	19981.exe
108	lsass.exe
108	lsass.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

19981.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\36762617210258\\lsass.exe"	19981.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\36762617210258\\lsass.exe"	19981.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0a6569e45a3a38f7168f4c4aa0594627.exe19981.exelsass.exe

description	pid	process	target process
PID 1036 wrote to memory of 1684	1036	0a6569e45a3a38f7168f4c4aa0594627.exe	19981.exe
PID 1036 wrote to memory of 1684	1036	0a6569e45a3a38f7168f4c4aa0594627.exe	19981.exe
PID 1036 wrote to memory of 1684	1036	0a6569e45a3a38f7168f4c4aa0594627.exe	19981.exe
PID 1036 wrote to memory of 1684	1036	0a6569e45a3a38f7168f4c4aa0594627.exe	19981.exe
PID 1684 wrote to memory of 108	1684	19981.exe	lsass.exe
PID 1684 wrote to memory of 108	1684	19981.exe	lsass.exe
PID 1684 wrote to memory of 108	1684	19981.exe	lsass.exe
PID 1684 wrote to memory of 108	1684	19981.exe	lsass.exe
PID 108 wrote to memory of 1612	108	lsass.exe	3792818807.exe
PID 108 wrote to memory of 1612	108	lsass.exe	3792818807.exe
PID 108 wrote to memory of 1612	108	lsass.exe	3792818807.exe
PID 108 wrote to memory of 1612	108	lsass.exe	3792818807.exe
PID 108 wrote to memory of 868	108	lsass.exe	3367827580.exe
PID 108 wrote to memory of 868	108	lsass.exe	3367827580.exe
PID 108 wrote to memory of 868	108	lsass.exe	3367827580.exe
PID 108 wrote to memory of 868	108	lsass.exe	3367827580.exe

C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe
"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\19981.exe
C:\Users\Admin\AppData\Local\Temp\19981.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684

C:\36762617210258\lsass.exe
C:\36762617210258\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\3792818807.exe
C:\Users\Admin\AppData\Local\Temp\3792818807.exe
4⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\Temp\3367827580.exe
C:\Users\Admin\AppData\Local\Temp\3367827580.exe
4⤵
- Executes dropped EXE
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\36762617210258\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\36762617210258\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\19981.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\19981.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3367827580.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3792818807.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\36762617210258\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\Users\Admin\AppData\Local\Temp\19981.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\Users\Admin\AppData\Local\Temp\3367827580.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\Users\Admin\AppData\Local\Temp\3792818807.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
memory/108-67-0x0000000000000000-mapping.dmp

Download
memory/868-76-0x0000000000000000-mapping.dmp

Download
memory/1036-60-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1612-72-0x0000000000000000-mapping.dmp

Download
memory/1684-62-0x0000000000000000-mapping.dmp

Download