phorphiex | ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38

General

Target

0a6569e45a3a38f7168f4c4aa0594627.exe
Size

6KB
MD5

0a6569e45a3a38f7168f4c4aa0594627
SHA1

af8d33d98a8248f1e393337428a742929b02418f
SHA256

ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
SHA512

f0e74357cff0bc9a9c91cc911a6e214ab0fb29d68ab3e51f766d6e77c0e16836402b3c7093d61b988e0eaa1415de8f0766c10164b8730897ffad5c530ce48f07

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\24539.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\24539.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\24539.exe	family_phorphiex
\7997101627193\lsass.exe	family_phorphiex
C:\7997101627193\lsass.exe	family_phorphiex
C:\7997101627193\lsass.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\3919826265.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3919826265.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

24539.exelsass.exe3919826265.exe

pid process

1712 24539.exe
828 lsass.exe
592 3919826265.exe
Loads dropped DLL 3 IoCs

Processes:

0a6569e45a3a38f7168f4c4aa0594627.exe24539.exelsass.exe

pid process

744 0a6569e45a3a38f7168f4c4aa0594627.exe
1712 24539.exe
828 lsass.exe

pid	process
1712	24539.exe
828	lsass.exe
592	3919826265.exe

pid	process
744	0a6569e45a3a38f7168f4c4aa0594627.exe
1712	24539.exe
828	lsass.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

24539.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\7997101627193\\lsass.exe"	24539.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\7997101627193\\lsass.exe"	24539.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0a6569e45a3a38f7168f4c4aa0594627.exe24539.exelsass.exe

description	pid	process	target process
PID 744 wrote to memory of 1712	744	0a6569e45a3a38f7168f4c4aa0594627.exe	24539.exe
PID 744 wrote to memory of 1712	744	0a6569e45a3a38f7168f4c4aa0594627.exe	24539.exe
PID 744 wrote to memory of 1712	744	0a6569e45a3a38f7168f4c4aa0594627.exe	24539.exe
PID 744 wrote to memory of 1712	744	0a6569e45a3a38f7168f4c4aa0594627.exe	24539.exe
PID 1712 wrote to memory of 828	1712	24539.exe	lsass.exe
PID 1712 wrote to memory of 828	1712	24539.exe	lsass.exe
PID 1712 wrote to memory of 828	1712	24539.exe	lsass.exe
PID 1712 wrote to memory of 828	1712	24539.exe	lsass.exe
PID 828 wrote to memory of 592	828	lsass.exe	3919826265.exe
PID 828 wrote to memory of 592	828	lsass.exe	3919826265.exe
PID 828 wrote to memory of 592	828	lsass.exe	3919826265.exe
PID 828 wrote to memory of 592	828	lsass.exe	3919826265.exe

C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe
"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\24539.exe
C:\Users\Admin\AppData\Local\Temp\24539.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\7997101627193\lsass.exe
C:\7997101627193\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\3919826265.exe
C:\Users\Admin\AppData\Local\Temp\3919826265.exe
4⤵
- Executes dropped EXE
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7997101627193\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\7997101627193\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\24539.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\24539.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3919826265.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\7997101627193\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\Users\Admin\AppData\Local\Temp\24539.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\Users\Admin\AppData\Local\Temp\3919826265.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
memory/592-71-0x0000000000000000-mapping.dmp

Download
memory/744-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/828-66-0x0000000000000000-mapping.dmp

Download
memory/1712-61-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads