phorphiex | abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

Target

t.exe
Size

100KB
MD5

ee0a1ec859b753abc30847157d81f37c
SHA1

2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256

abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512

6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 6 IoCs

Processes:

resource	yara_rule
C:\76831245121863\lsass.exe	family_phorphiex
C:\76831245121863\lsass.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3817310502.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3817310502.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2799210394.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2799210394.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

lsass.exe3817310502.exe2799210394.exe

pid process

2412 lsass.exe
4072 3817310502.exe
4012 2799210394.exe

pid	process
2412	lsass.exe
4072	3817310502.exe
4012	2799210394.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

t.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\76831245121863\\lsass.exe"	t.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\76831245121863\\lsass.exe"	t.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

t.exelsass.exe

description	pid	process	target process
PID 4024 wrote to memory of 2412	4024	t.exe	lsass.exe
PID 4024 wrote to memory of 2412	4024	t.exe	lsass.exe
PID 4024 wrote to memory of 2412	4024	t.exe	lsass.exe
PID 2412 wrote to memory of 4072	2412	lsass.exe	3817310502.exe
PID 2412 wrote to memory of 4072	2412	lsass.exe	3817310502.exe
PID 2412 wrote to memory of 4072	2412	lsass.exe	3817310502.exe
PID 2412 wrote to memory of 4012	2412	lsass.exe	2799210394.exe
PID 2412 wrote to memory of 4012	2412	lsass.exe	2799210394.exe
PID 2412 wrote to memory of 4012	2412	lsass.exe	2799210394.exe

C:\Users\Admin\AppData\Local\Temp\t.exe
"C:\Users\Admin\AppData\Local\Temp\t.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024

C:\76831245121863\lsass.exe
C:\76831245121863\lsass.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\3817310502.exe
C:\Users\Admin\AppData\Local\Temp\3817310502.exe
3⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\2799210394.exe
C:\Users\Admin\AppData\Local\Temp\2799210394.exe
3⤵
- Executes dropped EXE
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\76831245121863\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\76831245121863\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2799210394.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2799210394.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3817310502.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3817310502.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
memory/2412-114-0x0000000000000000-mapping.dmp

Download
memory/4012-120-0x0000000000000000-mapping.dmp

Download
memory/4072-117-0x0000000000000000-mapping.dmp

Download