phorphiex | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

General

Target

0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
Size

949KB
MD5

1daca30b2b6c0ef60e02df04e656e990
SHA1

c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256

0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512

7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Phorphiex Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1360-62-0x0000000000400000-0x00000000004EED90-memory.dmp	family_phorphiex
behavioral1/memory/852-74-0x0000000000350000-0x000000000043F000-memory.dmp	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1476 svchost.exe
Loads dropped DLL 4 IoCs

Processes:

0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exeWerFault.exe

pid process

1360 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
852 WerFault.exe
852 WerFault.exe
852 WerFault.exe

pid	process
1476	svchost.exe

pid	process
1360	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\19483196521428\\svchost.exe"	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\19483196521428\\svchost.exe"	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zfm.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zg.exe	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

description	ioc	process
File created	C:\Windows\19483196521428\svchost.exe	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
File opened for modification	C:\Windows\19483196521428\svchost.exe	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
File opened for modification	C:\Windows\19483196521428	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

852 1476 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

852 WerFault.exe
852 WerFault.exe
852 WerFault.exe
852 WerFault.exe
852 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

852 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 852 WerFault.exe

pid	pid_target	process	target process
852	1476	WerFault.exe	svchost.exe

pid	process
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe

pid	process
852	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	852	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exesvchost.exe

description	pid	process	target process
PID 1360 wrote to memory of 1476	1360	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe	svchost.exe
PID 1360 wrote to memory of 1476	1360	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe	svchost.exe
PID 1360 wrote to memory of 1476	1360	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe	svchost.exe
PID 1360 wrote to memory of 1476	1360	0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe	svchost.exe
PID 1476 wrote to memory of 852	1476	svchost.exe	WerFault.exe
PID 1476 wrote to memory of 852	1476	svchost.exe	WerFault.exe
PID 1476 wrote to memory of 852	1476	svchost.exe	WerFault.exe
PID 1476 wrote to memory of 852	1476	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\19483196521428\svchost.exe
C:\Windows\19483196521428\svchost.exe
2⤵
- Executes dropped EXE
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 840
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\19483196521428\svchost.exe
MD5
1daca30b2b6c0ef60e02df04e656e990

SHA1
c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9

SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

SHA512
7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Download Submit
C:\Windows\19483196521428\svchost.exe
MD5
1daca30b2b6c0ef60e02df04e656e990

SHA1
c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9

SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

SHA512
7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Download Submit
\Windows\19483196521428\svchost.exe
MD5
1daca30b2b6c0ef60e02df04e656e990

SHA1
c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9

SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

SHA512
7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Download Submit
\Windows\19483196521428\svchost.exe
MD5
1daca30b2b6c0ef60e02df04e656e990

SHA1
c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9

SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

SHA512
7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Download Submit
\Windows\19483196521428\svchost.exe
MD5
1daca30b2b6c0ef60e02df04e656e990

SHA1
c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9

SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

SHA512
7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Download Submit
\Windows\19483196521428\svchost.exe
MD5
1daca30b2b6c0ef60e02df04e656e990

SHA1
c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9

SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184

SHA512
7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

Download Submit
memory/852-70-0x0000000000000000-mapping.dmp

Download
memory/852-74-0x0000000000350000-0x000000000043F000-memory.dmp

Filesize
956KB

Download
memory/1360-62-0x0000000000400000-0x00000000004EED90-memory.dmp

Filesize
955KB

Download
memory/1360-61-0x0000000001EF0000-0x0000000001F0D000-memory.dmp

Filesize
116KB

Download
memory/1360-60-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1476-64-0x0000000000000000-mapping.dmp

Download
memory/1476-67-0x0000000000580000-0x000000000059D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads