phorphiex | 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c

General

Target

92ec0ad5172f3a97d6656b70c111af98.exe
Size

7KB
MD5

92ec0ad5172f3a97d6656b70c111af98
SHA1

e15fc1668ccdaf70e5831906191f611136b7ac65
SHA256

5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
SHA512

f895ac70eb9c68b9361b32d71c3135f3ccd2f7b676d03061677416b883a1be7a8bad85df8de8202f612ebdfa8564ce77d34f7d5eb9a818fac0098cb4ca856762

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3478027055.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\3478027055.exe	family_phorphiex
C:\13185753226332\smss.exe	family_phorphiex
C:\13185753226332\smss.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

3478027055.exesmss.exe

pid process

4008 3478027055.exe
2268 smss.exe

pid	process
4008	3478027055.exe
2268	smss.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

smss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3478027055.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe"	3478027055.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe"	3478027055.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

92ec0ad5172f3a97d6656b70c111af98.exe3478027055.exe

description	pid	process	target process
PID 500 wrote to memory of 4008	500	92ec0ad5172f3a97d6656b70c111af98.exe	3478027055.exe
PID 500 wrote to memory of 4008	500	92ec0ad5172f3a97d6656b70c111af98.exe	3478027055.exe
PID 500 wrote to memory of 4008	500	92ec0ad5172f3a97d6656b70c111af98.exe	3478027055.exe
PID 4008 wrote to memory of 2268	4008	3478027055.exe	smss.exe
PID 4008 wrote to memory of 2268	4008	3478027055.exe	smss.exe
PID 4008 wrote to memory of 2268	4008	3478027055.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\3478027055.exe
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4008

C:\13185753226332\smss.exe
C:\13185753226332\smss.exe
3⤵
- Executes dropped EXE
- Windows security modification
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\13185753226332\smss.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\13185753226332\smss.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3478027055.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
memory/2268-117-0x0000000000000000-mapping.dmp

Download
memory/4008-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads