phorphiex | 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
24-05-2021 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92ec0ad5172f3a97d6656b70c111af98.exe
Size

7KB
MD5

92ec0ad5172f3a97d6656b70c111af98
SHA1

e15fc1668ccdaf70e5831906191f611136b7ac65
SHA256

5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
SHA512

f895ac70eb9c68b9361b32d71c3135f3ccd2f7b676d03061677416b883a1be7a8bad85df8de8202f612ebdfa8564ce77d34f7d5eb9a818fac0098cb4ca856762

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1126038252.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1126038252.exe	family_phorphiex
C:\50781317113831\smss.exe	family_phorphiex
C:\50781317113831\smss.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2648319356.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2648319356.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

1126038252.exesmss.exe2648319356.exe2345614391.exe1290831180.exe1246011076.exe2746621474.exe

pid process

2968 1126038252.exe
3464 smss.exe
2148 2648319356.exe
1924 2345614391.exe
4016 1290831180.exe
3768 1246011076.exe
2704 2746621474.exe

pid	process
2968	1126038252.exe
3464	smss.exe
2148	2648319356.exe
1924	2345614391.exe
4016	1290831180.exe
3768	1246011076.exe
2704	2746621474.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	cmd.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

smss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1126038252.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\50781317113831\\smss.exe"	1126038252.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\50781317113831\\smss.exe"	1126038252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

92ec0ad5172f3a97d6656b70c111af98.exe1126038252.exesmss.exe2345614391.exe1290831180.exe1246011076.exe

description	pid	process	target process
PID 2116 wrote to memory of 2968	2116	92ec0ad5172f3a97d6656b70c111af98.exe	1126038252.exe
PID 2116 wrote to memory of 2968	2116	92ec0ad5172f3a97d6656b70c111af98.exe	1126038252.exe
PID 2116 wrote to memory of 2968	2116	92ec0ad5172f3a97d6656b70c111af98.exe	1126038252.exe
PID 2968 wrote to memory of 3464	2968	1126038252.exe	smss.exe
PID 2968 wrote to memory of 3464	2968	1126038252.exe	smss.exe
PID 2968 wrote to memory of 3464	2968	1126038252.exe	smss.exe
PID 3464 wrote to memory of 2148	3464	smss.exe	2648319356.exe
PID 3464 wrote to memory of 2148	3464	smss.exe	2648319356.exe
PID 3464 wrote to memory of 2148	3464	smss.exe	2648319356.exe
PID 3464 wrote to memory of 1924	3464	smss.exe	2345614391.exe
PID 3464 wrote to memory of 1924	3464	smss.exe	2345614391.exe
PID 3464 wrote to memory of 1924	3464	smss.exe	2345614391.exe
PID 1924 wrote to memory of 4016	1924	2345614391.exe	1290831180.exe
PID 1924 wrote to memory of 4016	1924	2345614391.exe	1290831180.exe
PID 1924 wrote to memory of 4016	1924	2345614391.exe	1290831180.exe
PID 4016 wrote to memory of 4012	4016	1290831180.exe	cmd.exe
PID 4016 wrote to memory of 4012	4016	1290831180.exe	cmd.exe
PID 3464 wrote to memory of 3768	3464	smss.exe	1246011076.exe
PID 3464 wrote to memory of 3768	3464	smss.exe	1246011076.exe
PID 3464 wrote to memory of 3768	3464	smss.exe	1246011076.exe
PID 3768 wrote to memory of 2704	3768	1246011076.exe	2746621474.exe
PID 3768 wrote to memory of 2704	3768	1246011076.exe	2746621474.exe
PID 3768 wrote to memory of 2704	3768	1246011076.exe	2746621474.exe

C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe
"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\1126038252.exe
C:\Users\Admin\AppData\Local\Temp\1126038252.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968

C:\50781317113831\smss.exe
C:\50781317113831\smss.exe
3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\2648319356.exe
C:\Users\Admin\AppData\Local\Temp\2648319356.exe
4⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Temp\2345614391.exe
C:\Users\Admin\AppData\Local\Temp\2345614391.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\1290831180.exe
C:\Users\Admin\AppData\Local\Temp\1290831180.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40DD.tmp\40DE.tmp\40DF.bat C:\Users\Admin\AppData\Local\Temp\1290831180.exe"
6⤵
- Drops startup file
PID:4012

C:\Users\Admin\AppData\Local\Temp\1246011076.exe
C:\Users\Admin\AppData\Local\Temp\1246011076.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\2746621474.exe
C:\Users\Admin\AppData\Local\Temp\2746621474.exe
5⤵
- Executes dropped EXE
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\50781317113831\smss.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\50781317113831\smss.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1126038252.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1126038252.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1246011076.exe
MD5
94bfc6c684e0143e3543c5a3a0af7ccc

SHA1
ac3d8970df78ddf6b299e53e24b14fab9a512673

SHA256
dbd84d9bb51ac5a97476f14c91df0be135c6ada8cb49ef3e70bc8ad0fc013801

SHA512
b75981d5cb4f8096b5109a0e8eae30141f3c0f598f1a621b2915647c0b04573e6943c979b27dd2723d02e4cdcb19933a3de47e7f8e7c72eb0608ff7b31c481c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1246011076.exe
MD5
94bfc6c684e0143e3543c5a3a0af7ccc

SHA1
ac3d8970df78ddf6b299e53e24b14fab9a512673

SHA256
dbd84d9bb51ac5a97476f14c91df0be135c6ada8cb49ef3e70bc8ad0fc013801

SHA512
b75981d5cb4f8096b5109a0e8eae30141f3c0f598f1a621b2915647c0b04573e6943c979b27dd2723d02e4cdcb19933a3de47e7f8e7c72eb0608ff7b31c481c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1290831180.exe
MD5
d84e11ca2e8970c1b6d1066d5aea11c5

SHA1
36e763db197c2b41e9201fd6603e9f0c9628d429

SHA256
73dee9efe42b12582befda0154650efb83f6d33e6d6b69acf00b1d9b4ce3b518

SHA512
7132ba84a67a6991890e71e4069392c0b2b12d6e3ccedf8f8017c0a92928849e8ff4d6ca94b350c4605e1f56d839f067c73c37ba08305f6a57b737b0956fc8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1290831180.exe
MD5
d84e11ca2e8970c1b6d1066d5aea11c5

SHA1
36e763db197c2b41e9201fd6603e9f0c9628d429

SHA256
73dee9efe42b12582befda0154650efb83f6d33e6d6b69acf00b1d9b4ce3b518

SHA512
7132ba84a67a6991890e71e4069392c0b2b12d6e3ccedf8f8017c0a92928849e8ff4d6ca94b350c4605e1f56d839f067c73c37ba08305f6a57b737b0956fc8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2345614391.exe
MD5
f3318b4b120c21a6e415153315aef2fb

SHA1
23c6433cf48eb7361b227cf973ec0c977e868ffa

SHA256
069f4598f042e0eee51a9078ba2b08d42f198bb67f144dc898f42b76de136c21

SHA512
227e2661081fbf30b9c7f1a7c3f045741cb3f1678a7f459aded92a590d5b7f2a6596d3e2f0e97d3ce70de6eb3fae451278a69249871ea2fd451a06b2ac6fc3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2345614391.exe
MD5
f3318b4b120c21a6e415153315aef2fb

SHA1
23c6433cf48eb7361b227cf973ec0c977e868ffa

SHA256
069f4598f042e0eee51a9078ba2b08d42f198bb67f144dc898f42b76de136c21

SHA512
227e2661081fbf30b9c7f1a7c3f045741cb3f1678a7f459aded92a590d5b7f2a6596d3e2f0e97d3ce70de6eb3fae451278a69249871ea2fd451a06b2ac6fc3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2648319356.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2648319356.exe
MD5
e28889b5f98d8ed1a00835e1ca8a3b21

SHA1
b665e89468ac7ae566aa996aeec203b25bf24b0c

SHA256
0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73

SHA512
d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2746621474.exe
MD5
b1e29e528a7510be3c04dcff622f63ab

SHA1
ae8a2d88a4b0bcd8a11364be5a687f2a2a86d83a

SHA256
a98ccb74c29d4e6c3929cfea2f157dd53ce9c3ea67bd25934aab24f416ce9d13

SHA512
e7f59ab406d79832dacd0c4bdeb4bbbe8cc626bcf247502f8a817d2f2e39449450806976f5cb725a35f1bb1a58ef41488b32d6aea9cf3a54590c7989d3696040

Download Submit
C:\Users\Admin\AppData\Local\Temp\2746621474.exe
MD5
b1e29e528a7510be3c04dcff622f63ab

SHA1
ae8a2d88a4b0bcd8a11364be5a687f2a2a86d83a

SHA256
a98ccb74c29d4e6c3929cfea2f157dd53ce9c3ea67bd25934aab24f416ce9d13

SHA512
e7f59ab406d79832dacd0c4bdeb4bbbe8cc626bcf247502f8a817d2f2e39449450806976f5cb725a35f1bb1a58ef41488b32d6aea9cf3a54590c7989d3696040

Download Submit
C:\Users\Admin\AppData\Local\Temp\40DD.tmp\40DE.tmp\40DF.bat
MD5
a317b9bdc3a5e70f5e7964be46b9557d

SHA1
69421493be0fb5e61b498d8c331d0de7d978f886

SHA256
582da2e1c3d3fe2dc565e5fdf109f21ba9bbf8fea5b28a7d8ba98412043f4178

SHA512
c2f3b768b9df2e934f22a73a97c6a4cd062b092175c115dd9f4fa7f8ec8cfff4289286cac88ac62585424f328b2cea3c08decf587345b16bcdcb2ce7deb1fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\40DD.tmp\Defender.exe
MD5
150430cc02f3708fdd8bd79418a8985a

SHA1
ac471b51146c411c9697763dbd0ae9ef919397d9

SHA256
e02d9b5ece07693c4863747dddd58761dfebb2ef729deec937142ad97eabb474

SHA512
d1b972fd2da1ea1fee05657ce63466764c84e135d3c97463f4f1acb164a2ef306ae857b02f9f10628551b0bf29b8ae4715f0d6fa045531ce6189d80218f4d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\40DD.tmp\Process.exe
MD5
d65359ec05a8c4054b14768f4a04676f

SHA1
fc149a785aa8058d626610f5e0add97f4ccb4e91

SHA256
2bb15c50b0b33b900ee8a826fea73017d05f8cb562fb4027b6f1701e49fad73e

SHA512
c50be8d45cc771495057d08b836fc95cbf803c76ed58561b9b958e278c092cc74f387524176fa0d3f21e98904d8da44125e8b9df7db59d239abd3df9d8e667a8

Download Submit
memory/1924-123-0x0000000000000000-mapping.dmp

Download
memory/2148-120-0x0000000000000000-mapping.dmp

Download
memory/2704-136-0x0000000000000000-mapping.dmp

Download
memory/2968-114-0x0000000000000000-mapping.dmp

Download
memory/3464-117-0x0000000000000000-mapping.dmp

Download
memory/3768-133-0x0000000000000000-mapping.dmp

Download
memory/4012-129-0x0000000000000000-mapping.dmp

Download
memory/4016-126-0x0000000000000000-mapping.dmp

Download