Overview

overview

10

Static

static

10

f878382efb...41.exe

windows7_x64

10

f878382efb...41.exe

windows10_x64

10

Resubmissions

12-11-2021 18:04

211112-wnsjnsdhh4 10

01-10-2021 16:29

211001-tza3nacdfk 10

Analysis

  • max time kernel
    300s
  • max time network
    303s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    01-10-2021 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe

  • Size

    75KB

  • MD5

    4ece4d073b759e00584078490e1424f8

  • SHA1

    a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc

  • SHA256

    f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241

  • SHA512

    0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

Score
10/10
phorphiexevasionloaderpersistencesuricatatrojanworm

Malware Config

Signatures

  • Phorphiex Payload 2 IoCs
  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE APT-C-23 Activity (GET)

    suricata: ET MALWARE APT-C-23 Activity (GET)

    suricata
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
    "C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\131019982546\svchost.exe
      C:\131019982546\svchost.exe
      2⤵
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Local\Temp\1681017508.exe
        C:\Users\Admin\AppData\Local\Temp\1681017508.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Windows\wsecsvcmgr.exe
          C:\Windows\wsecsvcmgr.exe
          4⤵
          • Executes dropped EXE
          • Windows security modification
          PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\131019982546\svchost.exe
    MD5

    4ece4d073b759e00584078490e1424f8

    SHA1

    a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc

    SHA256

    f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241

    SHA512

    0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

    Download Submit
  • C:\131019982546\svchost.exe
    MD5

    4ece4d073b759e00584078490e1424f8

    SHA1

    a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc

    SHA256

    f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241

    SHA512

    0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\1681017508.exe
    MD5

    c532ac418f3e867907c2757a7ca56a53

    SHA1

    0583af526b3825a570237c0d954c445fb30948d3

    SHA256

    555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99

    SHA512

    4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\1681017508.exe
    MD5

    c532ac418f3e867907c2757a7ca56a53

    SHA1

    0583af526b3825a570237c0d954c445fb30948d3

    SHA256

    555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99

    SHA512

    4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

    Download Submit
  • C:\Windows\wsecsvcmgr.exe
    MD5

    c532ac418f3e867907c2757a7ca56a53

    SHA1

    0583af526b3825a570237c0d954c445fb30948d3

    SHA256

    555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99

    SHA512

    4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

    Download Submit
  • C:\Windows\wsecsvcmgr.exe
    MD5

    c532ac418f3e867907c2757a7ca56a53

    SHA1

    0583af526b3825a570237c0d954c445fb30948d3

    SHA256

    555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99

    SHA512

    4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

    Download Submit
  • memory/4012-121-0x0000000000000000-mapping.dmp
    Download
  • memory/4292-118-0x0000000000000000-mapping.dmp
    Download
  • memory/4300-115-0x0000000000000000-mapping.dmp
    Download