phorphiex | 1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

General

Target

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
Size

454KB
MD5

749ca850ede36a942a2ff2984313299f
SHA1

b1d42108b09427c61e846b8f4f819cfe78f922a6
SHA256

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b
SHA512

5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Score

10^/10

phorphiex evasion loader persistence suricata trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/

Wallets

13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa

qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99

XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE

DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc

0x373b9854c9e4511b920372f5495640cdc25d6832

LSermtCTLWeS683x17AtYuhNT8MpMmVmi8

t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sysymul.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysymul.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-56-0x0000000000400000-0x000000000040E000-memory.dmp	family_phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysymul.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysymul.exe

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

sysymul.exe

pid process

980 sysymul.exe
Loads dropped DLL 1 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

pid process

1724 1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

pid	process
980	sysymul.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysymul.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysymul.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysymul.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\2032813068\\sysymul.exe"	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\2032813068\\sysymul.exe"	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

Drops file in Windows directory 3 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

description	ioc	process
File created	C:\Windows\2032813068\sysymul.exe	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
File opened for modification	C:\Windows\2032813068\sysymul.exe	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
File opened for modification	C:\Windows\2032813068	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exesysymul.exe

pid	process
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe
980	sysymul.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exesysymul.exe

description	pid	process
Token: SeDebugPrivilege	1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
Token: SeDebugPrivilege	980	sysymul.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exesysymul.exe

pid	process
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
980	sysymul.exe
980	sysymul.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

description	pid	process	target process
PID 1724 wrote to memory of 980	1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysymul.exe
PID 1724 wrote to memory of 980	1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysymul.exe
PID 1724 wrote to memory of 980	1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysymul.exe
PID 1724 wrote to memory of 980	1724	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysymul.exe

C:\Users\Admin\AppData\Local\Temp\1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
"C:\Users\Admin\AppData\Local\Temp\1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\2032813068\sysymul.exe
  C:\Windows\2032813068\sysymul.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2032813068\sysymul.exe

Filesize
454KB

MD5
749ca850ede36a942a2ff2984313299f

SHA1
b1d42108b09427c61e846b8f4f819cfe78f922a6

SHA256
1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

SHA512
5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Download Submit
C:\Windows\2032813068\sysymul.exe

Filesize
454KB

MD5
749ca850ede36a942a2ff2984313299f

SHA1
b1d42108b09427c61e846b8f4f819cfe78f922a6

SHA256
1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

SHA512
5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Download Submit
\Windows\2032813068\sysymul.exe

Filesize
454KB

MD5
749ca850ede36a942a2ff2984313299f

SHA1
b1d42108b09427c61e846b8f4f819cfe78f922a6

SHA256
1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

SHA512
5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Download Submit
memory/980-63-0x0000000000000000-mapping.dmp

Download
memory/980-67-0x0000000001150000-0x00000000011C8000-memory.dmp

Filesize
480KB

Download
memory/980-73-0x0000000001150000-0x00000000011C8000-memory.dmp

Filesize
480KB

Download
memory/1724-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1724-55-0x0000000001280000-0x00000000012F8000-memory.dmp

Filesize
480KB

Download
memory/1724-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1724-61-0x0000000001280000-0x00000000012F8000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads