phorphiex | 1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

General

Target

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
Size

454KB
MD5

749ca850ede36a942a2ff2984313299f
SHA1

b1d42108b09427c61e846b8f4f819cfe78f922a6
SHA256

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b
SHA512

5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Score

10^/10

phorphiex evasion loader persistence suricata trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/

Wallets

13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa

qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99

XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE

DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc

0x373b9854c9e4511b920372f5495640cdc25d6832

LSermtCTLWeS683x17AtYuhNT8MpMmVmi8

t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sysxhsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysxhsm.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2172-132-0x0000000000400000-0x000000000040E000-memory.dmp	family_phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysxhsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysxhsm.exe

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Executes dropped EXE 1 IoCs

Processes:

sysxhsm.exe

pid process

3240 sysxhsm.exe

pid	process
3240	sysxhsm.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysxhsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysxhsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysxhsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\16531652\\sysxhsm.exe"	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\16531652\\sysxhsm.exe"	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

Drops file in Windows directory 3 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

description	ioc	process
File created	C:\Windows\16531652\sysxhsm.exe	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
File opened for modification	C:\Windows\16531652\sysxhsm.exe	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
File opened for modification	C:\Windows\16531652	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exesysxhsm.exe

pid	process
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe
3240	sysxhsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exesysxhsm.exe

description	pid	process
Token: SeDebugPrivilege	2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
Token: SeDebugPrivilege	3240	sysxhsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exesysxhsm.exe

pid	process
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
3240	sysxhsm.exe
3240	sysxhsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe

description	pid	process	target process
PID 2172 wrote to memory of 3240	2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysxhsm.exe
PID 2172 wrote to memory of 3240	2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysxhsm.exe
PID 2172 wrote to memory of 3240	2172	1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe	sysxhsm.exe

C:\Users\Admin\AppData\Local\Temp\1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe
"C:\Users\Admin\AppData\Local\Temp\1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\16531652\sysxhsm.exe
  C:\Windows\16531652\sysxhsm.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\16531652\sysxhsm.exe

Filesize
454KB

MD5
749ca850ede36a942a2ff2984313299f

SHA1
b1d42108b09427c61e846b8f4f819cfe78f922a6

SHA256
1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

SHA512
5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Download Submit
C:\Windows\16531652\sysxhsm.exe

Filesize
454KB

MD5
749ca850ede36a942a2ff2984313299f

SHA1
b1d42108b09427c61e846b8f4f819cfe78f922a6

SHA256
1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b

SHA512
5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea

Download Submit
memory/2172-130-0x00000000002F0000-0x0000000000368000-memory.dmp

Filesize
480KB

Download
memory/2172-131-0x00000000002F0000-0x0000000000368000-memory.dmp

Filesize
480KB

Download
memory/2172-132-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3240-137-0x0000000000000000-mapping.dmp

Download
memory/3240-140-0x0000000000BB0000-0x0000000000C28000-memory.dmp

Filesize
480KB

Download
memory/3240-146-0x0000000000BB0000-0x0000000000C28000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads