phorphiex | b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

Analysis

max time kernel
70s
max time network
113s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
Size

340KB
MD5

c73cff9e8afd69413185adb5b1ee319b
SHA1

fd0a136d08ede4cb79258252c423de43e1e6f961
SHA256

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f
SHA512

cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://193.32.161.73/

Wallets

1Bn4JYKoVgQpZ73doWVFSNZBbwKj3cpJNR

qqsagteh4m6qunmgrrknulafzcdlmzn35yeggvq8qk

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0x05F916216CC4BA6ac89b8093d474E2a1e6121c63

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sysqwxk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysqwxk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysqwxk.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-56-0x00000000003F0000-0x00000000003FD000-memory.dmp	family_phorphiex
behavioral1/memory/1544-68-0x0000000000390000-0x000000000039D000-memory.dmp	family_phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysqwxk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysqwxk.exe

Executes dropped EXE 1 IoCs

Processes:

sysqwxk.exe

pid process

1544 sysqwxk.exe

pid	process
1544	sysqwxk.exe

Loads dropped DLL 7 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exeWerFault.exe

pid	process
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysqwxk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysqwxk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysqwxk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\455421453\\sysqwxk.exe"	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\455421453\\sysqwxk.exe"	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

Drops file in Program Files directory 3 IoCs

Processes:

sysqwxk.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	sysqwxk.exe
File opened for modification	C:\Program Files\7-Zip\7zfm.exe	sysqwxk.exe
File opened for modification	C:\Program Files\7-Zip\7zg.exe	sysqwxk.exe

Drops file in Windows directory 3 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

description	ioc	process
File created	C:\Windows\455421453\sysqwxk.exe	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
File opened for modification	C:\Windows\455421453\sysqwxk.exe	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
File opened for modification	C:\Windows\455421453	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1724 1544 WerFault.exe sysqwxk.exe

pid	pid_target	process	target process
1724	1544	WerFault.exe	sysqwxk.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqwxk.exe

pid	process
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe
1544	sysqwxk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqwxk.exe

description	pid	process
Token: SeDebugPrivilege	1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
Token: SeDebugPrivilege	1544	sysqwxk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqwxk.exe

pid	process
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
1544	sysqwxk.exe
1544	sysqwxk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqwxk.exe

description	pid	process	target process
PID 1668 wrote to memory of 1544	1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqwxk.exe
PID 1668 wrote to memory of 1544	1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqwxk.exe
PID 1668 wrote to memory of 1544	1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqwxk.exe
PID 1668 wrote to memory of 1544	1668	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqwxk.exe
PID 1544 wrote to memory of 1724	1544	sysqwxk.exe	WerFault.exe
PID 1544 wrote to memory of 1724	1544	sysqwxk.exe	WerFault.exe
PID 1544 wrote to memory of 1724	1544	sysqwxk.exe	WerFault.exe
PID 1544 wrote to memory of 1724	1544	sysqwxk.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
"C:\Users\Admin\AppData\Local\Temp\b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\455421453\sysqwxk.exe
C:\Windows\455421453\sysqwxk.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1804
3⤵
- Loads dropped DLL
- Program crash
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
C:\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
\Windows\455421453\sysqwxk.exe
Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
memory/1544-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-68-0x0000000000390000-0x000000000039D000-memory.dmp

Filesize
52KB

Download
memory/1544-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-64-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1668-61-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1668-56-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/1668-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1724-75-0x0000000000000000-mapping.dmp

Download