phorphiex | 68dd15c384e6d7b3fc6afeda9a17df9ffa55ed29861e9249751488b03abac2fc

General

Target

SecuriteInfo.com.Win32.KadrBot.3776.11399.exe
Size

73KB
MD5

45fcc38f53e4ba514815477f91618a47
SHA1

e971641482d77987e082289c38388052465b2117
SHA256

68dd15c384e6d7b3fc6afeda9a17df9ffa55ed29861e9249751488b03abac2fc
SHA512

99f0a43b7e0bf732a87cbb36c84ec10d72d4e60d3fa805c908597956cdde005d60e225f24d24da5a07747bd5265eeb78edc7e5f5c0da1f005cac5c21ac53f08d
SSDEEP

1536:q3Mz8qPJhOiwf80HUAB0jguYmi159R7wKcfF4:RwEJhOBHpuEHmi1ZEFfF

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/twizt/

Wallets

12SJv5p8xUHeiKnXPCDaKCMpqvXj7TABT5BSxGt3csz9Beuc

1A6utf8R2zfLL7X31T5QRHdQyAx16BjdFD

3PFzu8Rw8aDNhDT6d5FMrZ3ckE4dEHzogfg

3BJS4zYwrnfcJMm4xLxRcsa69ght8n6QWz

qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

XgWbWpuyPGney7hcS9vZ7eNhkj7WcvGcj8

DPcSSyFAYLu4aEB4s1Yotb8ANwtx6bZEQG

0xb899fC445a1b61Cdd62266795193203aa72351fE

LRDpmP5wHZ82LZimzWDLHVqJPDSpkM1gZ7

r1eZ7W1fmUT9tiUZwK6rr3g6RNiE4QpU1

TBdEh7r35ywUD5omutc2kDTX7rXhnFkxy5

t1T7mBRBgTYPEL9RPPBnAVgcftiWUPBFWyy

AGUqhQzF52Qwbvun5wQSrpokPtCC4b9yiX

bitcoincash:qpzj59cm0dcyxy9597x927fx0wzu75nns5lsm2452k

43ABGVDKXksdy7UTP8aHqkRf4xAVDmKKXBYDRevAadwaLJhHzH4ubZHGLjVpLc5ZWk7TVmHbHHAWUBF78mx1YG4eNbww6fr

GCVFMTUKNLFBGHE3AHRJH4IJDRZGWOJ6JD2FQTFQAAIQR64ALD7QJHUY

bnb1rcg9mnkzna2tw4u8ughyaj6ja8feyj87hss9ky

bc1qzs2hs5dvyx04h0erq4ea72sctcre2rcwadsq2v

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysredvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
1572	sysredvcs.exe
4488	65899346.exe
4652	477333328.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	477333328.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysredvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysredvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysredvcs.exe"	SecuriteInfo.com.Win32.KadrBot.3776.11399.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysredvcs.exe	SecuriteInfo.com.Win32.KadrBot.3776.11399.exe
File opened for modification	C:\Windows\sysredvcs.exe	SecuriteInfo.com.Win32.KadrBot.3776.11399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1572	2368	SecuriteInfo.com.Win32.KadrBot.3776.11399.exe	81
PID 2368 wrote to memory of 1572	2368	SecuriteInfo.com.Win32.KadrBot.3776.11399.exe	81
PID 2368 wrote to memory of 1572	2368	SecuriteInfo.com.Win32.KadrBot.3776.11399.exe	81
PID 1572 wrote to memory of 4488	1572	sysredvcs.exe	88
PID 1572 wrote to memory of 4488	1572	sysredvcs.exe	88
PID 1572 wrote to memory of 4488	1572	sysredvcs.exe	88
PID 1572 wrote to memory of 4652	1572	sysredvcs.exe	90
PID 1572 wrote to memory of 4652	1572	sysredvcs.exe	90
PID 4652 wrote to memory of 4764	4652	477333328.exe	91
PID 4652 wrote to memory of 4764	4652	477333328.exe	91
PID 4652 wrote to memory of 2016	4652	477333328.exe	93
PID 4652 wrote to memory of 2016	4652	477333328.exe	93
PID 4764 wrote to memory of 2468	4764	cmd.exe	95
PID 4764 wrote to memory of 2468	4764	cmd.exe	95
PID 2016 wrote to memory of 1088	2016	cmd.exe	96
PID 2016 wrote to memory of 1088	2016	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.KadrBot.3776.11399.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.KadrBot.3776.11399.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\sysredvcs.exe
  C:\Windows\sysredvcs.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\65899346.exe
    C:\Users\Admin\AppData\Local\Temp\65899346.exe
    3⤵
    - Executes dropped EXE
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\477333328.exe
    C:\Users\Admin\AppData\Local\Temp\477333328.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /f
        5⤵
        
        PID:2468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "GoogleUpdateTaskMachineQC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "GoogleUpdateTaskMachineQC"
        5⤵
        
        PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\477333328.exe

Filesize
6KB

MD5
6709b681a9066706ccdb2e51ec46abf3

SHA1
1f8f945add7071b731123d6cf5218a97ffa1a27f

SHA256
9cd42d2fda1280b56a3b3a02e8fbe4a85f3bcff978f7d25167696c80d62bbcc9

SHA512
a36bedd4fecbe318e35a45d6f133029488fc2932b3a4a6c106a78ad560543f0f7a922eade637e181b1fe17b24018d20ecaa9c7d762097404b85e27c17197bc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\477333328.exe

Filesize
6KB

MD5
6709b681a9066706ccdb2e51ec46abf3

SHA1
1f8f945add7071b731123d6cf5218a97ffa1a27f

SHA256
9cd42d2fda1280b56a3b3a02e8fbe4a85f3bcff978f7d25167696c80d62bbcc9

SHA512
a36bedd4fecbe318e35a45d6f133029488fc2932b3a4a6c106a78ad560543f0f7a922eade637e181b1fe17b24018d20ecaa9c7d762097404b85e27c17197bc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\65899346.exe

Filesize
6KB

MD5
083b15eab7618da9dc5c8ad941873d1a

SHA1
0f96a825435929e7510e1e8c234b2bc6ae4c049e

SHA256
439426d267966d8ca1a2dee65cc63dc5899b8ed9f07a84662c8c836bb3c77acd

SHA512
44b796689a204ac1d9dfa252b00d5c307710a47133f844f27e05e34bd74ff7f8d76b119ff03564039c09465de2b32e2374647a139fe69ff91e795ebef7cb3b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\65899346.exe

Filesize
6KB

MD5
083b15eab7618da9dc5c8ad941873d1a

SHA1
0f96a825435929e7510e1e8c234b2bc6ae4c049e

SHA256
439426d267966d8ca1a2dee65cc63dc5899b8ed9f07a84662c8c836bb3c77acd

SHA512
44b796689a204ac1d9dfa252b00d5c307710a47133f844f27e05e34bd74ff7f8d76b119ff03564039c09465de2b32e2374647a139fe69ff91e795ebef7cb3b81

Download Submit
C:\Windows\sysredvcs.exe

Filesize
73KB

MD5
45fcc38f53e4ba514815477f91618a47

SHA1
e971641482d77987e082289c38388052465b2117

SHA256
68dd15c384e6d7b3fc6afeda9a17df9ffa55ed29861e9249751488b03abac2fc

SHA512
99f0a43b7e0bf732a87cbb36c84ec10d72d4e60d3fa805c908597956cdde005d60e225f24d24da5a07747bd5265eeb78edc7e5f5c0da1f005cac5c21ac53f08d

Download Submit
C:\Windows\sysredvcs.exe

Filesize
73KB

MD5
45fcc38f53e4ba514815477f91618a47

SHA1
e971641482d77987e082289c38388052465b2117

SHA256
68dd15c384e6d7b3fc6afeda9a17df9ffa55ed29861e9249751488b03abac2fc

SHA512
99f0a43b7e0bf732a87cbb36c84ec10d72d4e60d3fa805c908597956cdde005d60e225f24d24da5a07747bd5265eeb78edc7e5f5c0da1f005cac5c21ac53f08d

Download Submit
memory/4652-144-0x0000000000D70000-0x0000000000D76000-memory.dmp

Filesize
24KB

Download
memory/4652-149-0x00007FFB3D1C0000-0x00007FFB3DC81000-memory.dmp

Filesize
10.8MB

Download
memory/4652-150-0x00007FFB3D1C0000-0x00007FFB3DC81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads