phorphiex | 78a973ace68c9666e5ec28c53be0d2d36bde2d419c10fa6ed939156d199a18ef

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-01-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e085c86990a0c1bd74cc290eaef3144f.exe
Size

6KB
MD5

e085c86990a0c1bd74cc290eaef3144f
SHA1

1ad534abb623d127685f6a4dd7e1fdd751940e52
SHA256

78a973ace68c9666e5ec28c53be0d2d36bde2d419c10fa6ed939156d199a18ef
SHA512

5cf35ea9b791503a181f5cee5db2dad261cf42368932ebbe3a8d7d214368f5493fc2f663ab900ae4e6247114334c79662eaec0b0d03f2e0e2799feba1c1cc783
SSDEEP

96:ebd1t761bndKil7aBcxu0PtboynuYUBtCt:8t7Yb975u0P1oynfUBM

Score

10^/10

phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

syswsvdrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syswsvdrv.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

2479230187.exesyswsvdrv.exe146885537.exeWindows Security Updates.exeWindows Security Updates.exeWindows Security Updates.exe

pid	process
908	2479230187.exe
268	syswsvdrv.exe
656	146885537.exe
1120	Windows Security Updates.exe
1640	Windows Security Updates.exe
1800	Windows Security Updates.exe

Loads dropped DLL 6 IoCs

Processes:

e085c86990a0c1bd74cc290eaef3144f.exesyswsvdrv.exe146885537.exe

pid	process
1792	e085c86990a0c1bd74cc290eaef3144f.exe
1792	e085c86990a0c1bd74cc290eaef3144f.exe
268	syswsvdrv.exe
656	146885537.exe
656	146885537.exe
656	146885537.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

syswsvdrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syswsvdrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syswsvdrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2479230187.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syswsvdrv.exe"	2479230187.exe

Drops file in Windows directory 2 IoCs

Processes:

2479230187.exe

description ioc process

File created C:\Windows\syswsvdrv.exe 2479230187.exe
File opened for modification C:\Windows\syswsvdrv.exe 2479230187.exe

description	ioc	process
File created	C:\Windows\syswsvdrv.exe	2479230187.exe
File opened for modification	C:\Windows\syswsvdrv.exe	2479230187.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e085c86990a0c1bd74cc290eaef3144f.exe2479230187.exesyswsvdrv.exe146885537.exe

description	pid	process	target process
PID 1792 wrote to memory of 908	1792	e085c86990a0c1bd74cc290eaef3144f.exe	2479230187.exe
PID 1792 wrote to memory of 908	1792	e085c86990a0c1bd74cc290eaef3144f.exe	2479230187.exe
PID 1792 wrote to memory of 908	1792	e085c86990a0c1bd74cc290eaef3144f.exe	2479230187.exe
PID 1792 wrote to memory of 908	1792	e085c86990a0c1bd74cc290eaef3144f.exe	2479230187.exe
PID 908 wrote to memory of 268	908	2479230187.exe	syswsvdrv.exe
PID 908 wrote to memory of 268	908	2479230187.exe	syswsvdrv.exe
PID 908 wrote to memory of 268	908	2479230187.exe	syswsvdrv.exe
PID 908 wrote to memory of 268	908	2479230187.exe	syswsvdrv.exe
PID 268 wrote to memory of 656	268	syswsvdrv.exe	146885537.exe
PID 268 wrote to memory of 656	268	syswsvdrv.exe	146885537.exe
PID 268 wrote to memory of 656	268	syswsvdrv.exe	146885537.exe
PID 268 wrote to memory of 656	268	syswsvdrv.exe	146885537.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1120	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1640	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe
PID 656 wrote to memory of 1800	656	146885537.exe	Windows Security Updates.exe

C:\Users\Admin\AppData\Local\Temp\e085c86990a0c1bd74cc290eaef3144f.exe
"C:\Users\Admin\AppData\Local\Temp\e085c86990a0c1bd74cc290eaef3144f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\2479230187.exe
C:\Users\Admin\AppData\Local\Temp\2479230187.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\syswsvdrv.exe
C:\Windows\syswsvdrv.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\146885537.exe
C:\Users\Admin\AppData\Local\Temp\146885537.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe"
5⤵
- Executes dropped EXE
PID:1120

C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe"
5⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe"
5⤵
- Executes dropped EXE
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\146885537.exe
Filesize
6KB

MD5
2a5dabdfbfac8e72189748ec204d3d7c

SHA1
e11015e684fe8998c350c507c105cb5752298515

SHA256
b45e02bdfabecfe7dfaa005af42b4500fe940bbfc8a1f7d6e9b242042a2e9618

SHA512
19ff2cf0f8eec341c50deb15fe24009b04e9c8f3ae71c9a61eb3fe567910035bdaf86e31993d388cab2c3c6648d24723469016333cbff932e20a330bc64ad312

Download Submit
C:\Users\Admin\AppData\Local\Temp\2479230187.exe
Filesize
74KB

MD5
024def417ae82e4c14a313a153d8984c

SHA1
ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae

SHA256
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72

SHA512
0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\2479230187.exe
Filesize
74KB

MD5
024def417ae82e4c14a313a153d8984c

SHA1
ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae

SHA256
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72

SHA512
0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
C:\Windows\syswsvdrv.exe
Filesize
74KB

MD5
024def417ae82e4c14a313a153d8984c

SHA1
ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae

SHA256
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72

SHA512
0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Download Submit
C:\Windows\syswsvdrv.exe
Filesize
74KB

MD5
024def417ae82e4c14a313a153d8984c

SHA1
ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae

SHA256
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72

SHA512
0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Download Submit
\Users\Admin\AppData\Local\Temp\146885537.exe
Filesize
6KB

MD5
2a5dabdfbfac8e72189748ec204d3d7c

SHA1
e11015e684fe8998c350c507c105cb5752298515

SHA256
b45e02bdfabecfe7dfaa005af42b4500fe940bbfc8a1f7d6e9b242042a2e9618

SHA512
19ff2cf0f8eec341c50deb15fe24009b04e9c8f3ae71c9a61eb3fe567910035bdaf86e31993d388cab2c3c6648d24723469016333cbff932e20a330bc64ad312

Download Submit
\Users\Admin\AppData\Local\Temp\2479230187.exe
Filesize
74KB

MD5
024def417ae82e4c14a313a153d8984c

SHA1
ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae

SHA256
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72

SHA512
0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Download Submit
\Users\Admin\AppData\Local\Temp\2479230187.exe
Filesize
74KB

MD5
024def417ae82e4c14a313a153d8984c

SHA1
ce7c071cbd60c7864a1e8a99f7496d3ad166a3ae

SHA256
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72

SHA512
0f3429a77e168bd5b800b8a611a61c327907c9fc35e4351189bd379aaea82ced1e0abd5c5fb2baf1e7796aa09d9cf9cd9feab26cbb82035bd352ab5f7399e400

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security Updates.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
memory/268-61-0x0000000000000000-mapping.dmp

Download
memory/656-66-0x0000000000000000-mapping.dmp

Download
memory/908-57-0x0000000000000000-mapping.dmp

Download
memory/1120-70-0x0000000000000000-mapping.dmp

Download
memory/1640-73-0x0000000000000000-mapping.dmp

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1800-76-0x0000000000000000-mapping.dmp

Download