phorphiex | 3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00623df2e344a8af515ce1c48b97541b.exe
Size

75KB
MD5

00623df2e344a8af515ce1c48b97541b
SHA1

a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
SHA256

3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
SHA512

3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
SSDEEP

1536:g53Mz8y5D0FLcNU33CxcuxrMhenfF3I8eeeeeeeeeeeeeeeeeeeWeeeee:BwLFLQs3vuxrPnfF3

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exesysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe

Executes dropped EXE 5 IoCs

Processes:

sysagrsv.exe1621913090.exe1216712185.exesysagrsv.exe2039332891.exe

pid process

3776 sysagrsv.exe
4956 1621913090.exe
604 1216712185.exe
4612 sysagrsv.exe
3504 2039332891.exe

pid	process
3776	sysagrsv.exe
4956	1621913090.exe
604	1216712185.exe
4612	sysagrsv.exe
3504	2039332891.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exesysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

00623df2e344a8af515ce1c48b97541b.exe1216712185.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	00623df2e344a8af515ce1c48b97541b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysagrsv.exe"	1216712185.exe

Drops file in Windows directory 3 IoCs

Processes:

00623df2e344a8af515ce1c48b97541b.exe1216712185.exe

description	ioc	process
File created	C:\Windows\sysagrsv.exe	00623df2e344a8af515ce1c48b97541b.exe
File opened for modification	C:\Windows\sysagrsv.exe	00623df2e344a8af515ce1c48b97541b.exe
File created	C:\Windows\sysagrsv.exe	1216712185.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

00623df2e344a8af515ce1c48b97541b.exesysagrsv.exe1216712185.exesysagrsv.exe

description	pid	process	target process
PID 3836 wrote to memory of 3776	3836	00623df2e344a8af515ce1c48b97541b.exe	sysagrsv.exe
PID 3836 wrote to memory of 3776	3836	00623df2e344a8af515ce1c48b97541b.exe	sysagrsv.exe
PID 3836 wrote to memory of 3776	3836	00623df2e344a8af515ce1c48b97541b.exe	sysagrsv.exe
PID 3776 wrote to memory of 4956	3776	sysagrsv.exe	1621913090.exe
PID 3776 wrote to memory of 4956	3776	sysagrsv.exe	1621913090.exe
PID 3776 wrote to memory of 4956	3776	sysagrsv.exe	1621913090.exe
PID 3776 wrote to memory of 604	3776	sysagrsv.exe	1216712185.exe
PID 3776 wrote to memory of 604	3776	sysagrsv.exe	1216712185.exe
PID 3776 wrote to memory of 604	3776	sysagrsv.exe	1216712185.exe
PID 604 wrote to memory of 4612	604	1216712185.exe	sysagrsv.exe
PID 604 wrote to memory of 4612	604	1216712185.exe	sysagrsv.exe
PID 604 wrote to memory of 4612	604	1216712185.exe	sysagrsv.exe
PID 4612 wrote to memory of 3504	4612	sysagrsv.exe	2039332891.exe
PID 4612 wrote to memory of 3504	4612	sysagrsv.exe	2039332891.exe
PID 4612 wrote to memory of 3504	4612	sysagrsv.exe	2039332891.exe

C:\Users\Admin\AppData\Local\Temp\00623df2e344a8af515ce1c48b97541b.exe
"C:\Users\Admin\AppData\Local\Temp\00623df2e344a8af515ce1c48b97541b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\sysagrsv.exe
C:\Windows\sysagrsv.exe
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\1621913090.exe
C:\Users\Admin\AppData\Local\Temp\1621913090.exe
3⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Local\Temp\1216712185.exe
C:\Users\Admin\AppData\Local\Temp\1216712185.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\sysagrsv.exe
C:\Users\Admin\sysagrsv.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\2039332891.exe
C:\Users\Admin\AppData\Local\Temp\2039332891.exe
5⤵
- Executes dropped EXE
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\1[1]
Filesize
6KB

MD5
35e1609b5e653be9ff4740e5b24dff64

SHA1
5fad868f2b10d73f8189b144009dd19faf846a1a

SHA256
cf9b08b51b1ac1a1819f6891135437eceda332bfdfab1ca6123081e5a0814ccc

SHA512
7846d98e7fa7f34628128bf25ddabe83d6f966e94f7c3140852066d0f01be8d67dd2602897abbb45fba01cf8530a8138e57aace71216f466c02847193863305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1216712185.exe
Filesize
75KB

MD5
00623df2e344a8af515ce1c48b97541b

SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1

SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\1216712185.exe
Filesize
75KB

MD5
00623df2e344a8af515ce1c48b97541b

SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1

SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\1621913090.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\1621913090.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039332891.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039332891.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\sysagrsv.exe
Filesize
75KB

MD5
00623df2e344a8af515ce1c48b97541b

SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1

SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10

Download Submit
C:\Users\Admin\sysagrsv.exe
Filesize
75KB

MD5
00623df2e344a8af515ce1c48b97541b

SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1

SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10

Download Submit
C:\Users\Admin\tbcmds.dat
Filesize
287B

MD5
9db6d96263b815fb8e0738323a94332a

SHA1
cd82591930c91bcb65dc2dfc6673facd0e6e0dfa

SHA256
fea26beea3999270022cb91f08a8f8f3ac6e25ad7440d0a8bbfc1c011caa0061

SHA512
c8cece250d245c1c696378ef5fd9bbc8410d6b3f7bf66b7341d7c07b076f806c3a50098203f260e80119dfa25da4019cd44fb524334e5ff301c42743563aaff1

Download Submit
C:\Users\Admin\tbnds.dat
Filesize
4KB

MD5
42bfb79858b490367ee945daf35b7bb0

SHA1
c3b03784c46e86071ac2d1d822b617e29d604b4a

SHA256
a24b9a3e4f230be24811a4622c11d630d96948345e1798152ad6ecd769ebf50a

SHA512
23b9bcf4cdb8ac75c1abba6cd27ed7c07090227ccb69e4979ed6685137771774ed0e161ebd6ea1fd10e768682497d93f4fa24749e808f396be2eb61a0d592691

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
00623df2e344a8af515ce1c48b97541b

SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1

SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
00623df2e344a8af515ce1c48b97541b

SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1

SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe

SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10

Download Submit
memory/604-138-0x0000000000000000-mapping.dmp

Download
memory/3504-145-0x0000000000000000-mapping.dmp

Download
memory/3776-132-0x0000000000000000-mapping.dmp

Download
memory/4612-141-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x0000000000000000-mapping.dmp

Download