phorphiex | e9f02e616deb5c63cb19292ae6f9e8f6f6ee950f8172d1a8607256f6a210e978

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08148dca51b3f5ed007267d13f4f0f3f.exe
Size

6KB
MD5

08148dca51b3f5ed007267d13f4f0f3f
SHA1

ec5a8fc25eb56de6c2fc721229ced12eb9435d6c
SHA256

e9f02e616deb5c63cb19292ae6f9e8f6f6ee950f8172d1a8607256f6a210e978
SHA512

f1f65e7455e2a52c94473e68ccbd097e2fa7b988700551cd79262d99ac545399a94238a42140386d4c7244753c01d0d9175d560ab3bd7e570742cda087bb8468
SSDEEP

96:eaYN1t761bndKyl7ayAcR3PtboynuYUBtCt:Gt7YbN7jz3P1oynfUBM

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

1536526456.exesysagrsv.exe2916231465.exe250285512.exe

pid process

2016 1536526456.exe
1752 sysagrsv.exe
1996 2916231465.exe
1928 250285512.exe
Loads dropped DLL 4 IoCs

Processes:

08148dca51b3f5ed007267d13f4f0f3f.exesysagrsv.exe

pid process

1676 08148dca51b3f5ed007267d13f4f0f3f.exe
1676 08148dca51b3f5ed007267d13f4f0f3f.exe
1752 sysagrsv.exe
1752 sysagrsv.exe

pid	process
2016	1536526456.exe
1752	sysagrsv.exe
1996	2916231465.exe
1928	250285512.exe

pid	process
1676	08148dca51b3f5ed007267d13f4f0f3f.exe
1676	08148dca51b3f5ed007267d13f4f0f3f.exe
1752	sysagrsv.exe
1752	sysagrsv.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1536526456.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	1536526456.exe

Drops file in Windows directory 2 IoCs

Processes:

1536526456.exe

description ioc process

File created C:\Windows\sysagrsv.exe 1536526456.exe
File opened for modification C:\Windows\sysagrsv.exe 1536526456.exe

description	ioc	process
File created	C:\Windows\sysagrsv.exe	1536526456.exe
File opened for modification	C:\Windows\sysagrsv.exe	1536526456.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

08148dca51b3f5ed007267d13f4f0f3f.exe1536526456.exesysagrsv.exe

description	pid	process	target process
PID 1676 wrote to memory of 2016	1676	08148dca51b3f5ed007267d13f4f0f3f.exe	1536526456.exe
PID 1676 wrote to memory of 2016	1676	08148dca51b3f5ed007267d13f4f0f3f.exe	1536526456.exe
PID 1676 wrote to memory of 2016	1676	08148dca51b3f5ed007267d13f4f0f3f.exe	1536526456.exe
PID 1676 wrote to memory of 2016	1676	08148dca51b3f5ed007267d13f4f0f3f.exe	1536526456.exe
PID 2016 wrote to memory of 1752	2016	1536526456.exe	sysagrsv.exe
PID 2016 wrote to memory of 1752	2016	1536526456.exe	sysagrsv.exe
PID 2016 wrote to memory of 1752	2016	1536526456.exe	sysagrsv.exe
PID 2016 wrote to memory of 1752	2016	1536526456.exe	sysagrsv.exe
PID 1752 wrote to memory of 1996	1752	sysagrsv.exe	2916231465.exe
PID 1752 wrote to memory of 1996	1752	sysagrsv.exe	2916231465.exe
PID 1752 wrote to memory of 1996	1752	sysagrsv.exe	2916231465.exe
PID 1752 wrote to memory of 1996	1752	sysagrsv.exe	2916231465.exe
PID 1752 wrote to memory of 1928	1752	sysagrsv.exe	250285512.exe
PID 1752 wrote to memory of 1928	1752	sysagrsv.exe	250285512.exe
PID 1752 wrote to memory of 1928	1752	sysagrsv.exe	250285512.exe
PID 1752 wrote to memory of 1928	1752	sysagrsv.exe	250285512.exe

C:\Users\Admin\AppData\Local\Temp\08148dca51b3f5ed007267d13f4f0f3f.exe
"C:\Users\Admin\AppData\Local\Temp\08148dca51b3f5ed007267d13f4f0f3f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\1536526456.exe
C:\Users\Admin\AppData\Local\Temp\1536526456.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\sysagrsv.exe
C:\Windows\sysagrsv.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\2916231465.exe
C:\Users\Admin\AppData\Local\Temp\2916231465.exe
4⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\250285512.exe
C:\Users\Admin\AppData\Local\Temp\250285512.exe
4⤵
- Executes dropped EXE
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1536526456.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
C:\Users\Admin\AppData\Local\Temp\1536526456.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
C:\Users\Admin\AppData\Local\Temp\250285512.exe
Filesize
6KB

MD5
193377d2d76a2da52c4935780e780ed8

SHA1
6d42df6ea3b97a2a41805a3a1e8f0a786bcd88c7

SHA256
9e6525d7e908ca4da3408723eb5c9870b04fed13f45de44566d6992e8909bb06

SHA512
c32c5f35e9b1e4967c5e6f2311457195cdde6013a9f67155b55b322134472cee803fd5099fd2bf8ca9c03e0d8287ca7b9ff9b4c8290464ab943ef18ac375536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2916231465.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
\Users\Admin\AppData\Local\Temp\1536526456.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
\Users\Admin\AppData\Local\Temp\1536526456.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
\Users\Admin\AppData\Local\Temp\250285512.exe
Filesize
6KB

MD5
193377d2d76a2da52c4935780e780ed8

SHA1
6d42df6ea3b97a2a41805a3a1e8f0a786bcd88c7

SHA256
9e6525d7e908ca4da3408723eb5c9870b04fed13f45de44566d6992e8909bb06

SHA512
c32c5f35e9b1e4967c5e6f2311457195cdde6013a9f67155b55b322134472cee803fd5099fd2bf8ca9c03e0d8287ca7b9ff9b4c8290464ab943ef18ac375536d

Download Submit
\Users\Admin\AppData\Local\Temp\2916231465.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
memory/1676-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1752-61-0x0000000000000000-mapping.dmp

Download
memory/1928-70-0x0000000000000000-mapping.dmp

Download
memory/1996-66-0x0000000000000000-mapping.dmp

Download
memory/2016-57-0x0000000000000000-mapping.dmp

Download