phorphiex | f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe
Size

534KB
MD5

0db1ba9cccb1979cd66f0c8f2e945f36
SHA1

880af0125f57e6f06e45bd618a118279c91333c4
SHA256

f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c
SHA512

1f15bb89f4b11db3df2fcf99e8660560cec3de8e4eed2c58a138c60a409baaac7da657b59955b3f2cbbec09edf5e1915f1dc2d26254d5cbc9a07d65a6ad51ce7
SSDEEP

6144:lAqvMo118G8LDNrlwPdDmRekgpNGfSzHB25w3jkYtGhLYuOVQhh3A94Uw1CClytm:lAqkoCtQO4Nai3jk/P3hK3on0GZVPB

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

DA68.exe1479912548.exesysagrsv.exe330682327.exe67898328.exe

pid process

1904 DA68.exe
1968 1479912548.exe
1036 sysagrsv.exe
1880 330682327.exe
1584 67898328.exe

pid	process
1904	DA68.exe
1968	1479912548.exe
1036	sysagrsv.exe
1880	330682327.exe
1584	67898328.exe

Loads dropped DLL 6 IoCs

Processes:

f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exeDA68.exesysagrsv.exe

pid	process
988	f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe
1904	DA68.exe
1904	DA68.exe
1036	sysagrsv.exe
1036	sysagrsv.exe
1036	sysagrsv.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1479912548.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	1479912548.exe

Drops file in Windows directory 2 IoCs

Processes:

1479912548.exe

description ioc process

File created C:\Windows\sysagrsv.exe 1479912548.exe
File opened for modification C:\Windows\sysagrsv.exe 1479912548.exe

description	ioc	process
File created	C:\Windows\sysagrsv.exe	1479912548.exe
File opened for modification	C:\Windows\sysagrsv.exe	1479912548.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exeDA68.exe1479912548.exesysagrsv.exe

description	pid	process	target process
PID 988 wrote to memory of 1904	988	f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe	DA68.exe
PID 988 wrote to memory of 1904	988	f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe	DA68.exe
PID 988 wrote to memory of 1904	988	f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe	DA68.exe
PID 988 wrote to memory of 1904	988	f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe	DA68.exe
PID 1904 wrote to memory of 1968	1904	DA68.exe	1479912548.exe
PID 1904 wrote to memory of 1968	1904	DA68.exe	1479912548.exe
PID 1904 wrote to memory of 1968	1904	DA68.exe	1479912548.exe
PID 1904 wrote to memory of 1968	1904	DA68.exe	1479912548.exe
PID 1968 wrote to memory of 1036	1968	1479912548.exe	sysagrsv.exe
PID 1968 wrote to memory of 1036	1968	1479912548.exe	sysagrsv.exe
PID 1968 wrote to memory of 1036	1968	1479912548.exe	sysagrsv.exe
PID 1968 wrote to memory of 1036	1968	1479912548.exe	sysagrsv.exe
PID 1036 wrote to memory of 1880	1036	sysagrsv.exe	330682327.exe
PID 1036 wrote to memory of 1880	1036	sysagrsv.exe	330682327.exe
PID 1036 wrote to memory of 1880	1036	sysagrsv.exe	330682327.exe
PID 1036 wrote to memory of 1880	1036	sysagrsv.exe	330682327.exe
PID 1036 wrote to memory of 1584	1036	sysagrsv.exe	67898328.exe
PID 1036 wrote to memory of 1584	1036	sysagrsv.exe	67898328.exe
PID 1036 wrote to memory of 1584	1036	sysagrsv.exe	67898328.exe
PID 1036 wrote to memory of 1584	1036	sysagrsv.exe	67898328.exe

C:\Users\Admin\AppData\Local\Temp\f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\f248b7fe4a7a0c4bc285131d106c72fc7cb081a7ef2c5d316fc35353b21a0d1c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\DA68.exe
"C:\Users\Admin\AppData\Local\Temp\DA68.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\1479912548.exe
C:\Users\Admin\AppData\Local\Temp\1479912548.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\sysagrsv.exe
C:\Windows\sysagrsv.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\330682327.exe
C:\Users\Admin\AppData\Local\Temp\330682327.exe
5⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\67898328.exe
C:\Users\Admin\AppData\Local\Temp\67898328.exe
5⤵
- Executes dropped EXE
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1479912548.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1479912548.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\330682327.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\67898328.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA68.exe
Filesize
6KB

MD5
3fade1189c46a975a19599f9bc8ce9b8

SHA1
d36f6d972624b6f8b7de5553f5bc89b43f554c1a

SHA256
959ed7f57b49523114b54616f2f5bdb40c78cd1fcf8f506d3bc3721e833cee03

SHA512
12bc72d5e93e762466f36cafcf026c28ea977a3e9eb5c8a1e79d63107f957d9399a6e0c21dec63db78ab8e0ba7f31108754ac335994e3d015516cff5de42fa01

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\1479912548.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\1479912548.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\330682327.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
\Users\Admin\AppData\Local\Temp\67898328.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\67898328.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\DA68.exe
Filesize
6KB

MD5
3fade1189c46a975a19599f9bc8ce9b8

SHA1
d36f6d972624b6f8b7de5553f5bc89b43f554c1a

SHA256
959ed7f57b49523114b54616f2f5bdb40c78cd1fcf8f506d3bc3721e833cee03

SHA512
12bc72d5e93e762466f36cafcf026c28ea977a3e9eb5c8a1e79d63107f957d9399a6e0c21dec63db78ab8e0ba7f31108754ac335994e3d015516cff5de42fa01

Download Submit
memory/988-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1036-65-0x0000000000000000-mapping.dmp

Download
memory/1584-75-0x0000000000000000-mapping.dmp

Download
memory/1880-70-0x0000000000000000-mapping.dmp

Download
memory/1904-56-0x0000000000000000-mapping.dmp

Download
memory/1968-61-0x0000000000000000-mapping.dmp

Download