phorphiex | a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908.exe
Size

11KB
MD5

a86bbe655021fd2f6263011c02a0070d
SHA1

597fb8aafd9d1d0ab221c6d8291246f43c9ade7e
SHA256

a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908
SHA512

93684ebfe4f44a12b6c7f3b41ff05e6a65eec6d8c09418fe51334cb28f9d71f17577f95912b937754896823e4a16b3668e5c04729a82f5c6081a7fc4bdb654ff
SSDEEP

96:S5fKGbUuMszosDmzzGNaU9UGkQaHzVI3b+VIZPtboynuYUi82Ct4Le:4ZX1FYG+jiTZP1oynfUi8xSe

Score

10^/10

phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
5028	3110211529.exe
1584	sysagrsv.exe
1904	76916814.exe
3604	3312330696.exe
4140	1784122981.exe
4668	Windows Security Upgrade Service.exe
4612	Windows Security Upgrade Service.exe
1040	Windows Security Upgrade Service.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	3110211529.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysagrsv.exe	3110211529.exe
File created	C:\Windows\sysagrsv.exe	3110211529.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 5028	3672	a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908.exe	79
PID 3672 wrote to memory of 5028	3672	a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908.exe	79
PID 3672 wrote to memory of 5028	3672	a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908.exe	79
PID 5028 wrote to memory of 1584	5028	3110211529.exe	80
PID 5028 wrote to memory of 1584	5028	3110211529.exe	80
PID 5028 wrote to memory of 1584	5028	3110211529.exe	80
PID 1584 wrote to memory of 1904	1584	sysagrsv.exe	81
PID 1584 wrote to memory of 1904	1584	sysagrsv.exe	81
PID 1584 wrote to memory of 1904	1584	sysagrsv.exe	81
PID 1584 wrote to memory of 3604	1584	sysagrsv.exe	84
PID 1584 wrote to memory of 3604	1584	sysagrsv.exe	84
PID 1584 wrote to memory of 3604	1584	sysagrsv.exe	84
PID 1584 wrote to memory of 4140	1584	sysagrsv.exe	89
PID 1584 wrote to memory of 4140	1584	sysagrsv.exe	89
PID 1584 wrote to memory of 4140	1584	sysagrsv.exe	89
PID 4140 wrote to memory of 4668	4140	1784122981.exe	92
PID 4140 wrote to memory of 4668	4140	1784122981.exe	92
PID 4140 wrote to memory of 4668	4140	1784122981.exe	92
PID 4140 wrote to memory of 4612	4140	1784122981.exe	93
PID 4140 wrote to memory of 4612	4140	1784122981.exe	93
PID 4140 wrote to memory of 4612	4140	1784122981.exe	93
PID 4140 wrote to memory of 1040	4140	1784122981.exe	94
PID 4140 wrote to memory of 1040	4140	1784122981.exe	94
PID 4140 wrote to memory of 1040	4140	1784122981.exe	94

C:\Users\Admin\AppData\Local\Temp\a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908.exe
"C:\Users\Admin\AppData\Local\Temp\a1650255f850fabb19b9b75865cef9bd45d89a48390f585f3587da14b7484908.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\3110211529.exe
  C:\Users\Admin\AppData\Local\Temp\3110211529.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\sysagrsv.exe
    C:\Windows\sysagrsv.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\76916814.exe
      C:\Users\Admin\AppData\Local\Temp\76916814.exe
      4⤵
      Executes dropped EXE
      PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\3312330696.exe
      C:\Users\Admin\AppData\Local\Temp\3312330696.exe
      4⤵
      Executes dropped EXE
      PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\1784122981.exe
      C:\Users\Admin\AppData\Local\Temp\1784122981.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1784122981.exe

Filesize
6KB

MD5
2621a8c50b9f73e9a2d72224c3dac091

SHA1
32686d62b0263993ae65b62fedc5cb3bd7315e87

SHA256
6ae1ebf46676cb744ddc30ae46e6d454e0e1f585c2d567ac05478c20edc4247d

SHA512
e19f0a53e362205a175ff5f1194e6b8acf8625c3733c5d05c85212ce3290aaab9d3c319d4f71d45133e39db9cf682cb0c9e1145cd6349e2ce5c72088619591c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1784122981.exe

Filesize
6KB

MD5
2621a8c50b9f73e9a2d72224c3dac091

SHA1
32686d62b0263993ae65b62fedc5cb3bd7315e87

SHA256
6ae1ebf46676cb744ddc30ae46e6d454e0e1f585c2d567ac05478c20edc4247d

SHA512
e19f0a53e362205a175ff5f1194e6b8acf8625c3733c5d05c85212ce3290aaab9d3c319d4f71d45133e39db9cf682cb0c9e1145cd6349e2ce5c72088619591c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3110211529.exe

Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3110211529.exe

Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3312330696.exe

Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3312330696.exe

Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Local\Temp\76916814.exe

Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\76916814.exe

Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
16KB

MD5
19f9138f63339e4baa31f5088524f4d1

SHA1
6a4e4053cc21fc6691729f48993810b1e0158d22

SHA256
9dfff09e8395e8d195eaadf35bfb371eea2bf78d6842d7a26623c2824bb8826e

SHA512
e52a99bca9fda43e0c688aa89242ac44ae69d2b07996c285fd376e743863c6dfa43495d768e61f63f40f45eeb726b46c3fd9358c61ee7ea01e58bfa2458b861d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
16KB

MD5
19f9138f63339e4baa31f5088524f4d1

SHA1
6a4e4053cc21fc6691729f48993810b1e0158d22

SHA256
9dfff09e8395e8d195eaadf35bfb371eea2bf78d6842d7a26623c2824bb8826e

SHA512
e52a99bca9fda43e0c688aa89242ac44ae69d2b07996c285fd376e743863c6dfa43495d768e61f63f40f45eeb726b46c3fd9358c61ee7ea01e58bfa2458b861d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
16KB

MD5
19f9138f63339e4baa31f5088524f4d1

SHA1
6a4e4053cc21fc6691729f48993810b1e0158d22

SHA256
9dfff09e8395e8d195eaadf35bfb371eea2bf78d6842d7a26623c2824bb8826e

SHA512
e52a99bca9fda43e0c688aa89242ac44ae69d2b07996c285fd376e743863c6dfa43495d768e61f63f40f45eeb726b46c3fd9358c61ee7ea01e58bfa2458b861d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
16KB

MD5
19f9138f63339e4baa31f5088524f4d1

SHA1
6a4e4053cc21fc6691729f48993810b1e0158d22

SHA256
9dfff09e8395e8d195eaadf35bfb371eea2bf78d6842d7a26623c2824bb8826e

SHA512
e52a99bca9fda43e0c688aa89242ac44ae69d2b07996c285fd376e743863c6dfa43495d768e61f63f40f45eeb726b46c3fd9358c61ee7ea01e58bfa2458b861d

Download Submit
C:\Windows\sysagrsv.exe

Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Windows\sysagrsv.exe

Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads