phorphiex | 00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b | Triage

Resubmissions

17-04-2024 12:41

240417-pwvknsfd74 10

17-04-2024 12:41

240417-pwt9xafd72 10

17-04-2024 12:41

240417-pwtndafd68 10

17-04-2024 12:40

240417-pwlb1aha2w 10

17-04-2024 12:40

240417-pwkqgaha2t 10

16-04-2024 13:48

240416-q36f7abe74 10

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17-04-2024 12:41

Sharing

Report Analysis Logs

General

Target

00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe
Size

100KB
MD5

1fe26231c66ad0b21e804a897e07f6ee
SHA1

7e5cc26fbf11c4e65291617722145be1e6872aed
SHA256

00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b
SHA512

35aa41be52995c97c25fe29efe6d9cad526368910bfbe99cf73a94917e7f65a2982f041f126a7f4433ab04770cd7bf8d45924d77aa99ac36e43adae30a9056a0
SSDEEP

3072:UlmICQuNwVOv/8I6WruEPJZDUXA2M1CUci6sUJW51TrFS83FoO:WmICRmgMtWruEhZDCA2M1CUci6sUJW5n

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\2032899284316\lsass.exe	family_phorphiex

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

1732 lsass.exe

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2032899284316\\lsass.exe"	00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2032899284316\\lsass.exe"	00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe

description	pid	process	target process
PID 488 wrote to memory of 1732	488	00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe	lsass.exe
PID 488 wrote to memory of 1732	488	00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe	lsass.exe
PID 488 wrote to memory of 1732	488	00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe
"C:\Users\Admin\AppData\Local\Temp\00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:488

C:\2032899284316\lsass.exe
C:\2032899284316\lsass.exe
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2032899284316\lsass.exe
Filesize
100KB

MD5
1fe26231c66ad0b21e804a897e07f6ee

SHA1
7e5cc26fbf11c4e65291617722145be1e6872aed

SHA256
00475e1ce0883ac76f08f6f2387496c8298902a34fa0631f3f45f38c48e3713b

SHA512
35aa41be52995c97c25fe29efe6d9cad526368910bfbe99cf73a94917e7f65a2982f041f126a7f4433ab04770cd7bf8d45924d77aa99ac36e43adae30a9056a0

Download Submit