phorphiex | 701f8e268aa14d487e3fa1f92e41d89c38f3245c8246e66c2cdd5114367e295d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe
Size

112KB
MD5

2d5e7babf1b2d92b56fda0b9044f889a
SHA1

d2f1f6a1e267172fc183a0d1a2affdd26145f59d
SHA256

8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c
SHA512

68167664fc5e957b9aee18713ddf975823a73713d6c2fe31f532dcb53bee280a7fbfda68961a514d049558c602d74e91b24995fc1153e3f376cea5ebc7f93688
SSDEEP

3072:8q7DiX2FNAVWllSP8QLZwgtTIFFjB/0SA:N7DiQWTlZw3FjJA

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\10310411719367\lsass.exe	family_phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

3212 lsass.exe

pid	process
3212	lsass.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\10310411719367\\lsass.exe"	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\10310411719367\\lsass.exe"	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe

description	pid	process	target process
PID 2264 wrote to memory of 3212	2264	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe	lsass.exe
PID 2264 wrote to memory of 3212	2264	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe	lsass.exe
PID 2264 wrote to memory of 3212	2264	8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe
"C:\Users\Admin\AppData\Local\Temp\8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264
- C:\10310411719367\lsass.exe
  C:\10310411719367\lsass.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\10310411719367\lsass.exe

Filesize
112KB

MD5
2d5e7babf1b2d92b56fda0b9044f889a

SHA1
d2f1f6a1e267172fc183a0d1a2affdd26145f59d

SHA256
8cd916321f1c8a63bd9fafb52a478ac65b3e86a33966bbfce60f5e46ffee6b8c

SHA512
68167664fc5e957b9aee18713ddf975823a73713d6c2fe31f532dcb53bee280a7fbfda68961a514d049558c602d74e91b24995fc1153e3f376cea5ebc7f93688

Download Submit