phorphiex | 2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b

General

Target

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Size

81KB
MD5

f4713c8ac5fc1e4919156157e7bece19
SHA1

7bd9e35b1d1210183bbb4fe1995895cbc1692c62
SHA256

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b
SHA512

ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f
SSDEEP

1536:mLzDqNFmav82qCqYoOrW5LpiP3sCPhX4W5AICHK:2HXOS7OeUkegRHK

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

198889786.exe2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

198889786.exe2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	198889786.exe

Executes dropped EXE 4 IoCs

Processes:

198889786.exe124534977.exe239719698.exe254710057.exe

pid process

2528 198889786.exe
1956 124534977.exe
556 239719698.exe
1060 254710057.exe

pid	process
2528	198889786.exe
1956	124534977.exe
556	239719698.exe
1060	254710057.exe

Loads dropped DLL 6 IoCs

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe198889786.exe

pid	process
996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
2528	198889786.exe
2528	198889786.exe
2528	198889786.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe198889786.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	198889786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	198889786.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

198889786.exe2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\systrlvnxs.exe"	198889786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvpplvcr.exe"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvpplvcr.exe"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\systrlvnxs.exe"	198889786.exe

Drops file in Windows directory 4 IoCs

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe198889786.exe

description	ioc	process
File created	C:\Windows\sysvpplvcr.exe	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
File opened for modification	C:\Windows\sysvpplvcr.exe	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
File created	C:\Windows\systrlvnxs.exe	198889786.exe
File opened for modification	C:\Windows\systrlvnxs.exe	198889786.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

198889786.exe

pid process

2528 198889786.exe

pid	process
2528	198889786.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe198889786.exe

description	pid	process	target process
PID 996 wrote to memory of 2528	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	198889786.exe
PID 996 wrote to memory of 2528	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	198889786.exe
PID 996 wrote to memory of 2528	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	198889786.exe
PID 996 wrote to memory of 2528	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	198889786.exe
PID 996 wrote to memory of 1956	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	124534977.exe
PID 996 wrote to memory of 1956	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	124534977.exe
PID 996 wrote to memory of 1956	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	124534977.exe
PID 996 wrote to memory of 1956	996	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	124534977.exe
PID 2528 wrote to memory of 556	2528	198889786.exe	239719698.exe
PID 2528 wrote to memory of 556	2528	198889786.exe	239719698.exe
PID 2528 wrote to memory of 556	2528	198889786.exe	239719698.exe
PID 2528 wrote to memory of 556	2528	198889786.exe	239719698.exe
PID 2528 wrote to memory of 1060	2528	198889786.exe	254710057.exe
PID 2528 wrote to memory of 1060	2528	198889786.exe	254710057.exe
PID 2528 wrote to memory of 1060	2528	198889786.exe	254710057.exe
PID 2528 wrote to memory of 1060	2528	198889786.exe	254710057.exe

C:\Users\Admin\AppData\Local\Temp\2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
"C:\Users\Admin\AppData\Local\Temp\2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe"
1⤵
- Modifies security service
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\198889786.exe
  C:\Users\Admin\AppData\Local\Temp\198889786.exe
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\239719698.exe
    C:\Users\Admin\AppData\Local\Temp\239719698.exe
    3⤵
    - Executes dropped EXE
    PID:556
- - C:\Users\Admin\AppData\Local\Temp\254710057.exe
    C:\Users\Admin\AppData\Local\Temp\254710057.exe
    3⤵
    - Executes dropped EXE
    PID:1060
- C:\Users\Admin\AppData\Local\Temp\124534977.exe
  C:\Users\Admin\AppData\Local\Temp\124534977.exe
  2⤵
  - Executes dropped EXE
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\2[1]

Filesize
8KB

MD5
145fc3dbf778aa2ba80af3d74eabfad6

SHA1
13dfeadb4b38c461f8b9d25853c0cae5d9a65f7c

SHA256
5ab3bcaff0514c89388ea4958197ab0ff5bcc5999e1b95d830bc72da94bd4200

SHA512
9bd7d50d489c4fc57ee1a0d3ad3cd2d29ca20f8ad1e46668a36d7ecced42db03a6980b039a2aeb7a1e1761aef89d994d73a497043ba744678290a8a9772a6306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\1[1]

Filesize
78KB

MD5
c406c613d1c3896a8eb7469041b26354

SHA1
ec82902ebdd4f2c2e854dc3b805249f52144ca67

SHA256
9b532720fcb754ad2e3e74f734079cc5d4fec7ddffddc55b042db05de6faddbb

SHA512
564e08b9d054a83f385cbb60627374fd0b2c402780f721121b6b0da9aba938a9f6e9041d4fce0c91304f6c7cd228b0575a87fc26601bf84330b67b07858a3d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\3[1]

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
d73cf76255ed3e90e72d98d28e8eddd3

SHA1
d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

SHA256
bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

SHA512
20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b1bfefcf82c453982a648f51d7f6d138

SHA1
4f7596391d8e871ff5e706229e2605d9b9e19e22

SHA256
38f0573f34d3ac63169291649936bfc21b6cfc6d53ece20f84e0ecf6876b337f

SHA512
d726141a2faade63d979b78fdf4bca240523707e4157fe3fdeae9288b2dc1c08ceb2f45deabb4505ac3cd324794d55a7bc5a4a017b86ac9a7d53d0eeb20bded7

Download Submit
\Users\Admin\AppData\Local\Temp\124534977.exe

Filesize
8KB

MD5
c34a248f132e739652407b0aa8c978cd

SHA1
f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee

SHA256
4c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578

SHA512
f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703

Download Submit
\Users\Admin\AppData\Local\Temp\198889786.exe

Filesize
78KB

MD5
efc57ed49a29d9c43f780ac57d9383ea

SHA1
6feb772dab15a7004cccefd6e77aa47cafbb89ed

SHA256
12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749

SHA512
37f09dc9adf4b554d604f35ce7a4d5527acbe9d6d3b6cdcb7a81c5e4d06bc22131cb42a5c611abf9088b61a9ce7b01b64b5328401abaec73471d2555d3e1c9b3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads