phorphiex | 2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b

General

Target

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Size

81KB
MD5

f4713c8ac5fc1e4919156157e7bece19
SHA1

7bd9e35b1d1210183bbb4fe1995895cbc1692c62
SHA256

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b
SHA512

ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f
SSDEEP

1536:mLzDqNFmav82qCqYoOrW5LpiP3sCPhX4W5AICHK:2HXOS7OeUkegRHK

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe287317308.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	287317308.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe287317308.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	287317308.exe

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

287317308.exe2054710818.exe2019425562.exe1825315960.exe719119298.exe

pid process

364 287317308.exe
3488 2054710818.exe
5004 2019425562.exe
2968 1825315960.exe
4304 719119298.exe

pid	process
364	287317308.exe
3488	2054710818.exe
5004	2019425562.exe
2968	1825315960.exe
4304	719119298.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe287317308.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	287317308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	287317308.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe287317308.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvpplvcr.exe"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvpplvcr.exe"	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\systrlvnxs.exe"	287317308.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\systrlvnxs.exe"	287317308.exe

Drops file in Windows directory 4 IoCs

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe287317308.exe

description	ioc	process
File created	C:\Windows\sysvpplvcr.exe	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
File opened for modification	C:\Windows\sysvpplvcr.exe	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
File created	C:\Windows\systrlvnxs.exe	287317308.exe
File opened for modification	C:\Windows\systrlvnxs.exe	287317308.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

287317308.exe

pid process

364 287317308.exe

pid	process
364	287317308.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe287317308.exe

description	pid	process	target process
PID 4828 wrote to memory of 364	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	287317308.exe
PID 4828 wrote to memory of 364	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	287317308.exe
PID 4828 wrote to memory of 364	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	287317308.exe
PID 4828 wrote to memory of 3488	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	2054710818.exe
PID 4828 wrote to memory of 3488	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	2054710818.exe
PID 4828 wrote to memory of 3488	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	2054710818.exe
PID 364 wrote to memory of 5004	364	287317308.exe	2019425562.exe
PID 364 wrote to memory of 5004	364	287317308.exe	2019425562.exe
PID 364 wrote to memory of 5004	364	287317308.exe	2019425562.exe
PID 364 wrote to memory of 2968	364	287317308.exe	1825315960.exe
PID 364 wrote to memory of 2968	364	287317308.exe	1825315960.exe
PID 364 wrote to memory of 2968	364	287317308.exe	1825315960.exe
PID 4828 wrote to memory of 4304	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	719119298.exe
PID 4828 wrote to memory of 4304	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	719119298.exe
PID 4828 wrote to memory of 4304	4828	2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe	719119298.exe

C:\Users\Admin\AppData\Local\Temp\2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe
"C:\Users\Admin\AppData\Local\Temp\2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b.exe"
1⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\287317308.exe
  C:\Users\Admin\AppData\Local\Temp\287317308.exe
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Users\Admin\AppData\Local\Temp\2019425562.exe
    C:\Users\Admin\AppData\Local\Temp\2019425562.exe
    3⤵
    - Executes dropped EXE
    PID:5004
- - C:\Users\Admin\AppData\Local\Temp\1825315960.exe
    C:\Users\Admin\AppData\Local\Temp\1825315960.exe
    3⤵
    - Executes dropped EXE
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\2054710818.exe
  C:\Users\Admin\AppData\Local\Temp\2054710818.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\719119298.exe
  C:\Users\Admin\AppData\Local\Temp\719119298.exe
  2⤵
  - Executes dropped EXE
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3A2IAT6Y\1[1]

Filesize
78KB

MD5
c406c613d1c3896a8eb7469041b26354

SHA1
ec82902ebdd4f2c2e854dc3b805249f52144ca67

SHA256
9b532720fcb754ad2e3e74f734079cc5d4fec7ddffddc55b042db05de6faddbb

SHA512
564e08b9d054a83f385cbb60627374fd0b2c402780f721121b6b0da9aba938a9f6e9041d4fce0c91304f6c7cd228b0575a87fc26601bf84330b67b07858a3d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HUO74Z1G\3[1]

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SRNQY8PA\2[1]

Filesize
8KB

MD5
145fc3dbf778aa2ba80af3d74eabfad6

SHA1
13dfeadb4b38c461f8b9d25853c0cae5d9a65f7c

SHA256
5ab3bcaff0514c89388ea4958197ab0ff5bcc5999e1b95d830bc72da94bd4200

SHA512
9bd7d50d489c4fc57ee1a0d3ad3cd2d29ca20f8ad1e46668a36d7ecced42db03a6980b039a2aeb7a1e1761aef89d994d73a497043ba744678290a8a9772a6306

Download Submit
C:\Users\Admin\AppData\Local\Temp\2054710818.exe

Filesize
8KB

MD5
c34a248f132e739652407b0aa8c978cd

SHA1
f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee

SHA256
4c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578

SHA512
f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703

Download Submit
C:\Users\Admin\AppData\Local\Temp\287317308.exe

Filesize
78KB

MD5
efc57ed49a29d9c43f780ac57d9383ea

SHA1
6feb772dab15a7004cccefd6e77aa47cafbb89ed

SHA256
12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749

SHA512
37f09dc9adf4b554d604f35ce7a4d5527acbe9d6d3b6cdcb7a81c5e4d06bc22131cb42a5c611abf9088b61a9ce7b01b64b5328401abaec73471d2555d3e1c9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\719119298.exe

Filesize
6KB

MD5
0d539e8277f20391a31babff8714fdb0

SHA1
a4e63870aa5fd258dde4f02be70732c27f556fa9

SHA256
669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

SHA512
700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
d73cf76255ed3e90e72d98d28e8eddd3

SHA1
d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

SHA256
bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

SHA512
20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
1818d28d71ac448b6ad0b8fb94bedb04

SHA1
d9a6d188cb1ad86604b2591efabcab1f1314b9a7

SHA256
59170e9d43e12cdc6d4418eb6a75625b1afe92917707af0359aab3048aba9d81

SHA512
e431c9c8403e7d431efea5a426f85cf246ba3f14bffb921fe2af81c5f30eb836011bc3abb37df7276e3486c1cc1116908e7b7a402e42f846ee1e59f994e987b7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads