phorphiex | 0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe
Size

28KB
MD5

adb54611fc170de9e86d31181e567db4
SHA1

a0a7a7cff0904b406c4304a3f0e4d1436abf6a5c
SHA256

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb
SHA512

0ed78e809d51ef88211f275021cbba1e843cba4a22354d4cd95d5b373e3d064eddafcf1b1239acb7064e311736ba67c1eae9800e2120d0764a7a659bd9b1e0f8
SSDEEP

384:j5RIDVmZ6zWTmydlSAw5dTxJjWOav8U9c2yweeeeeeeeWeeeee9MMp8pIP:DYijIAWdr9a0UFTeeeeeeeeWeeeee7P

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

3334622450.exe867831972.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	867831972.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3334622450.exe867831972.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3334622450.exe

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

7280.exe867831972.exe145814807.exe1567228940.exe3334622450.exe1225329786.exe1043821001.exe600812264.exe

pid process

5096 7280.exe
1816 867831972.exe
2876 145814807.exe
4664 1567228940.exe
4856 3334622450.exe
1040 1225329786.exe
856 1043821001.exe
3864 600812264.exe

pid	process
5096	7280.exe
1816	867831972.exe
2876	145814807.exe
4664	1567228940.exe
4856	3334622450.exe
1040	1225329786.exe
856	1043821001.exe
3864	600812264.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

867831972.exe3334622450.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	867831972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3334622450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3334622450.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3334622450.exe867831972.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\systrvltns.exe"	3334622450.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\systrvltns.exe"	3334622450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\systrlvnxs.exe"	867831972.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\systrlvnxs.exe"	867831972.exe

Drops file in Windows directory 4 IoCs

Processes:

867831972.exe3334622450.exe

description	ioc	process
File opened for modification	C:\Windows\systrlvnxs.exe	867831972.exe
File created	C:\Windows\systrvltns.exe	3334622450.exe
File opened for modification	C:\Windows\systrvltns.exe	3334622450.exe
File created	C:\Windows\systrlvnxs.exe	867831972.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

3334622450.exe

pid process

4856 3334622450.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 3420 svchost.exe

pid	process
4856	3334622450.exe

description	pid	process
Token: SeManageVolumePrivilege	3420	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe7280.exe867831972.exe3334622450.exe

description	pid	process	target process
PID 372 wrote to memory of 5096	372	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	7280.exe
PID 372 wrote to memory of 5096	372	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	7280.exe
PID 372 wrote to memory of 5096	372	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	7280.exe
PID 5096 wrote to memory of 1816	5096	7280.exe	867831972.exe
PID 5096 wrote to memory of 1816	5096	7280.exe	867831972.exe
PID 5096 wrote to memory of 1816	5096	7280.exe	867831972.exe
PID 1816 wrote to memory of 2876	1816	867831972.exe	145814807.exe
PID 1816 wrote to memory of 2876	1816	867831972.exe	145814807.exe
PID 1816 wrote to memory of 2876	1816	867831972.exe	145814807.exe
PID 1816 wrote to memory of 4664	1816	867831972.exe	1567228940.exe
PID 1816 wrote to memory of 4664	1816	867831972.exe	1567228940.exe
PID 1816 wrote to memory of 4664	1816	867831972.exe	1567228940.exe
PID 1816 wrote to memory of 4856	1816	867831972.exe	3334622450.exe
PID 1816 wrote to memory of 4856	1816	867831972.exe	3334622450.exe
PID 1816 wrote to memory of 4856	1816	867831972.exe	3334622450.exe
PID 4856 wrote to memory of 1040	4856	3334622450.exe	1225329786.exe
PID 4856 wrote to memory of 1040	4856	3334622450.exe	1225329786.exe
PID 4856 wrote to memory of 1040	4856	3334622450.exe	1225329786.exe
PID 4856 wrote to memory of 856	4856	3334622450.exe	1043821001.exe
PID 4856 wrote to memory of 856	4856	3334622450.exe	1043821001.exe
PID 4856 wrote to memory of 856	4856	3334622450.exe	1043821001.exe
PID 4856 wrote to memory of 3864	4856	3334622450.exe	600812264.exe
PID 4856 wrote to memory of 3864	4856	3334622450.exe	600812264.exe
PID 4856 wrote to memory of 3864	4856	3334622450.exe	600812264.exe

C:\Users\Admin\AppData\Local\Temp\0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe
"C:\Users\Admin\AppData\Local\Temp\0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\7280.exe
"C:\Users\Admin\AppData\Local\Temp\7280.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\867831972.exe
C:\Users\Admin\AppData\Local\Temp\867831972.exe
3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\145814807.exe
C:\Users\Admin\AppData\Local\Temp\145814807.exe
4⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\AppData\Local\Temp\1567228940.exe
C:\Users\Admin\AppData\Local\Temp\1567228940.exe
4⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\AppData\Local\Temp\3334622450.exe
C:\Users\Admin\AppData\Local\Temp\3334622450.exe
4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\1225329786.exe
C:\Users\Admin\AppData\Local\Temp\1225329786.exe
5⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\AppData\Local\Temp\1043821001.exe
C:\Users\Admin\AppData\Local\Temp\1043821001.exe
5⤵
- Executes dropped EXE
PID:856

C:\Users\Admin\AppData\Local\Temp\600812264.exe
C:\Users\Admin\AppData\Local\Temp\600812264.exe
5⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1043821001.exe
Filesize
9KB

MD5
5e1fff14a939e4196be610a6531f398e

SHA1
e907badcbcc558476a84b8df1d8fdcc0a0e15a78

SHA256
2b09602b9bcaa69b1e4b030a1e9e807cc605f43b090a7ffac5999ec95e1e5ec4

SHA512
0b48fc71b2b363bec1ec309f83e1a170942c7bf0809b804976c9af8cc4d804a00369626453e19b04931a0bd629de66718af06fc52f94cd89fa256f2dd9b3b19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1225329786.exe
Filesize
8KB

MD5
2f070b82ebdbdd85642878dae67d9aff

SHA1
7ca4699de2f315d6637a42a8ad7cbeec76736584

SHA256
3f805c0097a0dbfc875ab0a16180d39bdc49de849687bc2906b15c2a0fefe2ab

SHA512
7a2e1babca20b28c82559104781a7c72db55cfa0ef52d2c1a76e9123ce9d000f140ef0959b4add53c342cb40b743bb013f69f5a0e9dc321a71835b8a9dd7a808

Download Submit
C:\Users\Admin\AppData\Local\Temp\145814807.exe
Filesize
8KB

MD5
da835ecda7aa46d4740d10b378f8fc6c

SHA1
7cc67054686a6398f68a497e9146bead5f7470c4

SHA256
43bbf7187417f542305f1fad3f71976adb1b8b14c32ac87fda4c92a4734e0595

SHA512
5851f60985f8b364d73570e27efadf6c0cc8c13734c24191a753da988c8ee44a4e46da32c1796ff4c5b3b8f314c54164da00f0d120ba469bfcf76b6d27db8407

Download Submit
C:\Users\Admin\AppData\Local\Temp\1567228940.exe
Filesize
9KB

MD5
0941af53968d11cd002f1844334f90bb

SHA1
d14e793ace957196184cb1532630c19f45a18738

SHA256
1330ad31cbee38ba83e8b4ffcdd8ac941b942c4abd2a5b8cd14c1778979e59c7

SHA512
8d1f2426442d17f915bd6dcac803442c390ff15e670fb6d1c50425be75383f1146680f9495a0e7ee84caf2f73989b89f20ff5d99e017be870edf5e13eea9db23

Download Submit
C:\Users\Admin\AppData\Local\Temp\3334622450.exe
Filesize
89KB

MD5
a1151afcffa047deb643bb06b11ceacc

SHA1
537abe3abcfd2f2fc49ef1f61c0dba9ed36a1601

SHA256
cf9e35157404a4c1d64395076d7f76471b3738d86b09a26b39d7d97e40c03b90

SHA512
edeef562c3803a47d59ed19c8c72a22f25a18d3c6e98c202a376d152dc7d8a00bffcc1f64c3d3bb9284f409982bcb009463287e053bb7e95314d45f53ee782a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\600812264.exe
Filesize
89KB

MD5
908fe6989c453bc62faf18cdbdbc23d2

SHA1
b89a6770ef60173c7755775cde2749101f375d65

SHA256
d17bd74adb0124d1bf3c15fa565f542133876839c0d5c963817890fc1e1b177e

SHA512
b3d8a2daf2a3b5f3cb7cc76bdbd67a219633135c3100505cc18b967293abf0bf39243c482607d4ef923f05eeb6ed28f97442bf5f10f083baa1bce7783e395be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\69324246.exe
Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7280.exe
Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\867831972.exe
Filesize
78KB

MD5
efc57ed49a29d9c43f780ac57d9383ea

SHA1
6feb772dab15a7004cccefd6e77aa47cafbb89ed

SHA256
12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749

SHA512
37f09dc9adf4b554d604f35ce7a4d5527acbe9d6d3b6cdcb7a81c5e4d06bc22131cb42a5c611abf9088b61a9ce7b01b64b5328401abaec73471d2555d3e1c9b3

Download Submit
C:\Users\Admin\tbtnds.dat
Filesize
4KB

MD5
d73cf76255ed3e90e72d98d28e8eddd3

SHA1
d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

SHA256
bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

SHA512
20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

Download Submit
memory/3420-77-0x000001B3E6F90000-0x000001B3E6FA0000-memory.dmp

Filesize
64KB

Download
memory/3420-93-0x000001B3E7090000-0x000001B3E70A0000-memory.dmp

Filesize
64KB

Download
memory/3420-109-0x000001B3EF400000-0x000001B3EF401000-memory.dmp

Filesize
4KB

Download
memory/3420-111-0x000001B3EF430000-0x000001B3EF431000-memory.dmp

Filesize
4KB

Download
memory/3420-112-0x000001B3EF430000-0x000001B3EF431000-memory.dmp

Filesize
4KB

Download
memory/3420-113-0x000001B3EF540000-0x000001B3EF541000-memory.dmp

Filesize
4KB

Download