phorphiex | 721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697

General

Target

721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe
Size

37KB
MD5

2e46a434392830b26d972171ff401fef
SHA1

242c68e650d6df34e39dc6ecf0e94620f663ecdf
SHA256

721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697
SHA512

878e5d7c32e320d0ade876de6ee13bc6df799476097d983ae72356f227b81bdd6a82909c3997645069ff6f9a0f9f0c5884699aceacd9c7bf2744d2d466bd4f7e
SSDEEP

768:H6Dx41k4HelZgEgcyNyXIhquBJ3+seFelZV:f1LHelXJIy4Y+eFCV

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.93/

http://gimmefile.top/

http://feedmefile.top/

http://gotsomefile.top/

http://thaus.ws/

http://thaus.top/

Wallets

15DBeUGFSQLbpYvWLJwzHUXSRrHNU9uQuS8c2wvFLZ7Nxz3N

1E5ZxnNUbbGQarWjMA7tCwp3Btm38GvRkv

3AcMV5pSUcxMmmcMbfSkJXRKbCrF3ysUDJ

bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr

XkcKjKZqNUkChwJXMj5uDjDns6etXvakir

D7MYki8urW3xq8sZJ8Q2v2ZrHxjzp7ACvb

0x76e4CB2fcf7f931Fd750e93F443536Ee068d1cdE

LfYFvpk2hccXw12tN3BBMWh7EcUBMbKoTG

rUQFcff9R1eKAwTtR1wbuQxmcoB236mz44

TEUaG7jyXdyrDS3JeEg1w1hotmmEMjx4TB

t1gTRxsrEXwky32j22jgFRZAafBzmCV2M2V

AT5Vm3ZrUg98s9kBue2g9YjnwK4kFKhQw3

bitcoincash:qqucl3fev20z4upudppa8p5hd6j3zzgyfuwae00pfr

44L2q3sPJ3DMJZiuSpHvehHMLbMXx3SAoVbLm5DWDw1A7PhUvcCPAGg5qAN98DWAUG7CuD4WmydP4JkewTz2aeVd4qhS822

GBLUYL3QTKP3NXVWCYNZ7ZH4CWFT6PVCXEYCNUNSHM34WKG2UL5EDQMV

bnb154sx9pdh8er33ujxlpfk3zwvlfp9rd5rskvvgc

bc1qn4r93am7rxxr4a5dwydhwx0p2kd4xfd7mz42f3

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0

Signatures

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\181421887810834\conhost.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	conhost.exe

Executes dropped EXE 1 IoCs

Processes:

conhost.exe

pid process

2976 conhost.exe
Loads dropped DLL 1 IoCs

Processes:

721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe

pid process

624 721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe

pid	process
2976	conhost.exe

pid	process
624	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	conhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\181421887810834\\conhost.exe"	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\181421887810834\\conhost.exe"	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe

description	pid	process	target process
PID 624 wrote to memory of 2976	624	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe	conhost.exe
PID 624 wrote to memory of 2976	624	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe	conhost.exe
PID 624 wrote to memory of 2976	624	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe	conhost.exe
PID 624 wrote to memory of 2976	624	721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe
"C:\Users\Admin\AppData\Local\Temp\721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624
- C:\181421887810834\conhost.exe
  C:\181421887810834\conhost.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\181421887810834\conhost.exe

Filesize
37KB

MD5
2e46a434392830b26d972171ff401fef

SHA1
242c68e650d6df34e39dc6ecf0e94620f663ecdf

SHA256
721cf6bc50c06dc671136c1e82b6dc27c9c18e6f84149212c22877e78cf6d697

SHA512
878e5d7c32e320d0ade876de6ee13bc6df799476097d983ae72356f227b81bdd6a82909c3997645069ff6f9a0f9f0c5884699aceacd9c7bf2744d2d466bd4f7e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads