phorphiex | 80a2f5e6f0d6e2577808ccd5b850ddb8703573422fe72539c344bcc16f82e4df

General

Target

syscceb.exe
Size

480KB
MD5

34e58603627f492a9602130f25025f96
SHA1

ded14cfd26427f6d57721560f90fbbd288a98551
SHA256

80a2f5e6f0d6e2577808ccd5b850ddb8703573422fe72539c344bcc16f82e4df
SHA512

b0938c35699021b67d4f44acca6417c0fe4404aa8e190689d080ecb7381825053d7e5151cc1c7575e5cc3cc27207545ed2a6c5a325bfa1d377aad468e3dd28fe
SSDEEP

12288:ziTWzHoGfF4MRqtg681Xb7nEyOX6JryOAxAa:zvfF4K7D53nyX6S5

Score

10^/10

phorphiex discovery evasion loader trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/

http://urusurofhsorhfuuhk.su/

http://aeifaeifhutuhuhusk.su/

http://rzhsudhugugfugugsk.su/

http://bfagzzezgaegzgfaik.su/

http://eaeuafhuaegfugeudk.su/

http://aeufuaehfiuehfuhfk.su/

http://daedagheauehfuuhfk.su/

http://aeoughaoheguaoehdk.su/

http://eguaheoghouughahsk.su/

http://huaeokaefoaeguaehk.su/

http://afaeigaifgsgrhhafk.su/

http://afaigaeigieufuifik.su/

http://geauhouefheuutiiik.su/

http://gaoheeuofhefefhutk.su/

http://gaouehaehfoaeajrsk.su/

http://gaohrhurhuhruhfsdk.su/

http://gaghpaheiafhjefijk.su/

http://gaoehuoaoefhuhfugk.su/

http://aegohaohuoruitiiek.su/

Wallets

13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa

qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99

XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE

DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc

0x373b9854c9e4511b920372f5495640cdc25d6832

LSermtCTLWeS683x17AtYuhNT8MpMmVmi8

t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

syscceb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	syscceb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	syscceb.exe

Phorphiex payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2108-2-0x0000000002240000-0x000000000224E000-memory.dmp	family_phorphiex
behavioral2/memory/2108-4-0x0000000002240000-0x000000000224E000-memory.dmp	family_phorphiex
behavioral2/memory/2108-6-0x0000000002240000-0x000000000224E000-memory.dmp	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syscceb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syscceb.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syscceb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syscceb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

syscceb.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language syscceb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syscceb.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

syscceb.exe

pid	process
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe
2108	syscceb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

syscceb.exe

description pid process

Token: SeDebugPrivilege 2108 syscceb.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

syscceb.exe

pid process

2108 syscceb.exe
2108 syscceb.exe

description	pid	process
Token: SeDebugPrivilege	2108	syscceb.exe

C:\Users\Admin\AppData\Local\Temp\syscceb.exe
"C:\Users\Admin\AppData\Local\Temp\syscceb.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2108-1-0x0000000000451000-0x0000000000459000-memory.dmp

Filesize
32KB

Download
memory/2108-2-0x0000000002240000-0x000000000224E000-memory.dmp

Filesize
56KB

Download
memory/2108-5-0x0000000000451000-0x0000000000459000-memory.dmp

Filesize
32KB

Download
memory/2108-4-0x0000000002240000-0x000000000224E000-memory.dmp

Filesize
56KB

Download
memory/2108-6-0x0000000002240000-0x000000000224E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads