phorphiex | 8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a | Triage

Sharing

General

Target

8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a.exe
Size

86KB
Sample

241013-h54flsvcmg
MD5

21b61b3680c5e66f9f7b1f3026327757
SHA1

fad18744873c0f49daab677b53cea59f808c8097
SHA256

8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a
SHA512

0a43a48f18fa86e72c23baa71bb77e85e9bf1ca107cf014fff2b2096b65d480f0d17c516954d472f25c541bb35f196f13534b135033e3f9a52465ea221b4e745
SSDEEP

192:MNUGDWCn+rYeumelDB2JkknJxTqth7ccccccccccccccccccccccccccccccccc:AU5C+rU9lDAJnuz

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Targets

- Target
  
  8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a.exe
- Size
  
  86KB
- MD5
  
  21b61b3680c5e66f9f7b1f3026327757
- SHA1
  
  fad18744873c0f49daab677b53cea59f808c8097
- SHA256
  
  8de13f64aab532c0bbd3d38cc821ba6fa67ccfadde9cffd14944cc9d85830f4a
- SHA512
  
  0a43a48f18fa86e72c23baa71bb77e85e9bf1ca107cf014fff2b2096b65d480f0d17c516954d472f25c541bb35f196f13534b135033e3f9a52465ea221b4e745
- SSDEEP
  
  192:MNUGDWCn+rYeumelDB2JkknJxTqth7ccccccccccccccccccccccccccccccccc:AU5C+rU9lDAJnuz
Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

phorphiexdiscoveryevasionexecutionloaderpersistencetrojanworm

behavioral2

phorphiexdiscoveryevasionexecutionloaderpersistencetrojanworm