Overview

overview

10

Static

static

3

ff2df00e78...0c.exe

windows7-x64

10

ff2df00e78...0c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ff2df00e788749ba0f2ca8c29a35030c.exe

  • Size

    74KB

  • Sample

    241016-299mzaydrf

  • MD5

    ff2df00e788749ba0f2ca8c29a35030c

  • SHA1

    9638e9861cdd6a8b5e4aad28739ebd62ab12b6a1

  • SHA256

    8c8ef3881ab44057b4972c9112f73e334c664dace19295c5755f5a38ea6191d7

  • SHA512

    76e3323f797e557a72be2242961829f410c17be3b7d605075c0c05676d8a0fca6d108e47fb250219da010f0ad64c92f56d8db3b6f913b7c5000591434ec253db

  • SSDEEP

    192:H5w4ZVQffbuVBiRAljEEJxTqthTcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPx:H5w4ZV0G06uEuOm6S6666

Score
10/10
phorphiexdiscoveryevasionexecutionloaderpersistencetrojanworm

Malware Config

Targets

    • Target

      ff2df00e788749ba0f2ca8c29a35030c.exe

    • Size

      74KB

    • MD5

      ff2df00e788749ba0f2ca8c29a35030c

    • SHA1

      9638e9861cdd6a8b5e4aad28739ebd62ab12b6a1

    • SHA256

      8c8ef3881ab44057b4972c9112f73e334c664dace19295c5755f5a38ea6191d7

    • SHA512

      76e3323f797e557a72be2242961829f410c17be3b7d605075c0c05676d8a0fca6d108e47fb250219da010f0ad64c92f56d8db3b6f913b7c5000591434ec253db

    • SSDEEP

      192:H5w4ZVQffbuVBiRAljEEJxTqthTcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPx:H5w4ZV0G06uEuOm6S6666

    Score
    10/10
    phorphiexdiscoveryevasionexecutionloaderpersistencetrojanworm

    • Modifies security service

      evasion

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Windows security bypass

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks