phorphiex | 80a2f5e6f0d6e2577808ccd5b850ddb8703573422fe72539c344bcc16f82e4df

General

Target

syscceb.exe
Size

480KB
MD5

34e58603627f492a9602130f25025f96
SHA1

ded14cfd26427f6d57721560f90fbbd288a98551
SHA256

80a2f5e6f0d6e2577808ccd5b850ddb8703573422fe72539c344bcc16f82e4df
SHA512

b0938c35699021b67d4f44acca6417c0fe4404aa8e190689d080ecb7381825053d7e5151cc1c7575e5cc3cc27207545ed2a6c5a325bfa1d377aad468e3dd28fe
SSDEEP

12288:ziTWzHoGfF4MRqtg681Xb7nEyOX6JryOAxAa:zvfF4K7D53nyX6S5

Score

10^/10

phorphiex discovery evasion loader trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.176.27.132/

http://urusurofhsorhfuuhk.su/

http://aeifaeifhutuhuhusk.su/

http://rzhsudhugugfugugsk.su/

http://bfagzzezgaegzgfaik.su/

http://eaeuafhuaegfugeudk.su/

http://aeufuaehfiuehfuhfk.su/

http://daedagheauehfuuhfk.su/

http://aeoughaoheguaoehdk.su/

http://eguaheoghouughahsk.su/

http://huaeokaefoaeguaehk.su/

http://afaeigaifgsgrhhafk.su/

http://afaigaeigieufuifik.su/

http://geauhouefheuutiiik.su/

http://gaoheeuofhefefhutk.su/

http://gaouehaehfoaeajrsk.su/

http://gaohrhurhuhruhfsdk.su/

http://gaghpaheiafhjefijk.su/

http://gaoehuoaoefhuhfugk.su/

http://aegohaohuoruitiiek.su/

Wallets

13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa

qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99

XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE

DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc

0x373b9854c9e4511b920372f5495640cdc25d6832

LSermtCTLWeS683x17AtYuhNT8MpMmVmi8

t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	syscceb.exe

Phorphiex family
phorphiex

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral1/memory/2072-2-0x0000000000350000-0x000000000035E000-memory.dmp	family_phorphiex
behavioral1/memory/2072-4-0x0000000000350000-0x000000000035E000-memory.dmp	family_phorphiex
behavioral1/memory/2072-22-0x0000000000350000-0x000000000035E000-memory.dmp	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syscceb.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syscceb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syscceb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syscceb.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe
2072	syscceb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	syscceb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2072	syscceb.exe
2072	syscceb.exe

C:\Users\Admin\AppData\Local\Temp\syscceb.exe
"C:\Users\Admin\AppData\Local\Temp\syscceb.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2072-1-0x0000000000451000-0x0000000000459000-memory.dmp

Filesize
32KB

Download
memory/2072-2-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2072-4-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2072-5-0x0000000000451000-0x0000000000459000-memory.dmp

Filesize
32KB

Download
memory/2072-22-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads