phorphiex | 9a8c3fa3687c2210410fb8b3a3eb17d2280c3903abb5dc8d27612f67f04b0fb2

General

Target

0847eccd21c4fb301d08aff4ce1f0680.exe
Size

103KB
MD5

0847eccd21c4fb301d08aff4ce1f0680
SHA1

33d30d4c71a35ec681a3cc3865e656531f1eb898
SHA256

9a8c3fa3687c2210410fb8b3a3eb17d2280c3903abb5dc8d27612f67f04b0fb2
SHA512

4f35cb5d8ef86110d8c2318cf0f0f5fa22b85e76d6928d4820aca28a92a52a5cdcd66442b0cf9861413a7592c54fc782dcbbe0ab00a8a6d9f9a534f31cf99cf9
SSDEEP

768:c3MuYuJJXY8i5/6YiBwwSuY9tF9U1QFvTUE7LhKq4i0TBMMqzRCh6R1yw2C/94UR:c3Mz8UwvJA79UWv4FCIV0exfFj

Score

10^/10

phorphiex discovery evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.84/

Wallets

12gcwY6q4pv4DBbEjeQXwbhDBesLDc755VE2kyzzXRtvBvzd

18xjALsLW57DQcXSgvGE8H9iXkXYvPjSWc

3PLk48rqFRT7ZB2GZVHMJE5aiHr5jjBfZcw

39t2ndtRZKxHPHaprbe6kPaws4vs1nWA94

qz9vrpv9h2j5e6fsqwwsh8e9aaumwvql956ynh9rs9

XmgkLqGXu8HGU7tTbbwWvaJYrgvybx3eZE

DSVC6eMqTCpkaMkCVp6Yn2U7FYkU76VhKB

0xd4F8DfD1cDBa76e9ac6b3b31Ef3C6C6c3D1ea1d0

LXz2Jhi73bna54msz2zpsEpRVAh8KbeYRL

rPTusqR9SMoh7QuYfJ3EJF7Ewogp6HVJEt

TCW3T7UyyN3MWqakTPViWVRAL1kGsYyTL6

t1gE3Hz4ivvEAQMWagv5XuUMkUPcnNkuNGB

AUpwoQdnjVynLKhDkNt1TJh6sgduJnxyJy

bitcoincash:qz9vrpv9h2j5e6fsqwwsh8e9aaumwvql956ynh9rs9

46wi3NQz8eWV9HnGGKtpqKFcyGqWvLXsRP9C4oh3FgJ8M11QzmSrWWu6hW2kdredmQDYFjkJNg8t4Lye6vPuRcCsK71DPYr

GAWB6FUMRQBOF4JSVWAH6GO26C24UL5P44G3LDWK46WMFAS2TAZD7EBC

bnb1yzw7m55vrhqmmw2e0xpven8q49u8m63prv3hhz

bc1q4eym03072yk0zahdm9jym28vk0dxwyvs57sr6g

Attributes

mutex
hh3gg3h
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36

Signatures

Phorphiex payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x000000000041D000-memory.dmp	family_phorphiex
C:\Windows\wedrvcsvc.exe	family_phorphiex
behavioral1/memory/2212-10-0x0000000000400000-0x000000000041D000-memory.dmp	family_phorphiex
behavioral1/memory/2792-13-0x0000000000400000-0x000000000041D000-memory.dmp	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wedrvcsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wedrvcsvc.exe

Executes dropped EXE 1 IoCs

Processes:

wedrvcsvc.exe

pid process

2792 wedrvcsvc.exe

pid	process
2792	wedrvcsvc.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wedrvcsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wedrvcsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wedrvcsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0847eccd21c4fb301d08aff4ce1f0680.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wedrvcsvc.exe"	0847eccd21c4fb301d08aff4ce1f0680.exe

Drops file in Windows directory 2 IoCs

Processes:

0847eccd21c4fb301d08aff4ce1f0680.exe

description	ioc	process
File created	C:\Windows\wedrvcsvc.exe	0847eccd21c4fb301d08aff4ce1f0680.exe
File opened for modification	C:\Windows\wedrvcsvc.exe	0847eccd21c4fb301d08aff4ce1f0680.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0847eccd21c4fb301d08aff4ce1f0680.exewedrvcsvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0847eccd21c4fb301d08aff4ce1f0680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wedrvcsvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0847eccd21c4fb301d08aff4ce1f0680.exe

description	pid	process	target process
PID 2212 wrote to memory of 2792	2212	0847eccd21c4fb301d08aff4ce1f0680.exe	wedrvcsvc.exe
PID 2212 wrote to memory of 2792	2212	0847eccd21c4fb301d08aff4ce1f0680.exe	wedrvcsvc.exe
PID 2212 wrote to memory of 2792	2212	0847eccd21c4fb301d08aff4ce1f0680.exe	wedrvcsvc.exe
PID 2212 wrote to memory of 2792	2212	0847eccd21c4fb301d08aff4ce1f0680.exe	wedrvcsvc.exe

C:\Users\Admin\AppData\Local\Temp\0847eccd21c4fb301d08aff4ce1f0680.exe
"C:\Users\Admin\AppData\Local\Temp\0847eccd21c4fb301d08aff4ce1f0680.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\wedrvcsvc.exe
  C:\Windows\wedrvcsvc.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\wedrvcsvc.exe

Filesize
103KB

MD5
0847eccd21c4fb301d08aff4ce1f0680

SHA1
33d30d4c71a35ec681a3cc3865e656531f1eb898

SHA256
9a8c3fa3687c2210410fb8b3a3eb17d2280c3903abb5dc8d27612f67f04b0fb2

SHA512
4f35cb5d8ef86110d8c2318cf0f0f5fa22b85e76d6928d4820aca28a92a52a5cdcd66442b0cf9861413a7592c54fc782dcbbe0ab00a8a6d9f9a534f31cf99cf9

Download Submit
memory/2212-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2212-9-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download
memory/2212-8-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download
memory/2212-10-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2792-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads