phorphiex | 5d283fb295f9625c525061ce36a81a255d0702fe2dcae71c2cadf0ce7bc697cd

General

Target

2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe
Size

1.0MB
MD5

e3bfb350fae05724476a541ac0aff3c6
SHA1

e616580e84f3a39178a7345272d066d55fd48f75
SHA256

5d283fb295f9625c525061ce36a81a255d0702fe2dcae71c2cadf0ce7bc697cd
SHA512

d5e44b91f2eeb7825e16d5e5158f3cec893260c84b1089410b4b7204ec3907ef958f5a6852fcdaefca2509b91753856170c3f9aaafdee08013d5e686cb15f33c
SSDEEP

24576:f/ckp+7WS4qhUsEi/0uB6nKORw2blaJH2GkbBQc:f+SEm/KORwclaJH27Qc

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
x88767657x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysmysldrv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysmysldrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmysldrv.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3251031680.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmysldrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2672 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

E35D.exe3251031680.exesysmysldrv.exe

pid process

1648 E35D.exe
2900 3251031680.exe
2940 sysmysldrv.exe
Loads dropped DLL 3 IoCs

Processes:

2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exeE35D.exe

pid process

2544 2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe
1648 E35D.exe
1648 E35D.exe

pid	process
2672	powershell.exe

pid	process
1648	E35D.exe
2900	3251031680.exe
2940	sysmysldrv.exe

pid	process
2544	2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe
1648	E35D.exe
1648	E35D.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmysldrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3251031680.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe"	3251031680.exe

Drops file in Windows directory 2 IoCs

Processes:

3251031680.exe

description ioc process

File created C:\Windows\sysmysldrv.exe 3251031680.exe
File opened for modification C:\Windows\sysmysldrv.exe 3251031680.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2088 sc.exe
1320 sc.exe
2584 sc.exe
1112 sc.exe
3068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\sysmysldrv.exe	3251031680.exe
File opened for modification	C:\Windows\sysmysldrv.exe	3251031680.exe

pid	process
2088	sc.exe
1320	sc.exe
2584	sc.exe
1112	sc.exe
3068	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exesc.exesc.exesc.exe2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exesysmysldrv.exepowershell.exesc.exesc.exeE35D.exe3251031680.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmysldrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E35D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3251031680.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2672 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2672 powershell.exe

pid	process
2672	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exeE35D.exe3251031680.exesysmysldrv.execmd.execmd.exe

description	pid	process	target process
PID 2544 wrote to memory of 1648	2544	2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe	E35D.exe
PID 2544 wrote to memory of 1648	2544	2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe	E35D.exe
PID 2544 wrote to memory of 1648	2544	2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe	E35D.exe
PID 2544 wrote to memory of 1648	2544	2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe	E35D.exe
PID 1648 wrote to memory of 2900	1648	E35D.exe	3251031680.exe
PID 1648 wrote to memory of 2900	1648	E35D.exe	3251031680.exe
PID 1648 wrote to memory of 2900	1648	E35D.exe	3251031680.exe
PID 1648 wrote to memory of 2900	1648	E35D.exe	3251031680.exe
PID 2900 wrote to memory of 2940	2900	3251031680.exe	sysmysldrv.exe
PID 2900 wrote to memory of 2940	2900	3251031680.exe	sysmysldrv.exe
PID 2900 wrote to memory of 2940	2900	3251031680.exe	sysmysldrv.exe
PID 2900 wrote to memory of 2940	2900	3251031680.exe	sysmysldrv.exe
PID 2940 wrote to memory of 2596	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2596	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2596	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2596	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2656	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2656	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2656	2940	sysmysldrv.exe	cmd.exe
PID 2940 wrote to memory of 2656	2940	sysmysldrv.exe	cmd.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2672	2596	cmd.exe	powershell.exe
PID 2656 wrote to memory of 1112	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1112	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1112	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1112	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 3068	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 3068	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 3068	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 3068	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2088	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2088	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2088	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2088	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1320	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1320	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1320	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 1320	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2584	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2584	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2584	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2584	2656	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-27_e3bfb350fae05724476a541ac0aff3c6_avoslocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\E35D.exe
  "C:\Users\Admin\AppData\Local\Temp\E35D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\3251031680.exe
    C:\Users\Admin\AppData\Local\Temp\3251031680.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\sysmysldrv.exe
      C:\Windows\sysmysldrv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1112
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3068
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1320
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\3251031680.exe

Filesize
92KB

MD5
be9388b42333b3d4e163b0ace699897b

SHA1
4e1109772eb9cb59c557380822166fe1664403bd

SHA256
d281e0a0f1e1073f2d290a7eb1f77bed4c210dbf83a0f4f4e22073f50faa843f

SHA512
5f887f1060b898c9a88745cde7cf509fdf42947ab8e5948b46c2df659468dc245b24d089bdbec0b314c40b83934698bf4b6feb8954e32810ff8f522aab0af19a

Download Submit
\Users\Admin\AppData\Local\Temp\E35D.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads