phorphiex | 8c8ef3881ab44057b4972c9112f73e334c664dace19295c5755f5a38ea6191d7

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2df00e788749ba0f2ca8c29a35030c.exe
Size

74KB
MD5

ff2df00e788749ba0f2ca8c29a35030c
SHA1

9638e9861cdd6a8b5e4aad28739ebd62ab12b6a1
SHA256

8c8ef3881ab44057b4972c9112f73e334c664dace19295c5755f5a38ea6191d7
SHA512

76e3323f797e557a72be2242961829f410c17be3b7d605075c0c05676d8a0fca6d108e47fb250219da010f0ad64c92f56d8db3b6f913b7c5000591434ec253db
SSDEEP

192:H5w4ZVQffbuVBiRAljEEJxTqthTcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPcPx:H5w4ZV0G06uEuOm6S6666

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysvplervcs.exe

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x003400000001487e-4.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2620	20791.scr
2704	sysvplervcs.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	ff2df00e788749ba0f2ca8c29a35030c.exe
2228	ff2df00e788749ba0f2ca8c29a35030c.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe"	20791.scr

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysvplervcs.exe	20791.scr
File opened for modification	C:\Windows\sysvplervcs.exe	20791.scr

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2504	sc.exe
2820	sc.exe
2660	sc.exe
836	sc.exe
2492	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20791.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff2df00e788749ba0f2ca8c29a35030c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysvplervcs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2620	2228	ff2df00e788749ba0f2ca8c29a35030c.exe	28
PID 2228 wrote to memory of 2620	2228	ff2df00e788749ba0f2ca8c29a35030c.exe	28
PID 2228 wrote to memory of 2620	2228	ff2df00e788749ba0f2ca8c29a35030c.exe	28
PID 2228 wrote to memory of 2620	2228	ff2df00e788749ba0f2ca8c29a35030c.exe	28
PID 2620 wrote to memory of 2704	2620	20791.scr	29
PID 2620 wrote to memory of 2704	2620	20791.scr	29
PID 2620 wrote to memory of 2704	2620	20791.scr	29
PID 2620 wrote to memory of 2704	2620	20791.scr	29
PID 2704 wrote to memory of 1044	2704	sysvplervcs.exe	30
PID 2704 wrote to memory of 1044	2704	sysvplervcs.exe	30
PID 2704 wrote to memory of 1044	2704	sysvplervcs.exe	30
PID 2704 wrote to memory of 1044	2704	sysvplervcs.exe	30
PID 2704 wrote to memory of 2712	2704	sysvplervcs.exe	32
PID 2704 wrote to memory of 2712	2704	sysvplervcs.exe	32
PID 2704 wrote to memory of 2712	2704	sysvplervcs.exe	32
PID 2704 wrote to memory of 2712	2704	sysvplervcs.exe	32
PID 1044 wrote to memory of 2520	1044	cmd.exe	35
PID 1044 wrote to memory of 2520	1044	cmd.exe	35
PID 1044 wrote to memory of 2520	1044	cmd.exe	35
PID 1044 wrote to memory of 2520	1044	cmd.exe	35
PID 2712 wrote to memory of 2820	2712	cmd.exe	34
PID 2712 wrote to memory of 2820	2712	cmd.exe	34
PID 2712 wrote to memory of 2820	2712	cmd.exe	34
PID 2712 wrote to memory of 2820	2712	cmd.exe	34
PID 2712 wrote to memory of 2660	2712	cmd.exe	36
PID 2712 wrote to memory of 2660	2712	cmd.exe	36
PID 2712 wrote to memory of 2660	2712	cmd.exe	36
PID 2712 wrote to memory of 2660	2712	cmd.exe	36
PID 2712 wrote to memory of 836	2712	cmd.exe	37
PID 2712 wrote to memory of 836	2712	cmd.exe	37
PID 2712 wrote to memory of 836	2712	cmd.exe	37
PID 2712 wrote to memory of 836	2712	cmd.exe	37
PID 2712 wrote to memory of 2492	2712	cmd.exe	38
PID 2712 wrote to memory of 2492	2712	cmd.exe	38
PID 2712 wrote to memory of 2492	2712	cmd.exe	38
PID 2712 wrote to memory of 2492	2712	cmd.exe	38
PID 2712 wrote to memory of 2504	2712	cmd.exe	39
PID 2712 wrote to memory of 2504	2712	cmd.exe	39
PID 2712 wrote to memory of 2504	2712	cmd.exe	39
PID 2712 wrote to memory of 2504	2712	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\ff2df00e788749ba0f2ca8c29a35030c.exe
"C:\Users\Admin\AppData\Local\Temp\ff2df00e788749ba0f2ca8c29a35030c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\20791.scr
  "C:\Users\Admin\AppData\Local\Temp\20791.scr" /S
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\sysvplervcs.exe
    C:\Windows\sysvplervcs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2820
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:836
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2492
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20791.scr

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit