phorphiex | 6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772

General

Target

6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
Size

1.3MB
MD5

cbd0e8f0c0aefe122d41029c119624cf
SHA1

8bfafcfb05c61d27d6bf114128a891d0799dd2bd
SHA256

6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772
SHA512

8e9a5e54bb6d69c126508eb6a28ea9b6623e4e5a135360f5422498cdd31552e3105435a50de2b17fa4432f871021c40a6426c550e6ff51c86729c9344584ff2e
SSDEEP

24576:ifZIGdCrb22qa1kheV1xUDPKPiuls4keJKaDxrdIG4BBs94bVva6jL3e67:0tdCvqa7VHsjeKzG4BM4Nl/

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysppvrdnvs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysppvrdnvs.exe
Phorphiex family
phorphiex

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\106348490.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysppvrdnvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2732 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

85B3.exe106348490.exesysppvrdnvs.exe

pid process

2348 85B3.exe
2908 106348490.exe
2928 sysppvrdnvs.exe
Loads dropped DLL 3 IoCs

Processes:

6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe85B3.exe

pid process

1724 6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
2348 85B3.exe
2348 85B3.exe

pid	process
2732	powershell.exe

pid	process
2348	85B3.exe
2908	106348490.exe
2928	sysppvrdnvs.exe

pid	process
1724	6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
2348	85B3.exe
2348	85B3.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysppvrdnvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

106348490.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	106348490.exe

Drops file in Windows directory 2 IoCs

Processes:

106348490.exe

description ioc process

File opened for modification C:\Windows\sysppvrdnvs.exe 106348490.exe
File created C:\Windows\sysppvrdnvs.exe 106348490.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

688 sc.exe
2684 sc.exe
3060 sc.exe
2256 sc.exe
3064 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\sysppvrdnvs.exe	106348490.exe
File created	C:\Windows\sysppvrdnvs.exe	106348490.exe

pid	process
688	sc.exe
2684	sc.exe
3060	sc.exe
2256	sc.exe
3064	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sc.exepowershell.exesc.exesc.exe106348490.exesysppvrdnvs.execmd.execmd.exe6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe85B3.exesc.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	106348490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2732 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2732 powershell.exe

pid	process
2732	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2732	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe85B3.exe106348490.exesysppvrdnvs.execmd.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 2348	1724	6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe	85B3.exe
PID 1724 wrote to memory of 2348	1724	6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe	85B3.exe
PID 1724 wrote to memory of 2348	1724	6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe	85B3.exe
PID 1724 wrote to memory of 2348	1724	6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe	85B3.exe
PID 2348 wrote to memory of 2908	2348	85B3.exe	106348490.exe
PID 2348 wrote to memory of 2908	2348	85B3.exe	106348490.exe
PID 2348 wrote to memory of 2908	2348	85B3.exe	106348490.exe
PID 2348 wrote to memory of 2908	2348	85B3.exe	106348490.exe
PID 2908 wrote to memory of 2928	2908	106348490.exe	sysppvrdnvs.exe
PID 2908 wrote to memory of 2928	2908	106348490.exe	sysppvrdnvs.exe
PID 2908 wrote to memory of 2928	2908	106348490.exe	sysppvrdnvs.exe
PID 2908 wrote to memory of 2928	2908	106348490.exe	sysppvrdnvs.exe
PID 2928 wrote to memory of 2668	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2668	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2668	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2668	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2724	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2724	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2724	2928	sysppvrdnvs.exe	cmd.exe
PID 2928 wrote to memory of 2724	2928	sysppvrdnvs.exe	cmd.exe
PID 2724 wrote to memory of 2684	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2684	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2684	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2684	2724	cmd.exe	sc.exe
PID 2668 wrote to memory of 2732	2668	cmd.exe	powershell.exe
PID 2668 wrote to memory of 2732	2668	cmd.exe	powershell.exe
PID 2668 wrote to memory of 2732	2668	cmd.exe	powershell.exe
PID 2668 wrote to memory of 2732	2668	cmd.exe	powershell.exe
PID 2724 wrote to memory of 3060	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3060	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3060	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3060	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2256	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2256	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2256	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 2256	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3064	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3064	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3064	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 3064	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 688	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 688	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 688	2724	cmd.exe	sc.exe
PID 2724 wrote to memory of 688	2724	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
"C:\Users\Admin\AppData\Local\Temp\6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\85B3.exe
  "C:\Users\Admin\AppData\Local\Temp\85B3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\106348490.exe
    C:\Users\Admin\AppData\Local\Temp\106348490.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2256
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3064
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\106348490.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
\Users\Admin\AppData\Local\Temp\85B3.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads