phorphiex | aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe
Size

10KB
MD5

371ceedfb40530d4cb6c1faf92f7b8f8
SHA1

360b758d3001095e08c0530530563b84e8a2662a
SHA256

aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e
SHA512

d473169b5bf7dab6e0c2d83445a7546af6c2ab097af157c301b8a9ce7da8800362d27ee87012b9c6e2cbee81fe3cf3ad575d0b1ade1f6f16fec82076830bc573
SSDEEP

96:/+spJ1887Tcymmzaby8uQd9ZDoy9+tQIHWtGW0fflSNWo1JxGET832qh9C7tCE1V:GspJ18yme8D9+6mmdNvJxTT83thu1V

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x003000000001678f-11.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2704	29494.scr
2808	sysppvrdnvs.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe
2212	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	29494.scr

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	29494.scr
File opened for modification	C:\Windows\sysppvrdnvs.exe	29494.scr

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2244	sc.exe
2556	sc.exe
2596	sc.exe
2716	sc.exe
3056	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29494.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2704	2212	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe	30
PID 2212 wrote to memory of 2704	2212	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe	30
PID 2212 wrote to memory of 2704	2212	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe	30
PID 2212 wrote to memory of 2704	2212	aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe	30
PID 2704 wrote to memory of 2808	2704	29494.scr	31
PID 2704 wrote to memory of 2808	2704	29494.scr	31
PID 2704 wrote to memory of 2808	2704	29494.scr	31
PID 2704 wrote to memory of 2808	2704	29494.scr	31
PID 2808 wrote to memory of 1744	2808	sysppvrdnvs.exe	32
PID 2808 wrote to memory of 1744	2808	sysppvrdnvs.exe	32
PID 2808 wrote to memory of 1744	2808	sysppvrdnvs.exe	32
PID 2808 wrote to memory of 1744	2808	sysppvrdnvs.exe	32
PID 2808 wrote to memory of 2592	2808	sysppvrdnvs.exe	33
PID 2808 wrote to memory of 2592	2808	sysppvrdnvs.exe	33
PID 2808 wrote to memory of 2592	2808	sysppvrdnvs.exe	33
PID 2808 wrote to memory of 2592	2808	sysppvrdnvs.exe	33
PID 2592 wrote to memory of 2556	2592	cmd.exe	36
PID 2592 wrote to memory of 2556	2592	cmd.exe	36
PID 2592 wrote to memory of 2556	2592	cmd.exe	36
PID 2592 wrote to memory of 2556	2592	cmd.exe	36
PID 1744 wrote to memory of 2564	1744	cmd.exe	37
PID 1744 wrote to memory of 2564	1744	cmd.exe	37
PID 1744 wrote to memory of 2564	1744	cmd.exe	37
PID 1744 wrote to memory of 2564	1744	cmd.exe	37
PID 2592 wrote to memory of 2596	2592	cmd.exe	38
PID 2592 wrote to memory of 2596	2592	cmd.exe	38
PID 2592 wrote to memory of 2596	2592	cmd.exe	38
PID 2592 wrote to memory of 2596	2592	cmd.exe	38
PID 2592 wrote to memory of 2716	2592	cmd.exe	39
PID 2592 wrote to memory of 2716	2592	cmd.exe	39
PID 2592 wrote to memory of 2716	2592	cmd.exe	39
PID 2592 wrote to memory of 2716	2592	cmd.exe	39
PID 2592 wrote to memory of 3056	2592	cmd.exe	40
PID 2592 wrote to memory of 3056	2592	cmd.exe	40
PID 2592 wrote to memory of 3056	2592	cmd.exe	40
PID 2592 wrote to memory of 3056	2592	cmd.exe	40
PID 2592 wrote to memory of 2244	2592	cmd.exe	41
PID 2592 wrote to memory of 2244	2592	cmd.exe	41
PID 2592 wrote to memory of 2244	2592	cmd.exe	41
PID 2592 wrote to memory of 2244	2592	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe
"C:\Users\Admin\AppData\Local\Temp\aca18e5b9cdb01ad9ad8c97fb6d43b6caa7759464f62007a7953b7dc8b54762e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\29494.scr
  "C:\Users\Admin\AppData\Local\Temp\29494.scr" /S
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2556
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2596
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2716
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3056
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29494.scr

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit