phorphiex | 6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8e

Analysis

max time kernel
104s
max time network
107s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/11/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe
Size

10KB
MD5

ed9fbbbe548c41479cb70e4d694793d0
SHA1

a0bde162d2241ab2acb58544511a41df30a096a7
SHA256

6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8e
SHA512

49652367fec13a1e7a188fd039bf8a9fae6be72fdc31e7597bbcfdf30375277f6a7e09b74bd5a2adf1696cf720998c751b7e1671afa3a59c4dfa7069bca543fb
SSDEEP

192:Jd94uPG8E1CDSnzmgp+eMwY46BJxT43thW:394u5SCDSnJo+c83

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

http://185.215.113.84

http://185.215.113.66

185.215.113.66

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016c1a-7.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe
2616	powershell.exe
2788	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2724	14428.scr
2752	sysppvrdnvs.exe
1064	332903587.exe
2592	2562028702.exe
1816	2043720185.exe
2284	1177813584.exe

Loads dropped DLL 6 IoCs

pid	Process
1116	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe
1116	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe
2752	sysppvrdnvs.exe
2752	sysppvrdnvs.exe
2752	sysppvrdnvs.exe
1816	2043720185.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	14428.scr

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	14428.scr
File opened for modification	C:\Windows\sysppvrdnvs.exe	14428.scr

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2624	sc.exe
2672	sc.exe
2640	sc.exe
2732	sc.exe
2896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14428.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2043720185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1192	schtasks.exe
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	powershell.exe
1064	332903587.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1064	332903587.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2724	1116	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe	32
PID 1116 wrote to memory of 2724	1116	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe	32
PID 1116 wrote to memory of 2724	1116	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe	32
PID 1116 wrote to memory of 2724	1116	6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe	32
PID 2724 wrote to memory of 2752	2724	14428.scr	33
PID 2724 wrote to memory of 2752	2724	14428.scr	33
PID 2724 wrote to memory of 2752	2724	14428.scr	33
PID 2724 wrote to memory of 2752	2724	14428.scr	33
PID 2752 wrote to memory of 2656	2752	sysppvrdnvs.exe	34
PID 2752 wrote to memory of 2656	2752	sysppvrdnvs.exe	34
PID 2752 wrote to memory of 2656	2752	sysppvrdnvs.exe	34
PID 2752 wrote to memory of 2656	2752	sysppvrdnvs.exe	34
PID 2752 wrote to memory of 2824	2752	sysppvrdnvs.exe	36
PID 2752 wrote to memory of 2824	2752	sysppvrdnvs.exe	36
PID 2752 wrote to memory of 2824	2752	sysppvrdnvs.exe	36
PID 2752 wrote to memory of 2824	2752	sysppvrdnvs.exe	36
PID 2656 wrote to memory of 2788	2656	cmd.exe	39
PID 2656 wrote to memory of 2788	2656	cmd.exe	39
PID 2656 wrote to memory of 2788	2656	cmd.exe	39
PID 2656 wrote to memory of 2788	2656	cmd.exe	39
PID 2824 wrote to memory of 2896	2824	cmd.exe	38
PID 2824 wrote to memory of 2896	2824	cmd.exe	38
PID 2824 wrote to memory of 2896	2824	cmd.exe	38
PID 2824 wrote to memory of 2896	2824	cmd.exe	38
PID 2824 wrote to memory of 2732	2824	cmd.exe	40
PID 2824 wrote to memory of 2732	2824	cmd.exe	40
PID 2824 wrote to memory of 2732	2824	cmd.exe	40
PID 2824 wrote to memory of 2732	2824	cmd.exe	40
PID 2824 wrote to memory of 2624	2824	cmd.exe	41
PID 2824 wrote to memory of 2624	2824	cmd.exe	41
PID 2824 wrote to memory of 2624	2824	cmd.exe	41
PID 2824 wrote to memory of 2624	2824	cmd.exe	41
PID 2824 wrote to memory of 2640	2824	cmd.exe	42
PID 2824 wrote to memory of 2640	2824	cmd.exe	42
PID 2824 wrote to memory of 2640	2824	cmd.exe	42
PID 2824 wrote to memory of 2640	2824	cmd.exe	42
PID 2824 wrote to memory of 2672	2824	cmd.exe	43
PID 2824 wrote to memory of 2672	2824	cmd.exe	43
PID 2824 wrote to memory of 2672	2824	cmd.exe	43
PID 2824 wrote to memory of 2672	2824	cmd.exe	43
PID 2752 wrote to memory of 1064	2752	sysppvrdnvs.exe	45
PID 2752 wrote to memory of 1064	2752	sysppvrdnvs.exe	45
PID 2752 wrote to memory of 1064	2752	sysppvrdnvs.exe	45
PID 2752 wrote to memory of 1064	2752	sysppvrdnvs.exe	45
PID 1064 wrote to memory of 640	1064	332903587.exe	46
PID 1064 wrote to memory of 640	1064	332903587.exe	46
PID 1064 wrote to memory of 640	1064	332903587.exe	46
PID 1064 wrote to memory of 2504	1064	332903587.exe	48
PID 1064 wrote to memory of 2504	1064	332903587.exe	48
PID 1064 wrote to memory of 2504	1064	332903587.exe	48
PID 640 wrote to memory of 968	640	cmd.exe	50
PID 640 wrote to memory of 968	640	cmd.exe	50
PID 640 wrote to memory of 968	640	cmd.exe	50
PID 2504 wrote to memory of 2424	2504	cmd.exe	51
PID 2504 wrote to memory of 2424	2504	cmd.exe	51
PID 2504 wrote to memory of 2424	2504	cmd.exe	51
PID 2752 wrote to memory of 2592	2752	sysppvrdnvs.exe	52
PID 2752 wrote to memory of 2592	2752	sysppvrdnvs.exe	52
PID 2752 wrote to memory of 2592	2752	sysppvrdnvs.exe	52
PID 2752 wrote to memory of 2592	2752	sysppvrdnvs.exe	52
PID 2752 wrote to memory of 1816	2752	sysppvrdnvs.exe	53
PID 2752 wrote to memory of 1816	2752	sysppvrdnvs.exe	53
PID 2752 wrote to memory of 1816	2752	sysppvrdnvs.exe	53
PID 2752 wrote to memory of 1816	2752	sysppvrdnvs.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe
"C:\Users\Admin\AppData\Local\Temp\6fc8b5b8a90cf8ba7e0eb930fcdde776f8eeb3f37913318df7766a365e13fa8eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\14428.scr
  "C:\Users\Admin\AppData\Local\Temp\14428.scr" /S
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2896
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2732
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2624
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\332903587.exe
      C:\Users\Admin\AppData\Local\Temp\332903587.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\2562028702.exe
      C:\Users\Admin\AppData\Local\Temp\2562028702.exe
      4⤵
      Executes dropped EXE
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\2043720185.exe
      C:\Users\Admin\AppData\Local\Temp\2043720185.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\1177813584.exe
        
        C:\Users\Admin\AppData\Local\Temp\1177813584.exe
        5⤵
        Executes dropped EXE
        
        PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\3175411562.exe
      C:\Users\Admin\AppData\Local\Temp\3175411562.exe
      4⤵
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\2931911655.exe
        
        C:\Users\Admin\AppData\Local\Temp\2931911655.exe
        5⤵
        
        PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2712
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1192

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
1⤵
PID:2812

C:\Windows\system32\taskeng.exe
taskeng.exe {FFD67565-A6DD-4BAA-8BFF-B1F9253DB0AA} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:2016
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2616
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2632

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1177813584.exe

Filesize
2.4MB

MD5
76f9e5d2054c17224e3f3ee493dc5fae

SHA1
a288f53d69d6e21cb63f4d20833988fcaa65599e

SHA256
a091f37fad417a83ba78fdd654f7fcc1ee71f1ee5e6b5fc14111006657510341

SHA512
26f65a558277849524bdb5718637775f5dcd16b52aebf0e0b5b8b4de5afaae121da376f88a7cbf41f746f7cd7b084fa3c0bf559d94dd388737062d245e37fcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1177813584.exe

Filesize
1.4MB

MD5
4ebaca75b7044b616df4a3b7e39d1696

SHA1
65d2f102ad1771120f62d8bce9cb8587f37f3cec

SHA256
a894db59ca9765eef5f53fced655cc397290a4ad3f88abec5cf1f2ac5e304611

SHA512
e1ebf86b928f92b67f54387e48aff6122307ed05955ccafc7550671ff464bce372792c6c3dfba2fa143754cc3defa461a5318cc51113421d71825a37242fa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3175411562.exe

Filesize
10KB

MD5
9580f5630f5383337a9efdbf24171d42

SHA1
a51f16aa488d94704ecfd7673c334e374bf5c7d0

SHA256
c84a19852193f173a5af1aa326f81f0a26994f76a5daa00f4a29602e6c82664d

SHA512
0238a38c7dacca264ffca5b5f7e4bb3370dd28e5417e7919314fb442479e54a87a660c456f4256b96f4f4f16d1ca7502e9221e1e2afbe2d0bb8ab45172228ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PZHT2L22NDW33YVQWDQY.temp

Filesize
7KB

MD5
62c0f9ae7478ecd1e6fff77e1f20bdfe

SHA1
0f51b46ebe9ba2640684e49784a0404697fa6df0

SHA256
24d2f5777c633f033f24bae7eafd7689e74302d65534c7dc1b68dc62b3d927fa

SHA512
65d2285ba112a396d98172419164e086e3f4fec0ae3f2ce0b81663d305b26bddcd3055c5f54e6a226d4692ddb6d60671c3e3ec41b96444e95c76edb985f2c57b

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
1.6MB

MD5
a96f3e1b6e15b77bdd65eefee78803f7

SHA1
2a5fc3eb9f98061989e1cc99950e7bf9e247a489

SHA256
39b05d7e7b87089ca4cf394e8acc88baa6ac11f82557614f015a970a2f1d8863

SHA512
43a3948c0438902dd09981af84bf672a80173683d668fd24f605def1227048996de9647e22f7a086762ced11cb57ded44be4179f5af492f4922950c59d20c2fe

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
1.1MB

MD5
e4e7af36f92828ca9a4419403c14ceb5

SHA1
b3fb39dca904cbce4aea93f2fbb182e1156c7185

SHA256
4be3a1eb13e84ad083f22370703e81c41a165d612fc2714d0c5a4a0a1112b20d

SHA512
e4552ad4be2ece39be09aef25bec52e68995969939733f293ce67a4ea1b5d7f959bdf59db44599315b32eb5faddef7aa9460e7daac83f69d9f39a1a9a3d87cef

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
640KB

MD5
dacd041fd1df60449678019c26c20c69

SHA1
beded07388d3ce74c18770b6a43f04177ed1167e

SHA256
8572ba3181da352a9244af8b2760f8dcbe64d15b5acd2e5afe4e88da64b11191

SHA512
70a05176c662d211f6388c90f2c30b3a30c7a3e6bec1d0d1036be17c19e1d63746575e99cf57b8489cd099e0b3e2b350583bc9a2d65fa0c93a49d52eb75c4573

Download Submit
\Users\Admin\AppData\Local\Temp\1177813584.exe

Filesize
2.1MB

MD5
e9e7ff95637243098d6b6e1112b66c1b

SHA1
0d989070d8a36919dfcd85a7508526deae7b6331

SHA256
31e250800c668f2f643614d9438a75604b1438b77c3ec3f25a7e0ba1e0da51b1

SHA512
e52af30cde4e69c1335961fc21547acc929d35321ce0bcc91360153a030cb335493297d48bd8fd69db3d7c517961c433f5bffc8f860c190cd0c48e760c85969f

Download Submit
\Users\Admin\AppData\Local\Temp\14428.scr

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
\Users\Admin\AppData\Local\Temp\2043720185.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
\Users\Admin\AppData\Local\Temp\2562028702.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
\Users\Admin\AppData\Local\Temp\2931911655.exe

Filesize
20KB

MD5
c2159769dc80fa8b846eca574022b938

SHA1
222a44b40124650e57a2002cd640f98ea8cb129d

SHA256
d9cb527841e98bb1a50de5cf1c5433a05f14572a3af3be4c10d3a4708d2419e0

SHA512
7a8b4f0b5c020277b4446e4ff2223de413bd6be4c7dad3179f988cb5d3849435a85acfbda7d41d3ef15d22554cd722a8b657d978426b79dc1495a81ab270e870

Download Submit
\Users\Admin\AppData\Local\Temp\332903587.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
1.1MB

MD5
d894eba479ccfc3344fd7bec2c56bb47

SHA1
4476e2227a9be24ed696cb473c26a3f8c00fe7bd

SHA256
7b9ebeaaf3d6c7a14dd6ea4bab20512068a57431b5f8e284cc33e0fe409d8551

SHA512
316348111fb90825f7becaacc5e2342000705ef54241ddc5ff9a9114ed80a20adf58e04fdfb32531a3502ffd167e7827a78b14efeb5800c96cac945477aaf14a

Download Submit
memory/1064-42-0x000000013FB00000-0x000000013FB06000-memory.dmp

Filesize
24KB

Download
memory/1408-100-0x000000013FB90000-0x0000000140127000-memory.dmp

Filesize
5.6MB

Download
memory/2284-86-0x000000013F080000-0x000000013F617000-memory.dmp

Filesize
5.6MB

Download
memory/2616-95-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2616-96-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/2712-76-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2712-77-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download