Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 15:28

General

  • Target

    4ea66c1fa7a5f7e03b5e5c028f757aa9bc61863c.exe

  • Size

    903KB

  • MD5

    3d6b93c4450b7b152f405e50fb321450

  • SHA1

    4ea66c1fa7a5f7e03b5e5c028f757aa9bc61863c

  • SHA256

    9d512e372cbc60a9d7ff6c44f21403dd82782f1f975444333d4870b54f23d9e7

  • SHA512

    a46a1843ab3bd3213f6146ecd6c2a4b48d90a29e95fde7ed1c2e7e3523999e6ecb71a4aaeef64b4cac658482684e9898b06cc0d4222b8c1cad86b0b4aac6dd42

  • SSDEEP

    24576:PivtCXWeGK+FGXFmUPz4s6nZ3p6NaAH/0:qtCXWPnc1mQz4s6Ziac0

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes
  • mutex

    mmn7nnm8na

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Phorphiex family
  • Phorphiex payload 1 IoCs
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ea66c1fa7a5f7e03b5e5c028f757aa9bc61863c.exe
    "C:\Users\Admin\AppData\Local\Temp\4ea66c1fa7a5f7e03b5e5c028f757aa9bc61863c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\2F6A.exe
      "C:\Users\Admin\AppData\Local\Temp\2F6A.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\2920411755.exe
        C:\Users\Admin\AppData\Local\Temp\2920411755.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\sysppvrdnvs.exe
          C:\Windows\sysppvrdnvs.exe
          4⤵
          • Modifies security service
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1348
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1588
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2228
            • C:\Windows\SysWOW64\sc.exe
              sc stop UsoSvc
              6⤵
              • Launches sc.exe
              • System Location Discovery: System Language Discovery
              PID:2732
            • C:\Windows\SysWOW64\sc.exe
              sc stop WaaSMedicSvc
              6⤵
              • Launches sc.exe
              • System Location Discovery: System Language Discovery
              PID:3036
            • C:\Windows\SysWOW64\sc.exe
              sc stop wuauserv
              6⤵
              • Launches sc.exe
              • System Location Discovery: System Language Discovery
              PID:1060
            • C:\Windows\SysWOW64\sc.exe
              sc stop DoSvc
              6⤵
              • Launches sc.exe
              • System Location Discovery: System Language Discovery
              PID:2996
            • C:\Windows\SysWOW64\sc.exe
              sc stop BITS /wait
              6⤵
              • Launches sc.exe
              • System Location Discovery: System Language Discovery
              PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2F6A.exe

    Filesize

    9KB

    MD5

    8d8e6c7952a9dc7c0c73911c4dbc5518

    SHA1

    9098da03b33b2c822065b49d5220359c275d5e94

    SHA256

    feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

    SHA512

    91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

  • \Users\Admin\AppData\Local\Temp\2920411755.exe

    Filesize

    83KB

    MD5

    06560b5e92d704395bc6dae58bc7e794

    SHA1

    fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

    SHA256

    9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

    SHA512

    b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3