| File name: | 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF |
| Full analysis: | https://app.any.run/tasks/e252ba31-cc80-4ae1-a1a7-43563f153f28 |
| Verdict: | Malicious activity |
| Threats: | Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. |
| Analysis date: | October 08, 2024, 12:29:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 930C41BC0C20865AF61A95BCF0C3B289 |
| SHA1: | CECF37C3B6C76D9A79DD2A97CFC518621A6AC924 |
| SHA256: | 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF |
| SSDEEP: | 3072:TI/hMNfDU6NP/mAyp/8+62bSKI2agQw/w6EdBbyx/uTCZp9diPYRZWDTAwF76qc/:jzXF1E |
MALICIOUS
Adds path to the Windows Defender exclusion list
- sysvplervcs.exe (PID: 3076)
- cmd.exe (PID: 4756)
Changes the autorun value in the registry
- 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe (PID: 7124)
Changes the Windows auto-update feature
- sysvplervcs.exe (PID: 3076)
Changes Security Center notification settings
- sysvplervcs.exe (PID: 3076)
PHORPIEX has been detected (YARA)
- sysvplervcs.exe (PID: 3076)
PHORPIEX has been detected (SURICATA)
- sysvplervcs.exe (PID: 3076)
Connects to the CnC server
- sysvplervcs.exe (PID: 3076)
SUSPICIOUS
Starts itself from another location
- 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe (PID: 7124)
Executable content was dropped or overwritten
- 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe (PID: 7124)
Reads security settings of Internet Explorer
- sysvplervcs.exe (PID: 3076)
Starts CMD.EXE for commands execution
- sysvplervcs.exe (PID: 3076)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 4756)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 4756)
Connects to the server without a host name
- sysvplervcs.exe (PID: 3076)
Connects to unusual port
- sysvplervcs.exe (PID: 3076)
INFO
Checks supported languages
- 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe (PID: 7124)
- sysvplervcs.exe (PID: 3076)
The process uses the downloaded file
- 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe (PID: 7124)
- sysvplervcs.exe (PID: 3076)
- powershell.exe (PID: 3720)
Reads the computer name
- sysvplervcs.exe (PID: 3076)
Process checks computer location settings
- sysvplervcs.exe (PID: 3076)
Checks proxy server information
- sysvplervcs.exe (PID: 3076)
Creates files or folders in the user directory
- sysvplervcs.exe (PID: 3076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:10:05 04:05:35+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 60928 |
| InitializedDataSize: | 40960 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7940 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
Total processes
136
Monitored processes
12
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 904 | sc stop WaaSMedicSvc | C:\Windows\SysWOW64\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1344 | sc stop BITS /wait | C:\Windows\SysWOW64\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2128 | sc stop wuauserv | C:\Windows\SysWOW64\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2492 | sc stop DoSvc | C:\Windows\SysWOW64\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2508 | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait | C:\Windows\SysWOW64\cmd.exe | — | sysvplervcs.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3076 | C:\Users\admin\sysvplervcs.exe | C:\Users\admin\sysvplervcs.exe | 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 3372 | sc stop UsoSvc | C:\Windows\SysWOW64\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3720 | powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4756 | "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" | C:\Windows\SysWOW64\cmd.exe | — | sysvplervcs.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4780 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9 155
Read events
9 140
Write events
15
Delete events
0
Modification events
| (PID) Process: | (7124) 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Settings |
Value: C:\Users\admin\sysvplervcs.exe | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate |
| Operation: | write | Name: | DisableWindowsUpdate |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU |
| Operation: | write | Name: | NoAutoUpdate |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU |
| Operation: | write | Name: | AlwaysAutoUpdate |
Value: 0 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU |
| Operation: | write | Name: | OverrideNotice |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | FirewallOverride |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | FirewallDisableNotify |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiSpywareOverride |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiVirusOverride |
Value: 1 | |||
| (PID) Process: | (3076) sysvplervcs.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiVirusDisableNotify |
Value: 1 | |||
Executable files
1
Suspicious files
5
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7124 | 1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF.exe | C:\Users\admin\sysvplervcs.exe | executable | |
MD5:930C41BC0C20865AF61A95BCF0C3B289 | SHA256:1F2E9724DFB091059AE16C305601E21D64B5308DF76DDEF6B394573E576EF1FF | |||
| 3720 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xvnsfd21.ibv.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3076 | sysvplervcs.exe | C:\Users\admin\AppData\Local\Temp\229352078.exe | binary | |
MD5:1FCB78FB6CF9720E9D9494C42142D885 | SHA256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02 | |||
| 3720 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pvy3hv32.t0l.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3720 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hiur1vgq.ume.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3076 | sysvplervcs.exe | C:\Users\admin\tbtnds.dat | binary | |
MD5:B212DF1DFBF03F226CB3A2A7153C97A4 | SHA256:3069D99AB572231CD0B0F1E0EEA8428D6DCB026E92BC14D054FD7B7910894802 | |||
| 3720 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:94EB1177F10AD3A533D742E313F0C5A2 | SHA256:69BB4D04A9342B47F6FC6AE3A222A3E3D3C51477DAA568A87030BD4E21CCC83A | |||
| 3076 | sysvplervcs.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\1[1] | binary | |
MD5:1FCB78FB6CF9720E9D9494C42142D885 | SHA256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02 | |||
| 3076 | sysvplervcs.exe | C:\Users\admin\AppData\Local\Temp\2620827997.exe | binary | |
MD5:1FCB78FB6CF9720E9D9494C42142D885 | SHA256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02 | |||
| 3720 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_guwunp0d.01b.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
60
DNS requests
8
Threats
23
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6564 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3076 | sysvplervcs.exe | GET | — | 185.215.113.66:80 | http://185.215.113.66/1 | unknown | — | — | malicious |
3076 | sysvplervcs.exe | GET | 200 | 185.215.113.66:80 | http://185.215.113.66/1 | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6564 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6564 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6564 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6564 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3076 | sysvplervcs.exe | 185.215.113.66:80 | — | 1337team Limited | SC | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3076 | sysvplervcs.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 32 |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
3076 | sysvplervcs.exe | A Network Trojan was detected | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC |
4 ETPRO signatures available at the full report