Malware Analysis Report

2024-11-30 15:07

Sample ID 201106-tfkylncnvj
Target SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733
SHA256 cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8

Threat Level: Known bad

The file SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733 was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-06 00:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-06 00:52

Reported

2020-11-06 06:10

Platform

win7v20201028

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe"

Signatures

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\263841395013389\winsvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\263841395013389\winsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\263841395013389\winsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\263841395013389\winsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\263841395013389\winsvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\263841395013389\\winsvcs.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\263841395013389\\winsvcs.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe"

C:\263841395013389\winsvcs.exe

C:\263841395013389\winsvcs.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 trik.ws udp
N/A 217.8.117.10:80 trik.ws tcp
N/A 8.8.8.8:53 304049943.ws udp
N/A 64.70.19.203:80 304049943.ws tcp
N/A 64.70.19.203:80 304049943.ws tcp
N/A 64.70.19.203:80 304049943.ws tcp

Files

\263841395013389\winsvcs.exe

MD5 0330ca15737b3fb862072cfa22bafe01
SHA1 633026b9467600e9617e76e3e8dfaebe5ac9f91f
SHA256 cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
SHA512 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

C:\263841395013389\winsvcs.exe

MD5 0330ca15737b3fb862072cfa22bafe01
SHA1 633026b9467600e9617e76e3e8dfaebe5ac9f91f
SHA256 cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
SHA512 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

memory/1224-1-0x0000000000000000-mapping.dmp

C:\263841395013389\winsvcs.exe

MD5 0330ca15737b3fb862072cfa22bafe01
SHA1 633026b9467600e9617e76e3e8dfaebe5ac9f91f
SHA256 cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
SHA512 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

memory/1200-4-0x000007FEF5D00000-0x000007FEF5F7A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-06 00:52

Reported

2020-11-06 06:10

Platform

win10v20201028

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe"

Signatures

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\16052180817149\winsvcs.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\16052180817149\winsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\16052180817149\winsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\16052180817149\winsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\16052180817149\winsvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\16052180817149\\winsvcs.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\16052180817149\\winsvcs.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.30324.20733.exe"

C:\16052180817149\winsvcs.exe

C:\16052180817149\winsvcs.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 trik.ws udp
N/A 217.8.117.10:80 trik.ws tcp
N/A 8.8.8.8:53 304049943.ws udp
N/A 64.70.19.203:80 304049943.ws tcp
N/A 64.70.19.203:80 304049943.ws tcp
N/A 64.70.19.203:80 304049943.ws tcp

Files

memory/1956-0-0x0000000000000000-mapping.dmp

C:\16052180817149\winsvcs.exe

MD5 0330ca15737b3fb862072cfa22bafe01
SHA1 633026b9467600e9617e76e3e8dfaebe5ac9f91f
SHA256 cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
SHA512 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44

C:\16052180817149\winsvcs.exe

MD5 0330ca15737b3fb862072cfa22bafe01
SHA1 633026b9467600e9617e76e3e8dfaebe5ac9f91f
SHA256 cacec7cf35fc455c63afb772f3ef8084c2badfcd73d68d9d17878017eeaa21d8
SHA512 63b4180d2a5478d8a86ddae7db1bb356083a3eb83fe7a91d012996ffe434fdadcf321c94bc30aeff1fc6fd4c5c51c1cf8107a0c98cb1be2f2b0bbacbffb95a44