Malware Analysis Report

2024-11-30 15:35

Sample ID 201230-r942tjcd4a
Target 24fe67e5b75b240e8bc12d76fe5b1e42.exe
SHA256 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
Tags phorphiex evasion loader persistence trojan worm

Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945

Threat Level: Known bad

The file 24fe67e5b75b240e8bc12d76fe5b1e42.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Phorphiex Worm

Windows security bypass

Phorphiex family

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-12-30 08:59

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-30 08:59

Reported

2020-12-30 09:01

Platform

win10v20201028

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\9918135313659\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\9918135313659\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\9918135313659\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\9918135313659\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\9918135313659\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\9918135313659\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\9918135313659\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\9918135313659\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\9918135313659\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe C:\9918135313659\svchost.exe
PID 1812 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe C:\9918135313659\svchost.exe
PID 1812 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe C:\9918135313659\svchost.exe
PID 3112 wrote to memory of 3044 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\2346221524.exe
PID 3112 wrote to memory of 3044 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\2346221524.exe
PID 3112 wrote to memory of 3044 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\2346221524.exe
PID 3112 wrote to memory of 3728 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\2954921339.exe
PID 3112 wrote to memory of 3728 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\2954921339.exe
PID 3112 wrote to memory of 3728 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\2954921339.exe
PID 3112 wrote to memory of 3624 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\3950212576.exe
PID 3112 wrote to memory of 3624 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\3950212576.exe
PID 3112 wrote to memory of 3624 N/A C:\9918135313659\svchost.exe C:\Users\Admin\AppData\Local\Temp\3950212576.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe

"C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe"

C:\9918135313659\svchost.exe

C:\9918135313659\svchost.exe

C:\Users\Admin\AppData\Local\Temp\2346221524.exe

C:\Users\Admin\AppData\Local\Temp\2346221524.exe

C:\Users\Admin\AppData\Local\Temp\2954921339.exe

C:\Users\Admin\AppData\Local\Temp\2954921339.exe

C:\Users\Admin\AppData\Local\Temp\3950212576.exe

C:\Users\Admin\AppData\Local\Temp\3950212576.exe

Network

Country Destination Domain Proto
N/A 52.109.8.19:443 nexusrules.officeapps.live.com tcp
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 13.107.42.23:443 config.edge.skype.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 93.149.120.214:80 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 8.8.8.8:53 worm.ws udp
N/A 185.215.113.10:80 worm.ws tcp
N/A 185.215.113.10:80 worm.ws tcp
N/A 52.109.76.31:443 tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 worm.ws tcp

Files

memory/3112-2-0x0000000000000000-mapping.dmp

C:\9918135313659\svchost.exe

MD5 24fe67e5b75b240e8bc12d76fe5b1e42
SHA1 f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
SHA256 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
SHA512 a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

memory/3044-5-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2346221524.exe

MD5 8ac7a52eb2c383cadf0c354baac99c7e
SHA1 9a3f20984e1c6f94d96612fc9cdd257e30778dbb
SHA256 6f42515b1bf9036478c4dc7470d34f88b2fd6e8be9564cc27b4881b78dc10b21
SHA512 517771cc5b5e1f53ea9522720b07efe29f222254fa857db8fc4a4899b6ad5b93d14af451f25050e817f0774de3c4ad3827d91eb6936ecc52247cac386635313e

memory/3044-8-0x0000000003040000-0x0000000003041000-memory.dmp

memory/3044-9-0x0000000003840000-0x0000000003841000-memory.dmp

memory/3044-10-0x0000000003040000-0x0000000003041000-memory.dmp

memory/3728-14-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2954921339.exe

MD5 9ec5e11ee05cc51cd938b3a95778433d
SHA1 28bd50e7a16e6c2fceb297ea6f5849294c3f6724
SHA256 b8017eed73c59ca50d16278691571323d5cb801e1bef2ba7c74a3df523268144
SHA512 2925b3141ac9d8be2fdb7dee42d2707c3341c0474174c552e893780a2787fae39f31b3dd5dc93f4e339e7d96d7a49cb26a7128df2aa7afd325a038e35756a922

memory/3624-17-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3950212576.exe

MD5 24fe67e5b75b240e8bc12d76fe5b1e42
SHA1 f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
SHA256 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
SHA512 a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-30 08:59

Reported

2020-12-30 09:01

Platform

win7v20201028

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\11419251091121\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\11419251091121\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\11419251091121\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\11419251091121\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\11419251091121\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\11419251091121\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\11419251091121\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\11419251091121\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\11419251091121\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe

"C:\Users\Admin\AppData\Local\Temp\24fe67e5b75b240e8bc12d76fe5b1e42.exe"

C:\11419251091121\svchost.exe

C:\11419251091121\svchost.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp

Files

memory/1364-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

\11419251091121\svchost.exe

MD5 24fe67e5b75b240e8bc12d76fe5b1e42
SHA1 f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
SHA256 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
SHA512 a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5

memory/756-4-0x0000000000000000-mapping.dmp

C:\11419251091121\svchost.exe

MD5 24fe67e5b75b240e8bc12d76fe5b1e42
SHA1 f5d4f5967a4daa68cc5a9b5323baffd3bc8d3c1d
SHA256 7e663d31d2d1fb89bb88dfa65fea415d754e5a9e6d804cf99c59d98f95580945
SHA512 a605227ea20c041cffe26740a6f56ca45823e3450a7945d636af890b7162a16be88aa766c7347a55199f4b43b83493a089a91d53bde69ef3099670a47497f6b5