Malware Analysis Report

2024-11-30 15:09

Sample ID 210105-682gy9h2fe
Target 85c4f05bdc2c39858288c67d41db3e86.exe
SHA256 7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
Tags
phorphiex evasion loader persistence trojan worm
Score
10/10

Analysis Overview

Score
10/10

SHA256

7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f

Threat Level: Known bad

The file 85c4f05bdc2c39858288c67d41db3e86.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Phorphiex family

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-01-05 09:11

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-01-05 09:11

Reported

2021-01-05 09:13

Platform

win7v20201028

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\26490211649160\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\26490211649160\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\26490211649160\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\26490211649160\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\26490211649160\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\26490211649160\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\26490211649160\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\26490211649160\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\26490211649160\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\26490211649160\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe

"C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe"

C:\26490211649160\svchost.exe

C:\26490211649160\svchost.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp

Files

memory/516-2-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

\26490211649160\svchost.exe

MD5 85c4f05bdc2c39858288c67d41db3e86
SHA1 7ccf8a4822b6122a16d7252033da3536145715de
SHA256 7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
SHA512 d1d5f9eca0201701580a2a0afd703f00daf7502e979a6687de64319fd2327ca7a686c14c7b8bab8a8aab010d3a71e324e56bd1bd19b001b48a189601f3e0b757

memory/612-4-0x0000000000000000-mapping.dmp

C:\26490211649160\svchost.exe

MD5 85c4f05bdc2c39858288c67d41db3e86
SHA1 7ccf8a4822b6122a16d7252033da3536145715de
SHA256 7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
SHA512 d1d5f9eca0201701580a2a0afd703f00daf7502e979a6687de64319fd2327ca7a686c14c7b8bab8a8aab010d3a71e324e56bd1bd19b001b48a189601f3e0b757

Analysis: behavioral2

Detonation Overview

Submitted

2021-01-05 09:11

Reported

2021-01-05 09:13

Platform

win10v20201028

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\12578222777484\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1550827266.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2896812604.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\12578222777484\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\12578222777484\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\12578222777484\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\12578222777484\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\12578222777484\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\12578222777484\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\12578222777484\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\12578222777484\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\12578222777484\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe

"C:\Users\Admin\AppData\Local\Temp\85c4f05bdc2c39858288c67d41db3e86.exe"

C:\12578222777484\svchost.exe

C:\12578222777484\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1550827266.exe

C:\Users\Admin\AppData\Local\Temp\1550827266.exe

C:\Users\Admin\AppData\Local\Temp\2896812604.exe

C:\Users\Admin\AppData\Local\Temp\2896812604.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 8.8.8.8:53 tsrv3.ru udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 tsrv4.ws udp
N/A 185.215.113.10:80 tsrv4.ws tcp
N/A 185.215.113.10:80 tsrv4.ws tcp
N/A 185.215.113.10:80 tsrv4.ws tcp
N/A 8.8.8.8:53 tsrv5.top udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 thaus.ws udp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 8.8.8.8:53 zzruuoooshfrohu.su udp
N/A 185.215.113.10:80 zzruuoooshfrohu.su tcp
N/A 185.215.113.10:80 zzruuoooshfrohu.su tcp
N/A 185.215.113.10:80 zzruuoooshfrohu.su tcp
N/A 8.8.8.8:53 tldrbox.top udp
N/A 185.215.113.10:80 tldrbox.top tcp
N/A 185.215.113.10:80 tldrbox.top tcp
N/A 185.215.113.10:80 tldrbox.top tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp
N/A 64.70.19.203:80 thaus.ws tcp

Files

memory/2176-2-0x0000000000000000-mapping.dmp

C:\12578222777484\svchost.exe

MD5 85c4f05bdc2c39858288c67d41db3e86
SHA1 7ccf8a4822b6122a16d7252033da3536145715de
SHA256 7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
SHA512 d1d5f9eca0201701580a2a0afd703f00daf7502e979a6687de64319fd2327ca7a686c14c7b8bab8a8aab010d3a71e324e56bd1bd19b001b48a189601f3e0b757

memory/1524-5-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1550827266.exe

MD5 aae9266606e374ae05f2ecc10b70eb17
SHA1 6e8e2b70148f5b744a5dab88fe0a299d59981762
SHA256 bd629f05bd6765c65329ca045e29751139246ea867b803b2cecabf629caeef40
SHA512 9a5af78453eebbd78312c7a70669227fcda6ad3cd79180ed6694d11c78aacdcca9d5b808f586ae2018aec6a0e3e0c26f4d976610449bb70c5e84a5ad48c621a4

memory/1524-8-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/1524-9-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/1524-10-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2212-14-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2896812604.exe

MD5 85c4f05bdc2c39858288c67d41db3e86
SHA1 7ccf8a4822b6122a16d7252033da3536145715de
SHA256 7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
SHA512 d1d5f9eca0201701580a2a0afd703f00daf7502e979a6687de64319fd2327ca7a686c14c7b8bab8a8aab010d3a71e324e56bd1bd19b001b48a189601f3e0b757