Malware Analysis Report

2024-11-30 15:37

Sample ID 210203-m1z3hkw9jj
Target ca11a2960b914f9e95a38cfa78aaa6e8.exe
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12

Threat Level: Known bad

The file ca11a2960b914f9e95a38cfa78aaa6e8.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex Payload

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-03 01:29

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-03 01:29

Reported

2021-02-03 01:32

Platform

win7v20201028

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\28568115171376\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\28568115171376\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\28568115171376\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\28568115171376\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\28568115171376\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\28568115171376\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\28568115171376\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\28568115171376\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\28568115171376\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\28568115171376\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

C:\28568115171376\svchost.exe

C:\28568115171376\svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.wipmania.com | udp
N/A | 212.83.168.196:80 | api.wipmania.com | tcp
N/A | 212.83.168.196:80 | api.wipmania.com | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 8.8.8.8:53 | tsrv3.ru | udp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 8.8.8.8:53 | tsrv4.ws | udp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp

Files

memory/740-2-0x0000000075E51000-0x0000000075E53000-memory.dmp

memory/1220-3-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

\28568115171376\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

C:\28568115171376\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

memory/1460-5-0x0000000000000000-mapping.dmp

C:\28568115171376\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-03 01:29

Reported

2021-02-03 01:32

Platform

win10v20201028

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\276982033027597\svchost.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\276982033027597\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\276982033027597\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\276982033027597\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\276982033027597\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\276982033027597\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\276982033027597\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\276982033027597\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\276982033027597\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\276982033027597\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

C:\276982033027597\svchost.exe

C:\276982033027597\svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.wipmania.com | udp
N/A | 212.83.168.196:80 | api.wipmania.com | tcp
N/A | 212.83.168.196:80 | api.wipmania.com | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 185.215.113.10:80 | 185.215.113.10 | tcp
N/A | 8.8.8.8:53 | tsrv3.ru | udp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 127.0.0.1:80 | | tcp
N/A | 8.8.8.8:53 | tsrv4.ws | udp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | tsrv4.ws | tcp
N/A | 185.215.113.10:80 | | tcp

Files

memory/2288-2-0x0000000000000000-mapping.dmp

C:\276982033027597\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

C:\276982033027597\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a