Malware Analysis Report

2024-11-30 15:37

Sample ID 210503-mh4xyhtxtx
Target 0a6569e45a3a38f7168f4c4aa0594627.exe
SHA256 ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38

Threat Level: Known bad

The file 0a6569e45a3a38f7168f4c4aa0594627.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Worm

Phorphiex Payload

Windows security bypass

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-05-03 07:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-03 07:04

Reported

2021-05-03 07:07

Platform

win7v20210408

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"

Signatures

Phorphiex Payload

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24539.exe N/A
N/A N/A C:\7997101627193\lsass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3919826265.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\7997101627193\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\7997101627193\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\7997101627193\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\7997101627193\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\7997101627193\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\7997101627193\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\7997101627193\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\7997101627193\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\24539.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\7997101627193\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\24539.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe C:\Users\Admin\AppData\Local\Temp\24539.exe
PID 744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe C:\Users\Admin\AppData\Local\Temp\24539.exe
PID 744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe C:\Users\Admin\AppData\Local\Temp\24539.exe
PID 744 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe C:\Users\Admin\AppData\Local\Temp\24539.exe
PID 1712 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\24539.exe C:\7997101627193\lsass.exe
PID 1712 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\24539.exe C:\7997101627193\lsass.exe
PID 1712 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\24539.exe C:\7997101627193\lsass.exe
PID 1712 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\24539.exe C:\7997101627193\lsass.exe
PID 828 wrote to memory of 592 N/A C:\7997101627193\lsass.exe C:\Users\Admin\AppData\Local\Temp\3919826265.exe
PID 828 wrote to memory of 592 N/A C:\7997101627193\lsass.exe C:\Users\Admin\AppData\Local\Temp\3919826265.exe
PID 828 wrote to memory of 592 N/A C:\7997101627193\lsass.exe C:\Users\Admin\AppData\Local\Temp\3919826265.exe
PID 828 wrote to memory of 592 N/A C:\7997101627193\lsass.exe C:\Users\Admin\AppData\Local\Temp\3919826265.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe

"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"

C:\Users\Admin\AppData\Local\Temp\24539.exe

C:\Users\Admin\AppData\Local\Temp\24539.exe

C:\7997101627193\lsass.exe

C:\7997101627193\lsass.exe

C:\Users\Admin\AppData\Local\Temp\3919826265.exe

C:\Users\Admin\AppData\Local\Temp\3919826265.exe

Network

Country Destination Domain Proto
N/A 185.215.113.93:80 185.215.113.93 tcp
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 86.59.21.38:80 86.59.21.38 tcp
N/A 127.0.0.1:57580 tcp
N/A 185.215.113.93:80 185.215.113.93 tcp
N/A 213.32.71.116:9030 tcp
N/A 213.32.71.116:9030 tcp
N/A 94.16.114.105:8080 94.16.114.105 tcp
N/A 195.154.252.151:443 tcp
N/A 185.183.159.99:9030 tcp
N/A 159.89.174.9:443 tcp
N/A 130.185.250.214:80 tcp
N/A 130.185.250.214:80 tcp
N/A 45.66.156.176:8443 tcp
N/A 45.66.156.176:8443 tcp
N/A 23.129.64.201:80 23.129.64.201 tcp
N/A 45.66.156.176:8443 tcp
N/A 185.215.113.93:80 185.215.113.93 tcp
N/A 45.66.156.176:8443 tcp
N/A 62.210.177.189:9030 tcp
N/A 62.210.177.189:9030 tcp
N/A 213.32.71.116:9030 tcp
N/A 212.83.168.196:80 api.wipmania.com tcp

Files

memory/744-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

\Users\Admin\AppData\Local\Temp\24539.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

memory/1712-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\24539.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

\7997101627193\lsass.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

memory/828-66-0x0000000000000000-mapping.dmp

C:\7997101627193\lsass.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

\Users\Admin\AppData\Local\Temp\3919826265.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

memory/592-71-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3919826265.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-03 07:04

Reported

2021-05-03 07:07

Platform

win10v20210410

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"

Signatures

Phorphiex Payload

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\16719.exe N/A
N/A N/A C:\182661816626241\lsass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1598816216.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\182661816626241\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\182661816626241\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\182661816626241\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\182661816626241\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\182661816626241\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\182661816626241\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\182661816626241\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\182661816626241\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\16719.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\182661816626241\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\16719.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe

"C:\Users\Admin\AppData\Local\Temp\0a6569e45a3a38f7168f4c4aa0594627.exe"

C:\Users\Admin\AppData\Local\Temp\16719.exe

C:\Users\Admin\AppData\Local\Temp\16719.exe

C:\182661816626241\lsass.exe

C:\182661816626241\lsass.exe

C:\Users\Admin\AppData\Local\Temp\1598816216.exe

C:\Users\Admin\AppData\Local\Temp\1598816216.exe

Network

Country Destination Domain Proto
N/A 185.215.113.93:80 185.215.113.93 tcp
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 62.210.177.189:9030 tcp
N/A 127.0.0.1:52087 tcp
N/A 199.58.81.140:80 199.58.81.140 tcp
N/A 185.215.113.93:80 185.215.113.93 tcp
N/A 193.11.164.243:9030 193.11.164.243 tcp
N/A 73.103.18.182:9001 tcp
N/A 148.251.237.219:443 tcp
N/A 95.111.254.9:19001 tcp
N/A 95.216.15.16:9001 tcp
N/A 199.58.81.140:80 199.58.81.140 tcp
N/A 141.255.162.34:8080 tcp
N/A 149.56.45.200:9030 149.56.45.200 tcp
N/A 83.212.102.114:29950 tcp
N/A 185.177.151.42:443 tcp
N/A 127.0.0.1:52087 tcp
N/A 62.210.177.189:9030 tcp
N/A 130.185.250.214:80 tcp
N/A 23.129.64.201:80 23.129.64.201 tcp
N/A 95.143.193.125:80 95.143.193.125 tcp
N/A 78.47.226.12:443 tcp
N/A 185.181.160.216:9001 tcp
N/A 127.0.0.1:52087 tcp
N/A 141.255.162.34:8080 tcp
N/A 185.215.113.93:80 185.215.113.93 tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 149.56.45.200:9030 149.56.45.200 tcp
N/A 23.129.64.201:80 23.129.64.201 tcp
N/A 51.158.68.56:443 tcp
N/A 88.88.79.167:80 tcp
N/A 199.58.81.140:80 199.58.81.140 tcp
N/A 127.0.0.1:52087 tcp
N/A 131.188.40.189:443 131.188.40.189 tcp
N/A 95.217.42.50:1067 tcp

Files

memory/1392-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\16719.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

memory/3708-117-0x0000000000000000-mapping.dmp

C:\182661816626241\lsass.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

memory/3800-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1598816216.exe

MD5 ee0a1ec859b753abc30847157d81f37c
SHA1 2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256 abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512 6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc