Analysis Overview
SHA256
0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
Threat Level: Known bad
The file 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 was found to be: Known bad.
Malicious Activity Summary
Phorphiex Worm
Modifies Windows Defender Real-time Protection settings
Phorphiex Payload
Windows security bypass
Executes dropped EXE
Windows security modification
Loads dropped DLL
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 07:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 07:01
Reported
2021-05-11 07:04
Platform
win7v20210410
Max time kernel
138s
Max time network
53s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\19483196521428\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\19483196521428\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\19483196521428\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\19483196521428\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\19483196521428\svchost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zfm.exe | C:\Windows\19483196521428\svchost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zg.exe | C:\Windows\19483196521428\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\19483196521428\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| File opened for modification | C:\Windows\19483196521428\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| File opened for modification | C:\Windows\19483196521428 | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\19483196521428\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"
C:\Windows\19483196521428\svchost.exe
C:\Windows\19483196521428\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 840
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | tldrbox.top | udp |
| N/A | 88.218.16.27:80 | tcp |
Files
memory/1360-60-0x00000000752B1000-0x00000000752B3000-memory.dmp
memory/1360-61-0x0000000001EF0000-0x0000000001F0D000-memory.dmp
memory/1360-62-0x0000000000400000-0x00000000004EED90-memory.dmp
\Windows\19483196521428\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
memory/1476-64-0x0000000000000000-mapping.dmp
C:\Windows\19483196521428\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
memory/1476-67-0x0000000000580000-0x000000000059D000-memory.dmp
C:\Windows\19483196521428\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
memory/852-70-0x0000000000000000-mapping.dmp
\Windows\19483196521428\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
\Windows\19483196521428\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
\Windows\19483196521428\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
memory/852-74-0x0000000000350000-0x000000000043F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 07:01
Reported
2021-05-11 07:04
Platform
win10v20210410
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\1185199458588\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\1185199458588\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\1185199458588\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\1185199458588\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\1185199458588\svchost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zfm.exe | C:\Windows\1185199458588\svchost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zg.exe | C:\Windows\1185199458588\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\1185199458588\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| File opened for modification | C:\Windows\1185199458588 | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
| File created | C:\Windows\1185199458588\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\1185199458588\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | C:\Windows\1185199458588\svchost.exe |
| PID 3152 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | C:\Windows\1185199458588\svchost.exe |
| PID 3152 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | C:\Windows\1185199458588\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe
"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"
C:\Windows\1185199458588\svchost.exe
C:\Windows\1185199458588\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1388
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | tldrbox.top | udp |
| N/A | 8.8.8.8:53 | tldrbox.top | udp |
| N/A | 88.218.16.27:80 | tcp |
Files
memory/3152-115-0x0000000000400000-0x00000000004EED90-memory.dmp
memory/3152-114-0x0000000002320000-0x000000000233D000-memory.dmp
memory/3508-116-0x0000000000000000-mapping.dmp
C:\Windows\1185199458588\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
C:\Windows\1185199458588\svchost.exe
| MD5 | 1daca30b2b6c0ef60e02df04e656e990 |
| SHA1 | c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9 |
| SHA256 | 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 |
| SHA512 | 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52 |
memory/3508-119-0x0000000000690000-0x00000000006AD000-memory.dmp