Malware Analysis Report

2024-11-30 15:36

Sample ID 210511-ed45lve7ke
Target 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184 was found to be: Known bad.

Malicious Activity Summary

Phorphiex Worm

Modifies Windows Defender Real-time Protection settings

Phorphiex Payload

Windows security bypass

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2021-05-11 07:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 07:01

Reported

2021-05-11 07:04

Platform

win7v20210410

Max time kernel

138s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\19483196521428\svchost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\19483196521428\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\19483196521428\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\19483196521428\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\19483196521428\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Windows\19483196521428\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\19483196521428\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\19483196521428\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\19483196521428\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\19483196521428\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\19483196521428\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zfm.exe C:\Windows\19483196521428\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zg.exe C:\Windows\19483196521428\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\19483196521428\svchost.exe C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A
File opened for modification C:\Windows\19483196521428\svchost.exe C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A
File opened for modification C:\Windows\19483196521428 C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\19483196521428\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

C:\Windows\19483196521428\svchost.exe

C:\Windows\19483196521428\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 840

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 tldrbox.top udp
N/A 88.218.16.27:80 tcp

Files

memory/1360-60-0x00000000752B1000-0x00000000752B3000-memory.dmp

memory/1360-61-0x0000000001EF0000-0x0000000001F0D000-memory.dmp

memory/1360-62-0x0000000000400000-0x00000000004EED90-memory.dmp

\Windows\19483196521428\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/1476-64-0x0000000000000000-mapping.dmp

C:\Windows\19483196521428\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/1476-67-0x0000000000580000-0x000000000059D000-memory.dmp

C:\Windows\19483196521428\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/852-70-0x0000000000000000-mapping.dmp

\Windows\19483196521428\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

\Windows\19483196521428\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

\Windows\19483196521428\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/852-74-0x0000000000350000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 07:01

Reported

2021-05-11 07:04

Platform

win10v20210410

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\1185199458588\svchost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\1185199458588\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\1185199458588\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Windows\1185199458588\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\1185199458588\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\1185199458588\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\1185199458588\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\1185199458588\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\1185199458588\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\1185199458588\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\1185199458588\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zfm.exe C:\Windows\1185199458588\svchost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zg.exe C:\Windows\1185199458588\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\1185199458588\svchost.exe C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A
File opened for modification C:\Windows\1185199458588 C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A
File created C:\Windows\1185199458588\svchost.exe C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\1185199458588\svchost.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

C:\Windows\1185199458588\svchost.exe

C:\Windows\1185199458588\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1388

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 tldrbox.top udp
N/A 8.8.8.8:53 tldrbox.top udp
N/A 88.218.16.27:80 tcp

Files

memory/3152-115-0x0000000000400000-0x00000000004EED90-memory.dmp

memory/3152-114-0x0000000002320000-0x000000000233D000-memory.dmp

memory/3508-116-0x0000000000000000-mapping.dmp

C:\Windows\1185199458588\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

C:\Windows\1185199458588\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/3508-119-0x0000000000690000-0x00000000006AD000-memory.dmp