Malware Analysis Report

2024-11-30 15:37

Sample ID 210512-16scnb6wx6
Target 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.zip
SHA256 5c2e10388549c3dcc510874f71d4ffb13692b1bbdc5fc06a98e0f3f643302239
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c2e10388549c3dcc510874f71d4ffb13692b1bbdc5fc06a98e0f3f643302239

Threat Level: Known bad

The file 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.zip was found to be: Known bad. The SHA256 above is that of the submitted zip. The executable inside it was run as 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe, and the file it drops carries exactly that SHA256 (see Files), so the dropper writes a byte-identical copy of itself.

Behaviour seen in both detonations (Windows 7 in behavioral1, Windows 10 in behavioral2): the original executable creates C:\Windows\<14-digit number>\svchost.exe (20572149116002 on Windows 7, 11874895816198 on Windows 10; the directory name changes per run, the file hash does not) and registers it under the value name "Microsoft Service Driver" in both the HKLM Run key and the current user's Run key. The dropped copy then sets the seven Security Center values AntiVirusOverride, UpdatesOverride, FirewallOverride, AntiVirusDisableNotify, UpdatesDisableNotify, AutoUpdateDisableNotify and FirewallDisableNotify to 1 under the Wow6432Node view, and opens 7zfm.exe, 7zg.exe and 7z.exe in C:\Program Files\7-Zip for modification (the report does not show what, if anything, was written to them). On the network it queries tldrbox.top via 8.8.8.8 and connects to 88.218.16.27:80; 172.217.20.110:80 was contacted only in the Windows 7 run.

In both runs the dropped copy crashed and was handled by WerFault.exe (-p 1176 on Windows 7, -p 3464 on Windows 10; -p is the PID of the faulting process and matches the memory/1176-* and memory/3464-* dumps under Files). The AdjustPrivilegeToken and EnumeratesProcesses hits are attributed to WerFault.exe, not to the sample. The "Modifies Windows Defender Real-time Protection settings", "Windows security bypass" and "Phorphiex Payload" signatures fired without indicator rows; the only registry evidence in this report is the Security Center and Run key writes listed below.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Windows security bypass

Phorphiex Worm

Modifies Windows Defender Real-time Protection settings

Phorphiex Payload

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-12 01:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-12 01:07

Reported

2021-05-12 01:10

Platform

win7v20210408

Max time kernel

113s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\20572149116002\svchost.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\20572149116002\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\20572149116002\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\20572149116002\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\20572149116002\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\20572149116002\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\20572149116002\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\20572149116002\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\20572149116002\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\20572149116002\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
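The Security Center and Run key rows above are the kind of evidence a triage script can match mechanically rather than by eye. The following Python is an added example, not part of the sandbox report and not Phorphiex or sandbox-vendor code: it parses rows in the report's own "Set value" layout (the nine rows from the two tables above are copied in as constructed input) and applies three rules: a Security Center Override/DisableNotify value set to 1, a Run value whose image is a svchost.exe outside System32 or SysWOW64, and any path whose directory directly under C:\Windows is a long run of digits. The rule names, the parsing regex and the ten-digit threshold are my own choices for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Registry "Set value" rows copied from the behavioral1 tables of this report,
# embedded as constructed input so the example runs offline.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\20572149116002\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\20572149116002\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\20572149116002\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe N/A',
]

# One row: description, key path incl. value name, quoted data, writing process,
# target. Process and target must not contain spaces (true for every row here).
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>int|str)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)

# The seven Security Center values the dropped copy set to 1 in both runs.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "UpdatesOverride", "FirewallOverride",
    "AntiVirusDisableNotify", "UpdatesDisableNotify",
    "AutoUpdateDisableNotify", "FirewallDisableNotify",
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
# Directory directly under C:\Windows named by a long run of digits; the
# ten-digit threshold is an assumption for this example.
NUMERIC_WINDIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\\d{10,}\\", re.IGNORECASE)
# The only locations a genuine svchost.exe lives in.
LEGIT_SVCHOST_RE = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class RegEvent:
    hive: str      # MACHINE or USER
    key: str       # key path without the value name
    value: str     # value name
    vtype: str     # int or str
    data: str      # data with the report's doubled backslashes undone
    process: str   # process that wrote the value


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    key_path = m["key"]
    key, _, value = key_path.rpartition("\\")
    hive = key_path.split("\\")[2]          # \REGISTRY\<hive>\...
    data = m["data"].replace("\\\\", "\\")  # the report escapes str data
    return RegEvent(hive, key, value, m["vtype"], data, m["proc"])


def findings_for(ev: RegEvent) -> list[tuple[str, str]]:
    """Apply the three rules to one event; returns (rule, detail) pairs."""
    out: list[tuple[str, str]] = []
    if (ev.key.lower().endswith("\\security center")
            and ev.value in SECURITY_CENTER_FLAGS and ev.data == "1"):
        out.append(("security_center_tamper", ev.value))
    if RUN_KEY_RE.search(ev.key):
        image = ev.data.strip('"')
        if image.lower().endswith("\\svchost.exe") and not LEGIT_SVCHOST_RE.match(image):
            out.append(("run_key_svchost_masquerade", f"{ev.hive}:{ev.value} -> {image}"))
        if NUMERIC_WINDIR_RE.match(image):
            out.append(("run_key_numeric_windir", image))
    if NUMERIC_WINDIR_RE.match(ev.process):
        out.append(("writer_in_numeric_windir", ev.process))
    return out


def triage(rows: list[str]) -> list[tuple[str, str, str]]:
    """(rule, detail, writing process) for every hit across all rows."""
    hits: list[tuple[str, str, str]] = []
    for row in rows:
        ev = parse_row(row)
        hits.extend((rule, detail, ev.process) for rule, detail in findings_for(ev))
    return hits


def summarize(rows: list[str]) -> dict[str, int]:
    return dict(Counter(rule for rule, _, _ in triage(rows)))


if __name__ == "__main__":
    for rule, detail, proc in triage(REPORT_ROWS):
        print(f"{rule:28} {detail}  [written by {proc}]")
    print(summarize(REPORT_ROWS))
```

Run on the rows above, the script attributes the seven Security Center writes to the copy running from the numeric directory and the two Run key writes (HKLM and HKCU) to the original executable, which is the same split of roles the tables show; a Run entry pointing at a genuine C:\Program Files binary produces no finding.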

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\7zfm.exe | C:\Windows\20572149116002\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zg.exe | C:\Windows\20572149116002\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\20572149116002\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\20572149116002 | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
File created | C:\Windows\20572149116002\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
File opened for modification | C:\Windows\20572149116002\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\20572149116002\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe (5 identical events) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

C:\Windows\20572149116002\svchost.exe

C:\Windows\20572149116002\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 848

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | tldrbox.top | udp
N/A | 88.218.16.27:80 | | tcp
N/A | 172.217.20.110:80 | | tcp
N/A | 172.217.20.110:80 | | tcp
N/A | 88.218.16.27:80 | | tcp

Files

memory/1824-60-0x0000000075D51000-0x0000000075D53000-memory.dmp

memory/1824-61-0x0000000001EC0000-0x0000000001EDD000-memory.dmp

memory/1824-62-0x0000000000400000-0x00000000004EED90-memory.dmp

\Windows\20572149116002\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/1176-64-0x0000000000000000-mapping.dmp

C:\Windows\20572149116002\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/1176-67-0x0000000002110000-0x000000000212D000-memory.dmp

C:\Windows\20572149116002\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/628-70-0x0000000000000000-mapping.dmp

\Windows\20572149116002\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

\Windows\20572149116002\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

\Windows\20572149116002\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/628-74-0x0000000000240000-0x00000000002A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-12 01:07

Reported

2021-05-12 01:10

Platform

win10v20210410

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\11874895816198\svchost.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\11874895816198\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\11874895816198\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\11874895816198\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\11874895816198\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\11874895816198\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\11874895816198\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\11874895816198\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\11874895816198\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Driver = "C:\\Windows\\11874895816198\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\7zfm.exe | C:\Windows\11874895816198\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zg.exe | C:\Windows\11874895816198\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\11874895816198\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\11874895816198\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
File opened for modification | C:\Windows\11874895816198\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A
File opened for modification | C:\Windows\11874895816198 | C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\11874895816198\svchost.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe

"C:\Users\Admin\AppData\Local\Temp\0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184.exe"

C:\Windows\11874895816198\svchost.exe

C:\Windows\11874895816198\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1380

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | tldrbox.top | udp
N/A | 8.8.8.8:53 | tldrbox.top | udp
N/A | 88.218.16.27:80 | | tcp

Files

memory/1696-115-0x0000000000400000-0x00000000004EED90-memory.dmp

memory/1696-114-0x0000000002EE0000-0x0000000002EFD000-memory.dmp

memory/3464-116-0x0000000000000000-mapping.dmp

C:\Windows\11874895816198\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

C:\Windows\11874895816198\svchost.exe

MD5 1daca30b2b6c0ef60e02df04e656e990
SHA1 c1f6f1e1a27e7be32a3f18440c05951fa7e52eb9
SHA256 0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184
SHA512 7f547f46e21ffe3c764050b081621c5df5046be118eb2765e546ce3fa3c3ed7541dbe0dc4deca85c682a1122d78a528614eac6c6684adcfae5e2f215f3651b52

memory/3464-119-0x00000000025D0000-0x00000000025ED000-memory.dmp
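Comparing the two detonations is what decides which of the indicators in this report are safe to deploy: the numeric directory name under C:\Windows and one of the TCP destinations changed between runs, while the Run value name, the dropped file's hash, the DNS name and 88.218.16.27:80 did not. The following Python is an added example, not code from the report or from the sandbox vendor: it takes the indicators transcribed from behavioral1 and behavioral2 (embedded inline as constructed input), separates those that were identical across runs from those that changed, and replaces the volatile dropped path with a regex in which the digit-only component is generalised to a fixed-width digit class. The field names and helper names are assumptions for the example.

```python
from __future__ import annotations

import re

# Indicators transcribed from the behavioral1 (win7) and behavioral2 (win10)
# sections of this report, embedded as constructed input so it runs offline.
RUNS = {
    "behavioral1": {
        "dropped_path": r"C:\Windows\20572149116002\svchost.exe",
        "run_value_name": "Microsoft Service Driver",
        "dropped_sha256": "0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184",
        "dns": {"tldrbox.top"},
        "tcp": {"88.218.16.27:80", "172.217.20.110:80"},
    },
    "behavioral2": {
        "dropped_path": r"C:\Windows\11874895816198\svchost.exe",
        "run_value_name": "Microsoft Service Driver",
        "dropped_sha256": "0a052eff71641ff91897af5bdecb4a98ed3cb32bcb6ff86c4396b1e3ceee0184",
        "dns": {"tldrbox.top"},
        "tcp": {"88.218.16.27:80"},
    },
}


def generalize_paths(paths: list[str]) -> str:
    """One anchored regex covering every observed path: identical components
    stay literal, digit-only components that differ become \\d{n} (or \\d+ when
    their lengths differ), anything else becomes a one-component wildcard."""
    split = [p.split("\\") for p in paths]
    if len({len(s) for s in split}) != 1:
        raise ValueError("paths differ in depth; generalise them separately")
    parts = []
    for column in zip(*split):
        values = set(column)
        if len(values) == 1:
            parts.append(re.escape(column[0]))
        elif all(v.isdigit() for v in values):
            lengths = {len(v) for v in values}
            if len(lengths) == 1:
                parts.append(r"\d{%d}" % lengths.pop())
            else:
                parts.append(r"\d+")
        else:
            parts.append(r"[^\\]+")
    return "^" + r"\\".join(parts) + "$"


def path_matches(pattern: str, path: str) -> bool:
    return re.match(pattern, path, re.IGNORECASE) is not None


def split_indicators(runs: dict[str, dict]) -> dict[str, dict]:
    """Indicators identical in every run are 'stable'; those that changed are
    'volatile'. Volatile *_path fields additionally get a generalised pattern."""
    names = list(runs)
    stable: dict = {}
    volatile: dict = {}
    patterns: dict = {}
    for field in runs[names[0]]:
        values = [runs[n][field] for n in names]
        if isinstance(values[0], set):
            common = set.intersection(*values)
            differing = set.union(*values) - common
            if common:
                stable[field] = common
            if differing:
                volatile[field] = differing
        elif all(v == values[0] for v in values):
            stable[field] = values[0]
        else:
            volatile[field] = set(values)
            if field.endswith("_path"):
                patterns[field] = generalize_paths(values)
    return {"stable": stable, "volatile": volatile, "patterns": patterns}


if __name__ == "__main__":
    result = split_indicators(RUNS)
    for bucket in ("stable", "volatile", "patterns"):
        print(bucket)
        for field, value in result[bucket].items():
            print(f"  {field}: {value}")
```

For these two runs the dropped path generalises to a pattern equivalent to C:\Windows\<14 digits>\svchost.exe, which still rejects the genuine C:\Windows\System32\svchost.exe; 172.217.20.110:80 lands in the volatile bucket because only the Windows 7 run contacted it, so it should not be promoted to a blocking indicator on the strength of this report alone.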