Malware Analysis Report

2024-11-30 15:06

Sample ID 210524-bclpja7xbe
Target 92ec0ad5172f3a97d6656b70c111af98.exe
SHA256 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c

Threat Level: Known bad

The file 92ec0ad5172f3a97d6656b70c111af98.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Phorphiex Worm

Windows security bypass

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-24 18:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-24 18:08

Reported

2021-05-24 18:11

Platform

win7v20210408

Max time kernel

137s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

Network

Country | Destination        | Domain | Proto
N/A     | 185.215.113.93:80  |        | tcp
N/A     | 185.215.113.93:80  |        | tcp
N/A     | 185.215.113.93:80  |        | tcp

Files

memory/1120-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-24 18:08

Reported

2021-05-24 18:10

Platform

win10v20210410

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process                                           | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\3478027055.exe  | N/A
N/A         | N/A       | C:\13185753226332\smss.exe                        | N/A

Windows security modification

evasion trojan

Description     | Indicator                                                                                      | Process                     | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    | C:\13185753226332\smss.exe  | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"     | C:\13185753226332\smss.exe  | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       | C:\13185753226332\smss.exe  | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  | C:\13185753226332\smss.exe  | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        | C:\13185753226332\smss.exe  | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   | C:\13185753226332\smss.exe  | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"         | C:\13185753226332\smss.exe  | N/A

Adds Run key to start application

persistence

Description     | Indicator                                                                                                                                                          | Process                                           | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe"                      | C:\Users\Admin\AppData\Local\Temp\3478027055.exe  | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13185753226332\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\3478027055.exe  | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

C:\Users\Admin\AppData\Local\Temp\3478027055.exe

C:\Users\Admin\AppData\Local\Temp\3478027055.exe

C:\13185753226332\smss.exe

C:\13185753226332\smss.exe

Network

Country | Destination         | Domain           | Proto
N/A     | 185.215.113.93:80   |                  | tcp
N/A     | 185.215.113.93:80   | 185.215.113.93   | tcp
N/A     | 8.8.8.8:53          | api.wipmania.com | udp
N/A     | 212.83.168.196:80   | api.wipmania.com | tcp
N/A     | 212.83.168.196:80   | api.wipmania.com | tcp
N/A     | 185.215.113.93:80   | 185.215.113.93   | tcp
N/A     | 23.129.64.201:80    | 23.129.64.201    | tcp
N/A     | 127.0.0.1:62639     |                  | tcp

Files

memory/4008-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3478027055.exe

MD5 e28889b5f98d8ed1a00835e1ca8a3b21
SHA1 b665e89468ac7ae566aa996aeec203b25bf24b0c
SHA256 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
SHA512 d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

memory/2268-117-0x0000000000000000-mapping.dmp

C:\13185753226332\smss.exe

MD5 e28889b5f98d8ed1a00835e1ca8a3b21
SHA1 b665e89468ac7ae566aa996aeec203b25bf24b0c
SHA256 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
SHA512 d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd