Malware Analysis Report

2024-11-30 15:37

Sample ID 210524-nkhk51a6me
Target 92ec0ad5172f3a97d6656b70c111af98.exe
SHA256 5e31f3d2ad06413f4c3824c6bbe56cf7dffda38cec5bd1b2c0c377718a11297c
Tags phorphiex evasion loader persistence trojan worm
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 92ec0ad5172f3a97d6656b70c111af98.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Windows security bypass

Phorphiex Payload

Phorphiex Worm

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2021-05-24 17:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-05-24 17:55
Reported 2021-05-24 17:57
Platform win7v20210408
Max time kernel 145s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

Network

Country Destination Domain Proto
N/A 185.215.113.93:80 tcp

Files

memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2021-05-24 17:55
Reported 2021-05-24 17:57
Platform win10v20210410
Max time kernel 149s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

Signatures

Phorphiex Payload

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe C:\Windows\System32\cmd.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\50781317113831\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\50781317113831\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\50781317113831\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\50781317113831\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\50781317113831\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\50781317113831\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\50781317113831\smss.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\50781317113831\\smss.exe" C:\Users\Admin\AppData\Local\Temp\1126038252.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\50781317113831\\smss.exe" C:\Users\Admin\AppData\Local\Temp\1126038252.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe C:\Users\Admin\AppData\Local\Temp\1126038252.exe
PID 2968 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\1126038252.exe C:\50781317113831\smss.exe
PID 3464 wrote to memory of 2148 N/A C:\50781317113831\smss.exe C:\Users\Admin\AppData\Local\Temp\2648319356.exe
PID 3464 wrote to memory of 1924 N/A C:\50781317113831\smss.exe C:\Users\Admin\AppData\Local\Temp\2345614391.exe
PID 1924 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2345614391.exe C:\Users\Admin\AppData\Local\Temp\1290831180.exe
PID 4016 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\1290831180.exe C:\Windows\System32\cmd.exe
PID 3464 wrote to memory of 3768 N/A C:\50781317113831\smss.exe C:\Users\Admin\AppData\Local\Temp\1246011076.exe
PID 3768 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1246011076.exe C:\Users\Admin\AppData\Local\Temp\2746621474.exe

Processes

C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe

"C:\Users\Admin\AppData\Local\Temp\92ec0ad5172f3a97d6656b70c111af98.exe"

C:\Users\Admin\AppData\Local\Temp\1126038252.exe

C:\Users\Admin\AppData\Local\Temp\1126038252.exe

C:\50781317113831\smss.exe

C:\50781317113831\smss.exe

C:\Users\Admin\AppData\Local\Temp\2648319356.exe

C:\Users\Admin\AppData\Local\Temp\2648319356.exe

C:\Users\Admin\AppData\Local\Temp\2345614391.exe

C:\Users\Admin\AppData\Local\Temp\2345614391.exe

C:\Users\Admin\AppData\Local\Temp\1290831180.exe

C:\Users\Admin\AppData\Local\Temp\1290831180.exe

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40DD.tmp\40DE.tmp\40DF.bat C:\Users\Admin\AppData\Local\Temp\1290831180.exe"

C:\Users\Admin\AppData\Local\Temp\1246011076.exe

C:\Users\Admin\AppData\Local\Temp\1246011076.exe

C:\Users\Admin\AppData\Local\Temp\2746621474.exe

C:\Users\Admin\AppData\Local\Temp\2746621474.exe

Network

Files

memory/2968-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1126038252.exe

MD5 e28889b5f98d8ed1a00835e1ca8a3b21
SHA1 b665e89468ac7ae566aa996aeec203b25bf24b0c
SHA256 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
SHA512 d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

memory/3464-117-0x0000000000000000-mapping.dmp

C:\50781317113831\smss.exe

MD5 e28889b5f98d8ed1a00835e1ca8a3b21
SHA1 b665e89468ac7ae566aa996aeec203b25bf24b0c
SHA256 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
SHA512 d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

memory/2148-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2648319356.exe

MD5 e28889b5f98d8ed1a00835e1ca8a3b21
SHA1 b665e89468ac7ae566aa996aeec203b25bf24b0c
SHA256 0429bed4098d95e68e4686ed79cb3967e7396956a095433dd56f4e3d49135d73
SHA512 d3f1708274dd84045c46c3315aeba5c16f890d94ddfcda0df29e96bc3a0159ead0f8945898d6dde25ad01981e385a41b69b1bdfd700e08f47249bffece941cbd

memory/1924-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2345614391.exe

MD5 f3318b4b120c21a6e415153315aef2fb
SHA1 23c6433cf48eb7361b227cf973ec0c977e868ffa
SHA256 069f4598f042e0eee51a9078ba2b08d42f198bb67f144dc898f42b76de136c21
SHA512 227e2661081fbf30b9c7f1a7c3f045741cb3f1678a7f459aded92a590d5b7f2a6596d3e2f0e97d3ce70de6eb3fae451278a69249871ea2fd451a06b2ac6fc3e7

memory/4016-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1290831180.exe

MD5 d84e11ca2e8970c1b6d1066d5aea11c5
SHA1 36e763db197c2b41e9201fd6603e9f0c9628d429
SHA256 73dee9efe42b12582befda0154650efb83f6d33e6d6b69acf00b1d9b4ce3b518
SHA512 7132ba84a67a6991890e71e4069392c0b2b12d6e3ccedf8f8017c0a92928849e8ff4d6ca94b350c4605e1f56d839f067c73c37ba08305f6a57b737b0956fc8ee

memory/4012-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\40DD.tmp\40DE.tmp\40DF.bat

MD5 a317b9bdc3a5e70f5e7964be46b9557d
SHA1 69421493be0fb5e61b498d8c331d0de7d978f886
SHA256 582da2e1c3d3fe2dc565e5fdf109f21ba9bbf8fea5b28a7d8ba98412043f4178
SHA512 c2f3b768b9df2e934f22a73a97c6a4cd062b092175c115dd9f4fa7f8ec8cfff4289286cac88ac62585424f328b2cea3c08decf587345b16bcdcb2ce7deb1fa39

C:\Users\Admin\AppData\Local\Temp\40DD.tmp\Defender.exe

MD5 150430cc02f3708fdd8bd79418a8985a
SHA1 ac471b51146c411c9697763dbd0ae9ef919397d9
SHA256 e02d9b5ece07693c4863747dddd58761dfebb2ef729deec937142ad97eabb474
SHA512 d1b972fd2da1ea1fee05657ce63466764c84e135d3c97463f4f1acb164a2ef306ae857b02f9f10628551b0bf29b8ae4715f0d6fa045531ce6189d80218f4d35f

C:\Users\Admin\AppData\Local\Temp\40DD.tmp\Process.exe

MD5 d65359ec05a8c4054b14768f4a04676f
SHA1 fc149a785aa8058d626610f5e0add97f4ccb4e91
SHA256 2bb15c50b0b33b900ee8a826fea73017d05f8cb562fb4027b6f1701e49fad73e
SHA512 c50be8d45cc771495057d08b836fc95cbf803c76ed58561b9b958e278c092cc74f387524176fa0d3f21e98904d8da44125e8b9df7db59d239abd3df9d8e667a8

memory/3768-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1246011076.exe

MD5 94bfc6c684e0143e3543c5a3a0af7ccc
SHA1 ac3d8970df78ddf6b299e53e24b14fab9a512673
SHA256 dbd84d9bb51ac5a97476f14c91df0be135c6ada8cb49ef3e70bc8ad0fc013801
SHA512 b75981d5cb4f8096b5109a0e8eae30141f3c0f598f1a621b2915647c0b04573e6943c979b27dd2723d02e4cdcb19933a3de47e7f8e7c72eb0608ff7b31c481c9

memory/2704-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2746621474.exe

MD5 b1e29e528a7510be3c04dcff622f63ab
SHA1 ae8a2d88a4b0bcd8a11364be5a687f2a2a86d83a
SHA256 a98ccb74c29d4e6c3929cfea2f157dd53ce9c3ea67bd25934aab24f416ce9d13
SHA512 e7f59ab406d79832dacd0c4bdeb4bbbe8cc626bcf247502f8a817d2f2e39449450806976f5cb725a35f1bb1a58ef41488b32d6aea9cf3a54590c7989d3696040
