Malware Analysis Report

2024-11-30 15:06

Sample ID 211001-tza3nacdfk
Target f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA256 f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
Tags
phorphiex evasion loader persistence trojan worm suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241

Threat Level: Known bad

The file f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241 was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm suricata

Phorphiex Payload

suricata: ET MALWARE APT-C-23 Activity (GET)

Phorphiex family

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-01 16:29

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-01 16:29

Reported

2021-10-01 16:34

Platform

win7v20210408

Max time kernel

304s

Max time network

332s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\16338282331159\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1028510743.exe N/A
N/A N/A C:\Windows\wsecsvcmgr.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\16338282331159\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\16338282331159\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\16338282331159\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\16338282331159\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wsecsvcmgr.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wsecsvcmgr.exe" C:\Users\Admin\AppData\Local\Temp\1028510743.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\16338282331159\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\16338282331159\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wsecsvcmgr.exe C:\Users\Admin\AppData\Local\Temp\1028510743.exe N/A
File opened for modification C:\Windows\wsecsvcmgr.exe C:\Users\Admin\AppData\Local\Temp\1028510743.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe C:\16338282331159\svchost.exe
PID 1652 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe C:\16338282331159\svchost.exe
PID 1652 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe C:\16338282331159\svchost.exe
PID 1652 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe C:\16338282331159\svchost.exe
PID 1752 wrote to memory of 564 N/A C:\16338282331159\svchost.exe C:\Users\Admin\AppData\Local\Temp\1028510743.exe
PID 1752 wrote to memory of 564 N/A C:\16338282331159\svchost.exe C:\Users\Admin\AppData\Local\Temp\1028510743.exe
PID 1752 wrote to memory of 564 N/A C:\16338282331159\svchost.exe C:\Users\Admin\AppData\Local\Temp\1028510743.exe
PID 1752 wrote to memory of 564 N/A C:\16338282331159\svchost.exe C:\Users\Admin\AppData\Local\Temp\1028510743.exe
PID 564 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1028510743.exe C:\Windows\wsecsvcmgr.exe
PID 564 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1028510743.exe C:\Windows\wsecsvcmgr.exe
PID 564 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1028510743.exe C:\Windows\wsecsvcmgr.exe
PID 564 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1028510743.exe C:\Windows\wsecsvcmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe

"C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"

C:\16338282331159\svchost.exe

C:\16338282331159\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1028510743.exe

C:\Users\Admin\AppData\Local\Temp\1028510743.exe

C:\Windows\wsecsvcmgr.exe

C:\Windows\wsecsvcmgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.wipmania.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 trik.ws udp
US 8.8.8.8:53 trikhaus.top udp
SC 185.215.113.84:80 trikhaus.top tcp
SC 185.215.113.84:80 trikhaus.top tcp
US 8.8.8.8:53 seuufhehfueugheu.ws udp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 8.8.8.8:53 feuhdeuhduhuehdu.ws udp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.185.71.28:80 www.update.microsoft.com tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 8.8.8.8:53 feauhueudughuuru.ws udp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 8.8.8.8:53 fheuhdwdzwgzdggu.ws udp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
CN 42.248.182.80:40555 tcp
KZ 176.98.240.194:40555 udp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 8.8.8.8:53 faugzeazdezgzgfu.ws udp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 8.8.8.8:53 wduufbaueeubffgu.ws udp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
YE 134.35.45.237:40555 udp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 8.8.8.8:53 okdoekeoehghaoeu.ws udp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 8.8.8.8:53 efuheruhdehduhgu.ws udp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
PK 39.60.43.90:40555 udp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 8.8.8.8:53 eafueudzefverrgu.ws udp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 8.8.8.8:53 deauduafzgezzfgu.ws udp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
UZ 217.30.167.173:40555 udp
US 8.8.8.8:53 gaueudbuwdbuguuu.ws udp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 8.8.8.8:53 efeuafubeubaefuu.ws udp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 8.8.8.8:53 eafuebdbedbedggu.ws udp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
MX 189.244.230.86:40555 udp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 8.8.8.8:53 wdkowdohwodhfhfu.ws udp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 8.8.8.8:53 efaeduvedvzfufuu.ws udp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
IR 93.118.111.44:40555 udp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 8.8.8.8:53 edhuaudhuedugufu.ws udp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
CN 42.248.182.142:40555 tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 8.8.8.8:53 eaffuebudbeudbbu.ws udp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 8.8.8.8:53 seuufhehfueugheb.to udp
IR 94.183.5.63:40555 udp
US 8.8.8.8:53 feuhdeuhduhuehdb.to udp
US 8.8.8.8:53 feauhueudughuurb.to udp
US 8.8.8.8:53 fheuhdwdzwgzdggb.to udp
US 8.8.8.8:53 faugzeazdezgzgfb.to udp
US 8.8.8.8:53 wduufbaueeubffgb.to udp
US 8.8.8.8:53 okdoekeoehghaoeb.to udp
US 8.8.8.8:53 efuheruhdehduhgb.to udp
IR 2.176.166.168:40555 udp
US 8.8.8.8:53 eafueudzefverrgb.to udp
US 8.8.8.8:53 deauduafzgezzfgb.to udp
US 8.8.8.8:53 gaueudbuwdbuguub.to udp
US 8.8.8.8:53 efeuafubeubaefub.to udp
US 8.8.8.8:53 eafuebdbedbedggb.to udp
US 8.8.8.8:53 wdkowdohwodhfhfb.to udp
US 8.8.8.8:53 efaeduvedvzfufub.to udp
US 8.8.8.8:53 edhuaudhuedugufb.to udp
IN 103.84.129.166:40555 udp
US 8.8.8.8:53 eaffuebudbeudbbb.to udp
US 8.8.8.8:53 seuufhehfueugheh.top udp
US 8.8.8.8:53 feuhdeuhduhuehdh.top udp
US 8.8.8.8:53 feauhueudughuurh.top udp
US 8.8.8.8:53 fheuhdwdzwgzdggh.top udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
AM 46.70.75.105:40555 udp
IR 5.235.64.192:40555 udp
IR 151.238.32.104:40555 tcp
CN 42.248.182.230:40555 udp
UZ 213.230.121.128:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.145:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 89.36.226.191:40555 udp
UZ 92.246.78.62:40555 udp
UZ 62.209.149.46:40555 tcp
CN 42.248.183.134:40555 udp
IR 185.227.66.241:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.182.95:40555 udp
IR 78.39.236.195:40555 udp
TH 184.22.76.48:40555 tcp
TZ 41.59.39.123:40555 udp
CN 42.248.182.112:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.17:40555 udp
IR 217.77.127.138:40555 udp
CN 42.248.182.29:40555 tcp
IR 31.57.14.89:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 79.127.101.234:40555 udp
UZ 213.230.69.229:40555 udp
IR 37.255.84.218:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 2.183.160.186:40555 udp
CN 42.248.182.228:40555 udp
RU 94.180.63.120:40555 tcp
IR 2.178.208.211:40555 udp
UZ 217.30.173.106:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 93.118.122.225:40555 udp
IR 151.235.51.140:40555 udp
IR 46.225.113.73:40555 udp
CN 42.248.183.72:40555 tcp
YE 89.189.95.52:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.247:40555 udp
TZ 41.59.203.60:40555 udp
IR 2.184.139.149:40555 udp
IR 151.232.202.182:40555 udp
CN 42.248.182.90:40555 tcp
IR 151.242.250.83:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
UZ 217.30.163.39:40555 udp
IR 151.244.197.160:40555 udp
IR 37.255.99.93:40555 udp
CN 42.248.183.37:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 188.253.103.108:40555 tcp
AF 149.54.20.134:40555 udp
UZ 185.248.44.67:40555 udp
RU 37.20.21.113:40555 udp

Files

memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp

\16338282331159\svchost.exe

MD5 4ece4d073b759e00584078490e1424f8
SHA1 a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256 f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

memory/1752-62-0x0000000000000000-mapping.dmp

C:\16338282331159\svchost.exe

MD5 4ece4d073b759e00584078490e1424f8
SHA1 a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256 f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

C:\16338282331159\svchost.exe

MD5 4ece4d073b759e00584078490e1424f8
SHA1 a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256 f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

\Users\Admin\AppData\Local\Temp\1028510743.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

\Users\Admin\AppData\Local\Temp\1028510743.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

C:\Users\Admin\AppData\Local\Temp\1028510743.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

memory/564-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1028510743.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

memory/568-72-0x0000000000000000-mapping.dmp

C:\Windows\wsecsvcmgr.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

C:\Windows\wsecsvcmgr.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-01 16:29

Reported

2021-10-01 16:34

Platform

win10-en-20210920

Max time kernel

300s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

suricata: ET MALWARE APT-C-23 Activity (GET)

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\131019982546\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1681017508.exe N/A
N/A N/A C:\Windows\wsecsvcmgr.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\131019982546\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\131019982546\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\131019982546\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wsecsvcmgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\131019982546\svchost.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\131019982546\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\131019982546\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wsecsvcmgr.exe" C:\Users\Admin\AppData\Local\Temp\1681017508.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wsecsvcmgr.exe C:\Users\Admin\AppData\Local\Temp\1681017508.exe N/A
File opened for modification C:\Windows\wsecsvcmgr.exe C:\Users\Admin\AppData\Local\Temp\1681017508.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe

"C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"

C:\131019982546\svchost.exe

C:\131019982546\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1681017508.exe

C:\Users\Admin\AppData\Local\Temp\1681017508.exe

C:\Windows\wsecsvcmgr.exe

C:\Windows\wsecsvcmgr.exe

Network

Country Destination Domain Proto
RU 194.190.18.122:443 tcp
US 8.8.8.8:53 api.wipmania.com udp
US 54.243.29.214:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 trik.ws udp
US 8.8.8.8:53 trikhaus.top udp
SC 185.215.113.84:80 trikhaus.top tcp
SC 185.215.113.84:80 trikhaus.top tcp
US 8.8.8.8:53 seuufhehfueugheu.ws udp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 64.70.19.203:80 seuufhehfueugheu.ws tcp
US 8.8.8.8:53 feuhdeuhduhuehdu.ws udp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.185.71.28:80 www.update.microsoft.com tcp
US 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
US 8.8.8.8:53 feauhueudughuuru.ws udp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
US 64.70.19.203:80 feauhueudughuuru.ws tcp
CN 42.248.183.155:40555 udp
SC 185.215.113.57:40555 tcp
US 8.8.8.8:53 fheuhdwdzwgzdggu.ws udp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
US 8.8.8.8:53 faugzeazdezgzgfu.ws udp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
US 8.8.8.8:53 wduufbaueeubffgu.ws udp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
IR 91.92.189.39:40555 udp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
IE 52.109.76.31:443 tcp
US 64.70.19.203:80 wduufbaueeubffgu.ws tcp
US 8.8.8.8:53 okdoekeoehghaoeu.ws udp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
US 8.8.8.8:53 efuheruhdehduhgu.ws udp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
YE 110.238.63.191:40555 udp
US 64.70.19.203:80 efuheruhdehduhgu.ws tcp
US 8.8.8.8:53 eafueudzefverrgu.ws udp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 64.70.19.203:80 eafueudzefverrgu.ws tcp
US 8.8.8.8:53 deauduafzgezzfgu.ws udp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 64.70.19.203:80 deauduafzgezzfgu.ws tcp
US 8.8.8.8:53 gaueudbuwdbuguuu.ws udp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
IR 37.255.240.128:40555 udp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
US 8.8.8.8:53 efeuafubeubaefuu.ws udp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 64.70.19.203:80 efeuafubeubaefuu.ws tcp
US 8.8.8.8:53 eafuebdbedbedggu.ws udp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
YE 134.35.15.160:40555 udp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 64.70.19.203:80 eafuebdbedbedggu.ws tcp
US 8.8.8.8:53 wdkowdohwodhfhfu.ws udp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
US 8.8.8.8:53 efaeduvedvzfufuu.ws udp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
US 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
MX 187.157.142.194:40555 udp
US 8.8.8.8:53 edhuaudhuedugufu.ws udp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
IR 151.239.133.138:40555 tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 64.70.19.203:80 edhuaudhuedugufu.ws tcp
US 8.8.8.8:53 eaffuebudbeudbbu.ws udp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
US 8.8.8.8:53 seuufhehfueugheb.to udp
VE 186.94.96.58:40555 udp
US 8.8.8.8:53 feuhdeuhduhuehdb.to udp
US 8.8.8.8:53 feauhueudughuurb.to udp
US 8.8.8.8:53 fheuhdwdzwgzdggb.to udp
US 8.8.8.8:53 faugzeazdezgzgfb.to udp
US 8.8.8.8:53 wduufbaueeubffgb.to udp
US 8.8.8.8:53 okdoekeoehghaoeb.to udp
US 8.8.8.8:53 efuheruhdehduhgb.to udp
US 8.8.8.8:53 eafueudzefverrgb.to udp
IR 46.245.56.183:40555 udp
US 8.8.8.8:53 deauduafzgezzfgb.to udp
US 8.8.8.8:53 gaueudbuwdbuguub.to udp
US 8.8.8.8:53 efeuafubeubaefub.to udp
US 8.8.8.8:53 eafuebdbedbedggb.to udp
US 8.8.8.8:53 wdkowdohwodhfhfb.to udp
US 8.8.8.8:53 efaeduvedvzfufub.to udp
US 8.8.8.8:53 edhuaudhuedugufb.to udp
MZ 197.249.5.69:40555 udp
US 8.8.8.8:53 eaffuebudbeudbbb.to udp
US 8.8.8.8:53 seuufhehfueugheh.top udp
US 8.8.8.8:53 feuhdeuhduhuehdh.top udp
US 8.8.8.8:53 feauhueudughuurh.top udp
US 8.8.8.8:53 fheuhdwdzwgzdggh.top udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.182.143:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.37:40555 udp
CN 42.248.183.162:40555 tcp
IR 46.225.105.140:40555 udp
UZ 217.30.162.43:40555 udp
CN 175.167.31.204:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.182.80:40555 udp
UZ 217.30.167.173:40555 udp
IR 2.178.208.211:40555 tcp
CN 175.147.2.244:40555 udp
IR 37.255.228.142:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.251:40555 udp
CN 42.248.183.19:40555 udp
CN 42.248.183.76:40555 tcp
IR 5.237.55.254:40555 udp
IR 89.165.23.166:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
UZ 213.230.69.229:40555 udp
CN 42.248.182.234:40555 udp
UZ 87.237.236.124:40555 udp
CN 42.248.183.218:40555 tcp
IR 31.59.189.4:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 78.38.19.56:40555 udp
IR 2.182.251.232:40555 udp
UZ 217.30.162.138:40555 udp
RU 95.179.30.13:40555 udp
UZ 213.230.120.120:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 151.238.32.104:40555 tcp
CN 42.248.182.40:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
RU 77.34.211.83:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 31.57.14.89:40555 udp
RU 5.227.250.248:40555 udp
IR 188.159.38.72:40555 udp
CN 42.248.182.182:40555 tcp
YE 78.137.64.114:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
UZ 213.230.111.163:40555 tcp
CN 42.248.183.131:40555 udp
MX 187.227.202.111:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.182.67:40555 udp
N/A 100.88.4.227:40555 udp
IR 37.255.205.167:40555 tcp
IR 78.38.107.89:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.215:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
YE 5.255.16.207:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
CN 42.248.183.55:40555 udp
CN 42.248.182.2:40555 udp
IR 2.186.162.125:40555 udp
IR 5.219.245.43:40555 tcp
CN 42.248.183.44:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
IR 2.191.40.101:40555 udp
IR 89.165.122.50:40555 udp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp
BE 35.205.61.67:80 fheuhdwdzwgzdggh.top tcp

Files

memory/4300-115-0x0000000000000000-mapping.dmp

C:\131019982546\svchost.exe

MD5 4ece4d073b759e00584078490e1424f8
SHA1 a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256 f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

C:\131019982546\svchost.exe

MD5 4ece4d073b759e00584078490e1424f8
SHA1 a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc
SHA256 f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
SHA512 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654

memory/4292-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1681017508.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

C:\Users\Admin\AppData\Local\Temp\1681017508.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

memory/4012-121-0x0000000000000000-mapping.dmp

C:\Windows\wsecsvcmgr.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c

C:\Windows\wsecsvcmgr.exe

MD5 c532ac418f3e867907c2757a7ca56a53
SHA1 0583af526b3825a570237c0d954c445fb30948d3
SHA256 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99
SHA512 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c