Malware Analysis Report

2024-11-30 15:06

Sample ID 211221-n22qhadce9
Target 63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin
SHA256 63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3
Tags
phorphiex evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3

Threat Level: Known bad

The file 63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion persistence trojan

Phorphiex Payload

Phorphiex family

Windows security bypass

Windows security modification

Adds Run key to start application

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-23 16:11

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win7-en-20211208

Max time kernel

154s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe"

Signatures

Windows security bypass

evasion trojan

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winusvcs.exe" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe

"C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 52.137.90.34:80 | www.update.microsoft.com | tcp
SC | 185.215.113.66:48755 | | udp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win10-en-20211208

Max time kernel

166s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe"

Signatures

Windows security bypass

evasion trojan

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winusvcs.exe" | C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe

"C:\Users\Admin\AppData\Local\Temp\63455c30d70fc9c2f3150dc8426fd1ea30884b12b4d5a74ba126698c680d7ee3.bin.exe"

Network

Country | Destination | Domain | Proto
NL | 104.80.224.57:443 | | tcp
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 52.185.71.28:80 | www.update.microsoft.com | tcp
SC | 185.215.113.66:48755 | | udp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
US | 8.8.8.8:53 | time.windows.com | udp
NL | 20.101.57.9:123 | time.windows.com | udp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp
SC | 185.215.113.66:48755 | | tcp

Files

N/A