Malware Analysis Report

2024-11-30 15:07

Sample ID 211221-n239bsdcf3
Target 8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin
SHA256 8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9

Threat Level: Known bad

The file 8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Phorphiex Worm

Phorphiex family

Windows security bypass

Executes dropped EXE

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-23 16:11

Signatures

Phorphiex Payload

No indicator details recorded for this signature.

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win7-en-20211208

Max time kernel

153s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe"

Signatures

Phorphiex Payload

No indicator details recorded for this signature.

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wudsvsmgr.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wudsvsmgr.exe | N/A

All seven values are written by the dropped copy, not by the original dropper. The Wow6432Node path shows the writer is a 32-bit process on 64-bit Windows: the registry redirector sends its HKLM\SOFTWARE writes to the WOW64 view. These *Override and *DisableNotify values are the Windows XP SP2-era Security Center settings; Vista and later no longer honour them the way XP did, so on this win7 platform the writes mark the host more than they weaken it, which makes the full set of seven a useful detection indicator for this family rather than evidence of a real loss of protection.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wudsvsmgr.exe" | C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe | N/A

The Run value is written by the original dropper and named to resemble a Windows component. Explorer processes the Wow6432Node Run key at logon on 64-bit Windows, so the redirected path does not reduce its effect; the entry survives the dropper's exit and restarts the copy from C:\Windows at every logon.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\wudsvsmgr.exe | C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe | N/A
File opened for modification | C:\Windows\wudsvsmgr.exe | C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe

"C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe"

C:\Windows\wudsvsmgr.exe

C:\Windows\wudsvsmgr.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 52.137.90.34:80 | www.update.microsoft.com | tcp
SC | 185.215.113.48:40555 | - | udp
SC | 185.215.113.57:40555 | - | tcp
SC | 185.215.113.57:40555 | - | udp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.57:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.57:40555 | - | tcp

The report does not attribute flows to processes. The 8.8.8.8 DNS lookups and the www.update.microsoft.com connection are consistent with platform or OS background traffic (or a connectivity probe); the only destinations the platform does not explain are 185.215.113.48 and 185.215.113.57 on port 40555, contacted repeatedly over both TCP and UDP inside the 149 s capture window, which is the pattern of command-and-control polling. No DNS lookup precedes them in this capture, so the sample reaches them by address.

Files

memory/1524-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

memory/1656-55-0x0000000000000000-mapping.dmp

C:\Windows\wudsvsmgr.exe

MD5 5bbd9bc7dafd0a6076ed450aa18afc0a
SHA1 3ec5aa4b6185a505c521b07268d19a12455754e5
SHA256 8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9
SHA512 2d5f87490b90611bc9602c4f36933294f1021b20893275429b2d36b5e2b691d0eb8703579373dc43929902387032f74a51c7a7ec98aff3a3764d13d0bc8bbd3a

The dropped file is listed twice in the run (once per file event) with identical hashes, and its SHA256 is the submitted sample's SHA256: the dropper copies itself byte-for-byte to C:\Windows, so the sample hash also identifies the persisted copy and the two records deduplicate by hash during triage.

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win10-en-20211208

Max time kernel

156s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe"

Signatures

Phorphiex Payload

No indicator details recorded for this signature.

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wudsvsmgr.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wudsvsmgr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wudsvsmgr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wudsvsmgr.exe" | C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\wudsvsmgr.exe | C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe | N/A
File opened for modification | C:\Windows\wudsvsmgr.exe | C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe | N/A
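The three host-side behaviours recorded in the signature tables of both runs (Security Center override values set to 1, a Run value pointing at an executable directly under C:\Windows, and that executable being created there) can be matched from registry and file events. The following is an added example, not part of the sandbox report: the Event schema (kind, image, target, data) is an assumed stand-in for a Sysmon or EDR record, and the event list is constructed from the report's rows plus two benign control events. It matches the 64-bit and the WOW64 registry view and the two casings of the prefix seen across the win7 and win10 runs.

```python
r"""Flag the host-side Phorphiex behaviour recorded in the sandbox signatures:
legacy Security Center override values set to 1, a Run value whose command
points at an .exe directly under C:\Windows, and that .exe being created.
Added example, not part of the report. The Event schema is an assumption,
not a real Sysmon/EDR format; SAMPLE_EVENTS is constructed from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str       # "reg_set" or "file_create" (assumed schema)
    image: str      # process that performed the action
    target: str     # registry value path or file path
    data: str = ""  # registry data written, if any


# XP SP2-era Security Center values; the sample sets all seven to 1.
# Compared case-insensitively because registry value names are.
SECURITY_CENTER_VALUES = {
    name.lower() for name in (
        "AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
        "FirewallOverride", "FirewallDisableNotify",
        "UpdatesOverride", "UpdatesDisableNotify",
    )
}

# WOW6432Node is optional so the 64-bit and the redirected 32-bit view both
# match; IGNORECASE covers the Wow6432Node/WOW6432Node casing difference
# between the win7 and win10 runs.
SECURITY_CENTER_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Security Center\\(?P<value>[^\\]+)",
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)",
    re.IGNORECASE,
)
# An .exe directly in C:\Windows (no subdirectory), as wudsvsmgr.exe is.
WINDOWS_DIR_EXE = re.compile(r"C:\\Windows\\[^\\]+\.exe", re.IGNORECASE)


def analyze(events):
    """Collect the three indicator classes from a list of Event records."""
    overrides = {}   # Security Center value name -> process that set it to 1
    run_keys = []    # (Run value name, command) where command is in C:\Windows
    dropped = []     # executables created directly under C:\Windows
    for ev in events:
        if ev.kind == "reg_set":
            m = SECURITY_CENTER_KEY.fullmatch(ev.target)
            if m and m.group("value").lower() in SECURITY_CENTER_VALUES and ev.data == "1":
                overrides[m.group("value")] = ev.image
                continue
            m = RUN_KEY.fullmatch(ev.target)
            if m and WINDOWS_DIR_EXE.fullmatch(ev.data):
                run_keys.append((m.group("name"), ev.data))
        elif ev.kind == "file_create" and WINDOWS_DIR_EXE.fullmatch(ev.target):
            dropped.append(ev.target)
    return {
        "security_center_overrides": sorted(overrides),
        "run_keys": run_keys,
        "dropped_exes": dropped,
    }


def verdict(found):
    r"""True when the behaviours co-occur as they do in both sandbox runs.
    Any one alone is weak (installers write Run keys too); several Security
    Center overrides plus a Run entry into C:\Windows plus the matching drop
    is specific enough to alert on."""
    return (
        len(found["security_center_overrides"]) >= 3
        and bool(found["run_keys"])
        and bool(found["dropped_exes"])
    )


# Events constructed from the report's signature rows (not a real log).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe"
DROPPED = r"C:\Windows\wudsvsmgr.exe"
SC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"

SAMPLE_EVENTS = [
    Event("file_create", DROPPER, DROPPED),
    Event("reg_set", DROPPER,
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service",
          DROPPED),
] + [
    Event("reg_set", DROPPED, SC_KEY + "\\" + name, "1")
    for name in ("FirewallOverride", "FirewallDisableNotify", "AntiSpywareOverride",
                 "AntiVirusOverride", "AntiVirusDisableNotify",
                 "UpdatesOverride", "UpdatesDisableNotify")
] + [
    # Benign control events (constructed): must not contribute to the verdict.
    Event("reg_set", r"C:\Windows\explorer.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    Event("file_create", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\cab_1234.tmp"),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for key, items in found.items():
        print(f"{key}: {items}")
    print("phorphiex-like:", verdict(found))
```

The threshold in verdict is a choice, not something the report states: three overrides is low enough to catch a variant that sets only the AntiVirus and Firewall pair plus one more, while the Run-into-C:\Windows and drop conditions keep ordinary installers out.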

Processes

C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe

"C:\Users\Admin\AppData\Local\Temp\8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9.bin.exe"

C:\Windows\wudsvsmgr.exe

C:\Windows\wudsvsmgr.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | time.windows.com | udp
NL | 20.101.57.9:123 | time.windows.com | udp
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 52.185.71.28:80 | www.update.microsoft.com | tcp
SC | 185.215.113.57:40555 | - | udp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.48:40555 | - | udp
SC | 185.215.113.57:40555 | - | tcp
SC | 185.215.113.57:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.57:40555 | - | tcp
SC | 185.215.113.57:40555 | - | tcp
SC | 185.215.113.48:40555 | - | tcp
SC | 185.215.113.57:40555 | - | tcp

Same two endpoints and port as the win7 run. The additional time.windows.com traffic on UDP 123 is consistent with Windows 10 background time synchronisation rather than sample activity.
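The Network tables of both runs mix platform background traffic with the sample's own connections and repeat the same endpoints many times. The following is an added example, not part of the report, of how to triage such a table: it parses the rows, filters background traffic with a stated heuristic, counts flows per endpoint, and emits one Suricata alert per endpoint. The rows are copied from the behavioral2 table; the noise heuristic (resolver DNS and Microsoft/Windows domains) and the sid range are assumptions for illustration.

```python
"""Triage a sandbox Network table: separate platform background traffic from
the sample's connections, count flows per endpoint, and emit blocking rules.
Added example, not part of the report. BEHAVIORAL2_NETWORK is copied from the
report; the noise heuristic and the Suricata sid range are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    proto: str
    domain: Optional[str]  # None where the report left the Domain column empty


# Rows copied from the behavioral2 Network table (3-column rows have no domain).
BEHAVIORAL2_NETWORK = """
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.185.71.28:80 www.update.microsoft.com tcp
SC 185.215.113.57:40555 udp
SC 185.215.113.48:40555 tcp
SC 185.215.113.48:40555 tcp
SC 185.215.113.48:40555 tcp
SC 185.215.113.48:40555 udp
SC 185.215.113.57:40555 tcp
SC 185.215.113.57:40555 tcp
SC 185.215.113.48:40555 tcp
SC 185.215.113.57:40555 tcp
SC 185.215.113.57:40555 tcp
SC 185.215.113.48:40555 tcp
SC 185.215.113.57:40555 tcp
"""


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), proto.lower(), domain))
    return flows


RESOLVERS = {"8.8.8.8"}
PLATFORM_DOMAIN_SUFFIXES = ("microsoft.com", "windows.com")


def is_platform_noise(flow):
    """Assumed heuristic: resolver DNS and Microsoft/Windows-owned domains are
    sandbox or OS background traffic. The report does not attribute flows to
    processes, so this is triage, not proof of origin."""
    if flow.ip in RESOLVERS and flow.port == 53:
        return True
    return bool(flow.domain) and flow.domain.endswith(PLATFORM_DOMAIN_SUFFIXES)


def summarize(flows):
    """Count the sample's connections per (ip, port, proto) endpoint."""
    return Counter((f.ip, f.port, f.proto) for f in flows if not is_platform_noise(f))


def suricata_rules(summary, base_sid=9000000):
    """One alert per C2 endpoint. base_sid is a placeholder local-rule range;
    pick one that does not collide with the rules already deployed."""
    rules = []
    for i, ((ip, port, proto), n) in enumerate(sorted(summary.items())):
        rules.append(
            f"alert {proto} $HOME_NET any -> {ip} {port} "
            f'(msg:"Phorphiex C2 {ip}:{port}/{proto} ({n} flows in sandbox)"; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    summary = summarize(parse_rows(BEHAVIORAL2_NETWORK))
    for (ip, port, proto), n in sorted(summary.items()):
        print(f"{ip}:{port}/{proto}  {n} flows")
    print("\n".join(suricata_rules(summary)))
```

Run on the behavioral2 rows this collapses sixteen lines to four endpoints (two hosts, port 40555, TCP and UDP each) and drops the four background flows; the per-endpoint count is worth keeping in the rule message because a single UDP probe and a dozen TCP retries tell different stories about which transport the C2 actually answers on.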

Files

memory/1316-118-0x0000000000000000-mapping.dmp

C:\Windows\wudsvsmgr.exe

MD5 5bbd9bc7dafd0a6076ed450aa18afc0a
SHA1 3ec5aa4b6185a505c521b07268d19a12455754e5
SHA256 8f49d7e3596aff4c8cd3aa38d0dc6911ae77e54cc3b13210d95c9f38063317a9
SHA512 2d5f87490b90611bc9602c4f36933294f1021b20893275429b2d36b5e2b691d0eb8703579373dc43929902387032f74a51c7a7ec98aff3a3764d13d0bc8bbd3a

Listed twice in the run with identical hashes; as in the win7 run, the SHA256 equals the submitted sample's, so the persisted copy is an unmodified self-copy of the dropper.