Malware Analysis Report

2024-11-30 15:06

Sample ID 211221-n23b2adcf2
Target 7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin
SHA256 7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506

Threat Level: Known bad

The file 7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Worm

Windows security bypass

Phorphiex Payload

Phorphiex family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-23 16:11

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win7-en-20211208

Max time kernel

157s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wedrvcsvc.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wedrvcsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wedrvcsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wedrvcsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wedrvcsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wedrvcsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wedrvcsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wedrvcsvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wedrvcsvc.exe" C:\Users\Admin\AppData\Local\Temp\7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wedrvcsvc.exe C:\Users\Admin\AppData\Local\Temp\7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe N/A
File opened for modification C:\Windows\wedrvcsvc.exe C:\Users\Admin\AppData\Local\Temp\7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe N/A
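
The three host-side signatures above (Security Center overrides, the Run key, the copy dropped into C:\Windows) are separate rows in the report, but the interesting fact is their combination: the file that gets persistence is the file the sample itself just wrote. The following Python is an added worked example, not part of the Triage report or the sandbox's own signature engine: it parses events in the "Description Indicator Process Target" layout used above, maps them to findings, and correlates the Run value with the file-creation event. The rule names (security_center_override, run_key_persistence, drops_exe_in_windows_dir, run_key_targets_dropped_file), the Finding class and the helper functions are assumptions chosen for this example; the event strings are constructed by copying the behavioral1 indicators above.

```python
import re
from dataclasses import dataclass

SAMPLE = "7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE   # the submitted file
DROPPED = r"C:\Windows\wedrvcsvc.exe"                            # its copy in the Windows directory
SC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
RUN_KEY_PATH = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed input: the behavioral1 registry and file events from the report, one per line in
# its "Description Indicator Process Target" layout (the Run value keeps the report's doubled
# backslashes, which is how the sandbox renders the REG_SZ data).
SAMPLE_EVENTS = [
    f'Set value (int) {SC_KEY}\\{name} = "1" {DROPPED} N/A'
    for name in ("FirewallDisableNotify", "AntiSpywareOverride", "AntiVirusOverride",
                 "AntiVirusDisableNotify", "UpdatesOverride", "UpdatesDisableNotify", "FirewallOverride")
] + [
    f'Set value (str) {RUN_KEY_PATH}\\Microsoft Windows Update Service = "C:\\\\Windows\\\\wedrvcsvc.exe" {DROPPER} N/A',
    f"File created {DROPPED} {DROPPER} N/A",
    f"File opened for modification {DROPPED} {DROPPER} N/A",
]

SET_VALUE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = '
                       r'"(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$')
FILE_EVENT = re.compile(r'^File (?P<action>created|opened for modification) (?P<file>\S+) (?P<process>\S+) \S+$')
SECURITY_CENTER = re.compile(r'\\Microsoft\\Security Center$', re.IGNORECASE)   # native or Wow6432Node view
RUN_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
SYSTEM_ROOT_EXE = re.compile(r'^C:\\Windows\\[^\\]+\.exe$', re.IGNORECASE)
# Security Center values the sample flips to 1: each either silences a WSC notification
# (*DisableNotify) or tells WSC that a third-party product already covers that area (*Override).
SC_OVERRIDES = {"AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride", "FirewallOverride",
                "FirewallDisableNotify", "UpdatesOverride", "UpdatesDisableNotify"}


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name for this example, not a Triage signature id
    process: str   # process that performed the action
    detail: str


def run_value_exe(value):
    """Executable part of a Run value: a quoted path, else the first token of the command line."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def triage(events):
    """Map raw sandbox event lines to findings and link Run-key persistence to the dropped file."""
    findings, created_by, run_targets = [], {}, []
    for line in events:
        m = FILE_EVENT.match(line)
        if m:
            if m["action"] == "created":
                created_by[m["file"].lower()] = m["process"]
            if SYSTEM_ROOT_EXE.match(m["file"]):
                findings.append(Finding("drops_exe_in_windows_dir", m["process"], f'{m["action"]}: {m["file"]}'))
            continue
        m = SET_VALUE.match(line)
        if not m:
            continue
        key, name, value = m["key"], m["name"], m["value"].replace("\\\\", "\\")
        if SECURITY_CENTER.search(key) and name in SC_OVERRIDES and value == "1":
            findings.append(Finding("security_center_override", m["process"], name))
        elif RUN_KEY.search(key):
            exe = run_value_exe(value)
            run_targets.append(exe)
            findings.append(Finding("run_key_persistence", m["process"], f"{name} -> {exe}"))
    # A Run entry that points at a file created earlier in the same run is the loader-to-persistence link.
    for exe in run_targets:
        if exe.lower() in created_by:
            findings.append(Finding("run_key_targets_dropped_file", created_by[exe.lower()], exe))
    return findings


def summarize(findings):
    """Rule name -> hit count, the same shape as the report's Signatures section."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.process}  {f.detail}")
```

On this input the correlation step attributes the persistence to the submitted sample (the process that set the Run value) while the seven Security Center writes come from the copy already running out of C:\Windows, which matches the Process column of the tables above. On a live host the same check would be run against HKLM\SOFTWARE\Microsoft\Security Center and its Wow6432Node mirror, and a value of 1 in any of the seven names is worth treating as tampering rather than a user preference.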

Processes

C:\Users\Admin\AppData\Local\Temp\7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe

"C:\Users\Admin\AppData\Local\Temp\7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506.bin.exe"

C:\Windows\wedrvcsvc.exe

C:\Windows\wedrvcsvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.185.71.28:80 www.update.microsoft.com tcp
SC 185.215.113.84:80 N/A tcp
IR 46.225.113.73:40555 N/A udp
IR 31.57.14.89:40555 N/A tcp
IR 2.183.160.186:40555 N/A udp
CN 42.248.182.188:40555 N/A udp
IR 188.159.38.72:40555 N/A udp
SC 185.215.113.84:80 N/A tcp
MX 187.157.142.194:40555 N/A udp
CN 42.248.182.19:40555 N/A udp
IR 109.110.182.177:40555 N/A tcp
CN 42.248.182.151:40555 N/A udp
IR 31.58.25.211:40555 N/A udp
YE 134.35.120.179:40555 N/A udp
SC 185.215.113.84:80 N/A tcp
MY 115.132.27.134:40555 N/A udp
IR 77.237.177.92:40555 N/A udp
IR 80.210.39.46:40555 N/A tcp
IR 91.185.143.225:40555 N/A udp
IR 37.255.183.75:40555 N/A udp
SC 185.215.113.84:80 N/A tcp
RU 188.234.8.175:40555 N/A udp
UZ 89.236.226.162:40555 N/A udp
CN 42.248.182.158:40555 N/A udp
CN 42.248.183.113:40555 N/A tcp
KZ 147.30.18.211:40555 N/A udp
SC 185.215.113.84:80 N/A tcp
PK 39.57.16.134:40555 N/A udp
UZ 87.237.233.213:40555 N/A udp
IR 5.235.64.192:40555 N/A udp
IR 151.234.129.83:40555 N/A udp
SC 185.215.113.84:80 N/A tcp
UZ 213.230.90.43:40555 N/A tcp
IR 46.225.210.16:40555 N/A udp
IR 79.127.101.234:40555 N/A udp
UZ 217.30.162.43:40555 N/A udp
CN 42.248.183.18:40555 N/A udp
SC 185.215.113.84:80 N/A tcp
IR 46.224.182.0:40555 N/A udp
CN 42.248.182.240:40555 N/A tcp
MX 189.154.11.15:40555 N/A udp
KZ 178.90.204.204:40555 N/A udp
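
Two patterns in the Network table above are worth pulling out mechanically rather than by eye: one bare-IP endpoint (185.215.113.84:80) is contacted repeatedly across the run, and a single unusual port (40555) is sprayed at dozens of distinct hosts in many countries, which is the shape of worm or peer-to-peer traffic rather than a single command server. The Python below is an added example written for this page, not part of the Triage report; it parses rows in the report's "Country Destination Domain Proto" layout (Domain blank for bare-IP traffic), profiles each destination port, and returns the fan-out ports and repeat endpoints. The row text is constructed by copying the table above; the function names and the thresholds (10 peers, 3 countries, 3 hits) are assumptions for the example, and the report does not say why the sample contacts www.update.microsoft.com, so the example only separates hostname traffic from bare-IP traffic and does not score it.

```python
import re
from collections import defaultdict

# Constructed input: the behavioral1 Network table from the report, copied row by row in its
# "Country Destination Domain Proto" layout; the Domain column is blank for bare-IP traffic.
NETWORK_TABLE = """\
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.185.71.28:80 www.update.microsoft.com tcp
SC 185.215.113.84:80 tcp
IR 46.225.113.73:40555 udp
IR 31.57.14.89:40555 tcp
IR 2.183.160.186:40555 udp
CN 42.248.182.188:40555 udp
IR 188.159.38.72:40555 udp
SC 185.215.113.84:80 tcp
MX 187.157.142.194:40555 udp
CN 42.248.182.19:40555 udp
IR 109.110.182.177:40555 tcp
CN 42.248.182.151:40555 udp
IR 31.58.25.211:40555 udp
YE 134.35.120.179:40555 udp
SC 185.215.113.84:80 tcp
MY 115.132.27.134:40555 udp
IR 77.237.177.92:40555 udp
IR 80.210.39.46:40555 tcp
IR 91.185.143.225:40555 udp
IR 37.255.183.75:40555 udp
SC 185.215.113.84:80 tcp
RU 188.234.8.175:40555 udp
UZ 89.236.226.162:40555 udp
CN 42.248.182.158:40555 udp
CN 42.248.183.113:40555 tcp
KZ 147.30.18.211:40555 udp
SC 185.215.113.84:80 tcp
PK 39.57.16.134:40555 udp
UZ 87.237.233.213:40555 udp
IR 5.235.64.192:40555 udp
IR 151.234.129.83:40555 udp
SC 185.215.113.84:80 tcp
UZ 213.230.90.43:40555 tcp
IR 46.225.210.16:40555 udp
IR 79.127.101.234:40555 udp
UZ 217.30.162.43:40555 udp
CN 42.248.183.18:40555 udp
SC 185.215.113.84:80 tcp
IR 46.224.182.0:40555 udp
CN 42.248.182.240:40555 tcp
MX 189.154.11.15:40555 udp
KZ 178.90.204.204:40555 udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_rows(text):
    """One dict per connection; the header line and blank lines do not match and are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                          "domain": m["domain"], "proto": m["proto"]})
    return conns


def port_profile(conns):
    """Per destination port: distinct peers, countries, protocols, hit count, and whether any
    contact on that port carried a hostname (bare-IP traffic is the kind worth scoring)."""
    prof = defaultdict(lambda: {"peers": set(), "countries": set(), "protos": set(), "hits": 0, "named": False})
    for c in conns:
        p = prof[c["port"]]
        p["peers"].add(c["ip"]); p["countries"].add(c["cc"]); p["protos"].add(c["proto"])
        p["hits"] += 1; p["named"] = p["named"] or c["domain"] is not None
    return prof


def find_fanout(conns, min_peers=10, min_countries=3):
    """Ports sprayed at many distinct bare-IP peers in several countries (worm / P2P pattern).
    Thresholds are illustrative assumptions, not values from the report."""
    hits = []
    for port, p in sorted(port_profile(conns).items()):
        if not p["named"] and len(p["peers"]) >= min_peers and len(p["countries"]) >= min_countries:
            hits.append((port, len(p["peers"]), len(p["countries"]), sorted(p["protos"])))
    return hits


def find_beacons(conns, min_hits=3):
    """Bare-IP endpoints contacted repeatedly during the run: candidate C2 / payload hosts."""
    count = defaultdict(int)
    for c in conns:
        if c["domain"] is None:
            count[(c["ip"], c["port"], c["proto"])] += 1
    return sorted(((ip, port, proto, n) for (ip, port, proto), n in count.items() if n >= min_hits),
                  key=lambda t: -t[3])


if __name__ == "__main__":
    conns = parse_rows(NETWORK_TABLE)
    print("fan-out ports:", find_fanout(conns))
    print("repeat endpoints:", find_beacons(conns))
```

On the table above this yields one fan-out port, 40555 with 34 distinct peers in 9 countries over both TCP and UDP, and one repeat endpoint, 185.215.113.84:80 over TCP with 7 contacts in the 155 s network window. For a network block or IDS rule the repeat endpoint is the stable indicator; the 40555 peer list is a snapshot of whatever hosts answered during this detonation and should not be treated as a fixed set.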

Files

memory/1448-54-0x0000000076421000-0x0000000076423000-memory.dmp

memory/1452-55-0x0000000000000000-mapping.dmp

C:\Windows\wedrvcsvc.exe

MD5 9857fb8f7630b354f482c3f6c65a3083
SHA1 5486dc80ae1073645626f197677c1eedf4329c1f
SHA256 7356a7c98588b980302a5f2340b56f75a13bdac613f7c22b62eeb4590896e506
SHA512 c1f001548869d4f02f01141d228121c4b32d1cec133b4d7fc51fb23171bda3c437a011511b2c0d1ace43814de4b359487b85783ff76b4155e57b324ef08b2fc9

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:55

Platform

win10-en-20211208

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A