Malware Analysis Report

2024-11-30 15:08

Sample ID 211221-n23mssebck
Target 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin
SHA256 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e
Tags
phorphiex evasion loader persistence trojan worm
Score 10/10

Analysis Overview

Score 10/10

SHA256 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e

Threat Level: Known bad

The file 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Phorphiex family

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-12-23 16:11

Signatures

Phorphiex Payload


Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted 2021-12-21 11:54
Reported 2021-12-21 11:57
Platform win7-en-20211208
Max time kernel 149s
Max time network 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe"

Signatures

Phorphiex Payload


Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wapmsvcr.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wapmsvcr.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wapmsvcr.exe" C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wapmsvcr.exe C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe N/A
File opened for modification C:\Windows\wapmsvcr.exe C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe

"C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe"

C:\Windows\wapmsvcr.exe

C:\Windows\wapmsvcr.exe

Network

Country Destination Domain Proto

Files

memory/1588-54-0x0000000075191000-0x0000000075193000-memory.dmp

memory/1668-55-0x0000000000000000-mapping.dmp

C:\Windows\wapmsvcr.exe

MD5 9fa3010c557db8477aec95587748dc82
SHA1 10ffea2306659a4c021bf55a842afa2fd69761be
SHA256 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e
SHA512 77c6f7e9bfb3e15ebd1bc58cf6b206477d6e44128083a36ea051fb232f8008b31c4807b509ba6918da2af006dc472763caf12d8e128f221c040925ab1732b7f2


Analysis: behavioral2

Detonation Overview

Submitted 2021-12-21 11:54
Reported 2021-12-21 11:57
Platform win10-en-20211208
Max time kernel 160s
Max time network 167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe"

Signatures

Phorphiex Payload


Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wapmsvcr.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wapmsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wapmsvcr.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wapmsvcr.exe" C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wapmsvcr.exe C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe N/A
File opened for modification C:\Windows\wapmsvcr.exe C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe

"C:\Users\Admin\AppData\Local\Temp\7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e.bin.exe"

C:\Windows\wapmsvcr.exe

C:\Windows\wapmsvcr.exe

Network

Country Destination Domain Proto

Files

memory/3116-115-0x0000000000000000-mapping.dmp

C:\Windows\wapmsvcr.exe

MD5 9fa3010c557db8477aec95587748dc82
SHA1 10ffea2306659a4c021bf55a842afa2fd69761be
SHA256 7d72f66070b144fdd4d0fcbe39c732d1943b5836c8da1d469da876c27775808e
SHA512 77c6f7e9bfb3e15ebd1bc58cf6b206477d6e44128083a36ea051fb232f8008b31c4807b509ba6918da2af006dc472763caf12d8e128f221c040925ab1732b7f2
