Malware Analysis Report

2024-11-30 15:06

Sample ID 211221-n25gdsebcp
Target cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin
SHA256 cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254
Tags
phorphiex evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254

Threat Level: Known bad

The file cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion persistence trojan

Phorphiex Payload

Phorphiex family

Windows security bypass

Windows security modification

Adds Run key to start application

Drops file in Windows directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-23 16:11

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win7-en-20211208

Max time kernel

153s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe"

Signatures

Windows security bypass

evasion trojan

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\winudsvcs.exe" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winudsvcs.exe" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winudsvcs.exe C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
File created C:\Windows\winudsvcs.exe C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe

"C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.137.90.34:80 www.update.microsoft.com tcp
RU 45.182.189.233:48755 udp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 udp
SC 185.215.113.66:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp

Files

memory/288-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:57

Platform

win10-en-20211208

Max time kernel

159s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe"

Signatures

Windows security bypass

evasion trojan

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\winudsvcs.exe" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Users\\Admin\\winudsvcs.exe" C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winudsvcs.exe C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A
File opened for modification C:\Windows\winudsvcs.exe C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe

"C:\Users\Admin\AppData\Local\Temp\cf79b1db1c515944e8076170b8d8c2f72747c99e3c686b85422f8d3fd033b254.bin.exe"

Network

Country Destination Domain Proto
NL 104.80.224.57:443 tcp
US 52.109.12.18:443 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 52.185.71.28:80 www.update.microsoft.com tcp
SC 185.215.113.66:48755 udp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp
RU 45.182.189.233:48755 udp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp
RU 45.182.189.233:48755 tcp
RU 45.182.189.233:48755 tcp
SC 185.215.113.66:48755 tcp

Files

N/A