Malware Analysis Report

2024-11-30 15:06

Sample ID 211221-n25r6aebcq
Target f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin
SHA256 f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc
Tags phorphiex evasion loader persistence trojan worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc

Threat Level: Known bad

The file f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex Payload

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-12-23 16:11

Signatures

Phorphiex Payload


Phorphiex family

phorphiex

Analysis: behavioral2

Detonation Overview

Submitted 2021-12-21 11:54
Reported 2021-12-21 11:57
Platform win10-en-20211208
Max time kernel 158s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe"

Signatures

Phorphiex Payload


Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wcvpsvcr.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wcvpsvcr.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wcvpsvcr.exe" C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wcvpsvcr.exe C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe N/A
File opened for modification C:\Windows\wcvpsvcr.exe C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe

"C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe"

C:\Windows\wcvpsvcr.exe

C:\Windows\wcvpsvcr.exe

Network

Files

C:\Windows\wcvpsvcr.exe

MD5 ec96bcc50ca8fa91821e820fdfe30915
SHA1 f1a542683b90038b6619df44dc3cd8e30ad93f5d
SHA256 f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc
SHA512 572785bd3dfa297c1b03be308bd8460ada2bdf888f7ea9bb483203c41169b07a9d64ca522f70fd2627c4a9022e6bbb635b398e594b02e0a704956384d9597b9a

memory/2780-118-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2021-12-21 11:54
Reported 2021-12-21 11:57
Platform win7-en-20211208
Max time kernel 150s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe"

Signatures

Phorphiex Payload


Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wcvpsvcr.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wcvpsvcr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wcvpsvcr.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wcvpsvcr.exe" C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wcvpsvcr.exe C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe N/A
File created C:\Windows\wcvpsvcr.exe C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe

"C:\Users\Admin\AppData\Local\Temp\f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc.bin.exe"

C:\Windows\wcvpsvcr.exe

C:\Windows\wcvpsvcr.exe

Network

Files

memory/1192-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

memory/944-56-0x0000000000000000-mapping.dmp

C:\Windows\wcvpsvcr.exe

MD5 ec96bcc50ca8fa91821e820fdfe30915
SHA1 f1a542683b90038b6619df44dc3cd8e30ad93f5d
SHA256 f3fd26579b32378c1115937a1aea5daa2dc4d9f11c7c69c3f6878962e31e6fdc
SHA512 572785bd3dfa297c1b03be308bd8460ada2bdf888f7ea9bb483203c41169b07a9d64ca522f70fd2627c4a9022e6bbb635b398e594b02e0a704956384d9597b9a