Malware Analysis Report

2024-11-30 15:08

Sample ID 211221-n2ynvadce5
Target 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin
SHA256 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682

Threat Level: Known bad

The file 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Phorphiex family

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-23 16:11

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:56

Platform

win7-en-20211208

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe"

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wlpmsvcr.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wlpmsvcr.exe" | C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\wlpmsvcr.exe | C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe | N/A
File opened for modification | C:\Windows\wlpmsvcr.exe | C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe

"C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe"

C:\Windows\wlpmsvcr.exe

C:\Windows\wlpmsvcr.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 52.137.90.34:80 | www.update.microsoft.com | tcp
IR | 78.39.146.132:40555 | | udp
IR | 46.225.21.117:40555 | | tcp
SC | 185.215.113.84:80 | | tcp
IR | 5.238.19.165:40555 | | udp
NG | 197.255.1.94:40555 | | udp
IR | 2.181.145.225:40555 | | udp
RU | 5.136.129.226:40555 | | udp
IR | 77.42.55.38:40555 | | udp
SC | 185.215.113.84:80 | | tcp
IR | 80.210.243.59:40555 | | tcp
TH | 184.22.76.48:40555 | | udp
IR | 46.225.206.4:40555 | | udp
IR | 31.184.160.220:40555 | | udp
IR | 151.232.202.182:40555 | | udp
SC | 185.215.113.84:80 | | tcp
CN | 42.248.183.174:40555 | | udp
IR | 5.236.202.102:40555 | | tcp
CN | 42.248.183.149:40555 | | udp
CN | 42.248.182.124:40555 | | udp
UZ | 89.236.250.69:40555 | | udp
SC | 185.215.113.84:80 | | tcp
BA | 77.221.27.41:40555 | | udp
PK | 182.180.9.243:40555 | | udp
IR | 109.122.236.177:40555 | | tcp
UZ | 89.236.240.212:40555 | | udp
IR | 2.180.107.206:40555 | | udp
SC | 185.215.113.84:80 | | tcp
IR | 176.65.172.118:40555 | | udp
SC | 185.215.113.57:40555 | | udp
CN | 42.248.182.42:40555 | | udp
MZ | 197.249.5.69:40555 | | tcp
RU | 93.80.107.39:40555 | | udp
SC | 185.215.113.84:80 | | tcp
CN | 42.248.183.69:40555 | | udp
IR | 2.187.35.93:40555 | | udp
UZ | 87.237.233.213:40555 | | udp
CN | 42.248.182.151:40555 | | udp
IR | 77.104.108.114:40555 | | tcp
UZ | 62.209.132.119:40555 | | udp
SC | 185.215.113.84:80 | | tcp
CN | 42.248.183.88:40555 | | udp

Files

memory/968-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

C:\Windows\wlpmsvcr.exe

MD5 bd5f71fcdba70236587930dddef0e59a
SHA1 4c47a7d780fb06a05763be682f6694de93e609b0
SHA256 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682
SHA512 98b05fd4fae3ff5c3f433fe82cec481ef8c040fa80fc92ad01b2d9bb9f95f5cd898e49efd253d62043a2e5db71c737ea44bf8440b3f4497f66efe059ca1075cf

memory/1692-55-0x0000000000000000-mapping.dmp

C:\Windows\wlpmsvcr.exe

MD5 bd5f71fcdba70236587930dddef0e59a
SHA1 4c47a7d780fb06a05763be682f6694de93e609b0
SHA256 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682
SHA512 98b05fd4fae3ff5c3f433fe82cec481ef8c040fa80fc92ad01b2d9bb9f95f5cd898e49efd253d62043a2e5db71c737ea44bf8440b3f4497f66efe059ca1075cf

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-21 11:54

Reported

2021-12-21 11:56

Platform

win10-en-20211208

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe"

Signatures

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wlpmsvcr.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wlpmsvcr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wlpmsvcr.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wlpmsvcr.exe" | C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\wlpmsvcr.exe | C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe | N/A
File opened for modification | C:\Windows\wlpmsvcr.exe | C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe

"C:\Users\Admin\AppData\Local\Temp\143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682.bin.exe"

C:\Windows\wlpmsvcr.exe

C:\Windows\wlpmsvcr.exe

Network

Country | Destination | Domain | Proto
IE | 52.109.76.32:443 | | tcp
US | 8.8.8.8:53 | time.windows.com | udp
NL | 40.119.148.38:123 | time.windows.com | udp
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 52.185.71.28:80 | www.update.microsoft.com | tcp
SC | 185.215.113.84:80 | 185.215.113.84 | tcp
MX | 189.242.245.204:40555 | | tcp
IR | 178.169.31.126:40555 | | udp
RU | 178.185.63.95:40555 | | udp
IN | 117.201.172.163:40555 | | udp
UZ | 89.236.227.208:40555 | | udp
IR | 151.239.133.138:40555 | | udp
IR | 2.186.162.125:40555 | | udp
IR | 5.239.159.10:40555 | | tcp
PK | 39.57.16.134:40555 | | udp
SC | 185.215.113.84:80 | | tcp
CN | 42.248.183.81:40555 | | udp
UZ | 89.236.250.69:40555 | | udp
IN | 117.213.224.102:40555 | | udp
IR | 89.43.217.22:40555 | | udp
CN | 42.248.183.14:40555 | | tcp
IR | 2.180.253.136:40555 | | udp
SC | 185.215.113.84:80 | | tcp
IR | 217.219.197.194:40555 | | udp
UZ | 89.236.216.4:40555 | | udp
N/A | 100.88.41.176:40555 | | udp
IR | 31.59.189.4:40555 | | udp
SC | 185.215.113.84:80 | | tcp
IR | 46.225.21.117:40555 | | tcp
IR | 2.178.208.211:40555 | | udp
UZ | 62.209.133.251:40555 | | udp
IR | 2.189.240.61:40555 | | udp
IR | 46.225.195.34:40555 | | udp
SC | 185.215.113.84:80 | | tcp
IR | 151.234.111.115:40555 | | udp
KZ | 88.204.223.198:40555 | | tcp
IR | 46.225.206.4:40555 | | udp
UZ | 87.237.236.131:40555 | | udp
SC | 185.215.113.84:80 | | tcp
MX | 187.226.132.116:40555 | | udp
MX | 189.244.230.86:40555 | | udp
CN | 42.248.183.197:40555 | | tcp
IR | 2.181.161.220:40555 | | udp

Files

memory/3976-115-0x0000000000000000-mapping.dmp

C:\Windows\wlpmsvcr.exe

MD5 bd5f71fcdba70236587930dddef0e59a
SHA1 4c47a7d780fb06a05763be682f6694de93e609b0
SHA256 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682
SHA512 98b05fd4fae3ff5c3f433fe82cec481ef8c040fa80fc92ad01b2d9bb9f95f5cd898e49efd253d62043a2e5db71c737ea44bf8440b3f4497f66efe059ca1075cf

C:\Windows\wlpmsvcr.exe

MD5 bd5f71fcdba70236587930dddef0e59a
SHA1 4c47a7d780fb06a05763be682f6694de93e609b0
SHA256 143e15adc8d63526b124a401fe1182a44542fb79f22fc17c602151a839c22682
SHA512 98b05fd4fae3ff5c3f433fe82cec481ef8c040fa80fc92ad01b2d9bb9f95f5cd898e49efd253d62043a2e5db71c737ea44bf8440b3f4497f66efe059ca1075cf