Malware Analysis Report

2024-11-13 15:39

Sample ID 220812-xsap4abbe4
Target tmp
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-12 19:06

Signatures

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-12 19:06

Reported

2022-08-12 19:09

Platform

win7-20220812-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wklopsvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\312495840.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1189317648.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\wklopsvcs.exe N/A
N/A N/A C:\Windows\wklopsvcs.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wklopsvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\wklopsvcs.exe

C:\Windows\wklopsvcs.exe

C:\Users\Admin\AppData\Local\Temp\312495840.exe

C:\Users\Admin\AppData\Local\Temp\312495840.exe

C:\Users\Admin\AppData\Local\Temp\1189317648.exe

C:\Users\Admin\AppData\Local\Temp\1189317648.exe

Network


Files

memory/856-54-0x0000000075931000-0x0000000075933000-memory.dmp

memory/1720-55-0x0000000000000000-mapping.dmp

C:\Windows\wklopsvcs.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

\Users\Admin\AppData\Local\Temp\312495840.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

memory/1268-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\312495840.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

\Users\Admin\AppData\Local\Temp\1189317648.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/864-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1189317648.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-12 19:06

Reported

2022-08-12 19:09

Platform

win10v2004-20220721-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wklopsvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2066027931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\759315877.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\wklopsvcs.exe

C:\Windows\wklopsvcs.exe

C:\Users\Admin\AppData\Local\Temp\2066027931.exe

C:\Users\Admin\AppData\Local\Temp\2066027931.exe

C:\Users\Admin\AppData\Local\Temp\759315877.exe

C:\Users\Admin\AppData\Local\Temp\759315877.exe

Network


Files

memory/5004-130-0x0000000000000000-mapping.dmp

C:\Windows\wklopsvcs.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

C:\Users\Admin\AppData\Local\Temp\2066027931.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

memory/4148-133-0x0000000000000000-mapping.dmp

memory/1516-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\759315877.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900