Malware Analysis Report

2024-11-13 15:39

Sample ID 220815-qdpr5sbadl
Target 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
Tags: phorphiex evasion loader persistence trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

Threat Level: Known bad

The file 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092 was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex

Windows security bypass

Executes dropped EXE

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-15 13:08

Signatures

Phorphiex family (phorphiex)

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-15 13:08
Reported: 2022-08-15 13:11
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe"

Signatures

Phorphiex (worm, trojan, loader, phorphiex)

Windows security bypass (evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\winrecsv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3226631807.exe | N/A

Windows security modification (evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A
File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe

"C:\Users\Admin\AppData\Local\Temp\22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092.exe"

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\3226631807.exe

C:\Users\Admin\AppData\Local\Temp\3226631807.exe

Network


Files

memory/1424-132-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/5036-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3226631807.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900