Malware Analysis Report

2024-11-13 15:39

Sample ID 220817-rf46aagedr
Target a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe
SHA256 4be45155e4f00c417a85688e2d31587ee82fe60dfc5c81a7c901ea703a179017
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

4be45155e4f00c417a85688e2d31587ee82fe60dfc5c81a7c901ea703a179017

Threat Level: Known bad

The file a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex

Windows security bypass

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-17 14:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-17 14:09

Reported

2022-08-17 14:11

Platform

win7-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A
N/A | N/A | C:\Windows\winrecsv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\202557257.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A
File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 360 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe
PID 360 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe
PID 360 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe
PID 360 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe | C:\Users\Admin\AppData\Local\Temp\3301420190.exe
PID 900 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | C:\Windows\winrecsv.exe
PID 900 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | C:\Windows\winrecsv.exe
PID 900 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | C:\Windows\winrecsv.exe
PID 900 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\3301420190.exe | C:\Windows\winrecsv.exe
PID 584 wrote to memory of 1584 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\202557257.exe
PID 584 wrote to memory of 1584 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\202557257.exe
PID 584 wrote to memory of 1584 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\202557257.exe
PID 584 wrote to memory of 1584 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\202557257.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe

"C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe"

C:\Users\Admin\AppData\Local\Temp\3301420190.exe

C:\Users\Admin\AppData\Local\Temp\3301420190.exe

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\202557257.exe

C:\Users\Admin\AppData\Local\Temp\202557257.exe

Network

Country | Destination | Domain | Proto
RU | 185.215.113.66:80 | 185.215.113.66 | tcp
RU | 185.215.113.66:80 | 185.215.113.66 | tcp
RU | 185.215.113.66:80 | 185.215.113.66 | tcp
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 20.72.235.82:80 | www.update.microsoft.com | tcp
IR | 2.179.77.37:40500 | | tcp
VE | 200.44.238.138:40500 | | udp
IR | 77.42.52.141:40500 | | udp
UA | 93.175.220.40:40500 | | udp
IR | 2.178.76.82:40500 | | udp
IR | 2.190.183.251:40500 | | udp
IR | 2.186.231.230:40500 | | udp
IR | 37.254.50.176:40500 | | tcp
SY | 185.199.246.61:40500 | | udp
SY | 46.53.5.10:40500 | | udp
UZ | 62.209.138.180:40500 | | udp
UZ | 213.230.90.158:40500 | | udp
SY | 31.193.72.43:40500 | | udp
TW | 125.227.235.121:40500 | | tcp
AZ | 94.20.233.229:40500 | | udp
SY | 82.137.244.49:40500 | | udp
VE | 186.91.87.219:40500 | | udp
IR | 151.235.50.104:40500 | | udp
BY | 87.252.235.64:40500 | | tcp
UZ | 213.230.97.218:40500 | | udp
IR | 5.232.246.158:40500 | | udp
UZ | 217.12.85.22:40500 | | udp

Files

memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp

\Users\Admin\AppData\Local\Temp\3301420190.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

\Users\Admin\AppData\Local\Temp\3301420190.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/900-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3301420190.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Users\Admin\AppData\Local\Temp\3301420190.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/584-61-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

\Users\Admin\AppData\Local\Temp\202557257.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/1584-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\202557257.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-17 14:09

Reported

2022-08-17 14:11

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A
N/A | N/A | C:\Windows\winrecsv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\277568521.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A
File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\2178432227.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe

"C:\Users\Admin\AppData\Local\Temp\a0e191d34fcd7c11b12b0ea4ac3b5e7e.exe"

C:\Users\Admin\AppData\Local\Temp\2178432227.exe

C:\Users\Admin\AppData\Local\Temp\2178432227.exe

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\277568521.exe

C:\Users\Admin\AppData\Local\Temp\277568521.exe

Network

Country | Destination | Domain | Proto
US | 67.27.154.126:80 | | tcp
RU | 185.215.113.66:80 | 185.215.113.66 | tcp
US | 52.109.8.21:443 | | tcp
RU | 185.215.113.66:80 | 185.215.113.66 | tcp
RU | 185.215.113.66:80 | 185.215.113.66 | tcp
US | 20.189.173.5:443 | | tcp
US | 8.8.8.8:53 | www.update.microsoft.com | udp
US | 20.109.209.108:80 | www.update.microsoft.com | tcp
UZ | 213.230.80.12:40500 | | udp
IR | 185.214.37.104:40500 | | tcp
UZ | 213.230.71.238:40500 | | udp
US | 8.238.21.126:80 | | tcp
US | 8.238.21.126:80 | | tcp
US | 67.27.154.126:80 | | tcp
YE | 134.35.215.161:40500 | | udp
MZ | 197.158.36.119:40500 | | udp
YE | 94.26.206.78:40500 | | tcp
MY | 175.143.207.216:40500 | | udp
IR | 87.251.156.130:40500 | | udp
IR | 2.178.65.112:40500 | | udp
UZ | 213.230.90.158:40500 | | udp
IR | 37.202.252.100:40500 | | udp
IR | 89.219.197.206:40500 | | tcp
SY | 185.150.143.158:40500 | | udp
KZ | 37.151.137.140:40500 | | udp
IR | 91.185.128.43:40500 | | udp
PK | 221.120.207.101:40500 | | udp
UZ | 213.230.120.247:40500 | | udp
VE | 190.199.230.103:40500 | | tcp
VE | 201.243.153.142:40500 | | udp
IR | 5.233.212.22:40500 | | udp
MX | 201.97.72.149:40500 | | udp
UZ | 195.158.22.11:40500 | | udp
IN | 14.139.242.251:40500 | | udp
IR | 5.238.136.31:40500 | | tcp
AO | 155.89.240.217:40500 | | udp
UZ | 217.30.169.113:40500 | | udp
IR | 5.75.101.157:40500 | | udp
IR | 46.100.167.18:40500 | | udp

Files

memory/4016-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2178432227.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Users\Admin\AppData\Local\Temp\2178432227.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/4508-135-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/4880-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\277568521.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

C:\Users\Admin\AppData\Local\Temp\277568521.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900