Malware Analysis Report

2024-11-13 15:39

Sample ID 220822-mbf6fahdc4
Target a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
SHA256 a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96

Threat Level: Known bad

The file a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96 was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Windows security bypass

Phorphiex

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-22 10:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-22 10:17

Reported

2022-08-22 10:19

Platform

win7-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A
N/A N/A C:\Windows\winrecsv.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A
File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe

"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"

C:\Users\Admin\AppData\Local\Temp\915211631.scr

C:\Users\Admin\AppData\Local\Temp\915211631.scr

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

Network

Country Destination Domain Proto
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
PK 39.53.112.230:40500 tcp
UA 31.170.155.238:40500 udp
UZ 213.230.97.32:40500 udp
KZ 95.56.89.135:40500 udp
IR 188.211.85.31:40500 udp
UA 93.76.157.8:40500 udp
GH 196.175.1.52:40500 tcp
UZ 217.30.170.9:40500 udp
IR 188.215.220.104:40500 udp
IR 2.180.53.112:40500 udp
IR 31.59.137.132:40500 tcp
AZ 109.127.17.122:40500 udp
UZ 213.230.90.158:40500 udp
US 69.67.151.86:40500 udp
VE 201.243.153.142:40500 udp
ID 111.94.53.251:40500 udp
IR 93.118.121.92:40500 tcp
TJ 79.170.184.222:40500 udp
IR 37.254.70.57:40500 udp
RU 37.20.208.89:40500 udp
PK 119.158.120.235:40500 udp

Files

memory/1504-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

\Users\Admin\AppData\Local\Temp\915211631.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

\Users\Admin\AppData\Local\Temp\915211631.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Users\Admin\AppData\Local\Temp\915211631.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/1696-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\915211631.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/1208-61-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-22 10:17

Reported

2022-08-22 10:19

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2293823999.scr N/A
N/A N/A C:\Windows\winrecsv.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\2293823999.scr N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\2293823999.scr N/A
File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\2293823999.scr N/A
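The registry rows in the "Windows security bypass", "Windows security modification" and "Adds Run key" tables of both detonations share one row format, and a few details in them are worth checking programmatically rather than by eye: the Security Center values (AntiVirusOverride, FirewallDisableNotify and the rest) suppress Security Center/Action Center warnings rather than disable any product, the Wow6432Node path shows a 32-bit process writing the redirected HKLM\SOFTWARE view on 64-bit Windows, the two sandboxes spell that key Wow6432Node and WOW6432Node (registry paths are case-insensitive, so a matcher must fold case), and the Run value named "Windows Settings" points at the file the .scr stage dropped into the root of C:\Windows. The script below is an added example and not part of the Triage report: it parses rows in the report's own format, raises one finding per Security Center override, one for a Run key written by a process in %TEMP% that points into C:\Windows, and one when the Run target is a file the same detonation saw created. The sample rows are copied from the tables above; the OneDrive row is constructed as a benign control and the rule names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: registry and file rows copied from the signature tables
# above (both detonations), plus one benign Run-key row invented for contrast.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A',
    r'File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A',
    r'File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\915211631.scr N/A',
    # Invented benign row (not from the report): a per-user Run entry for a
    # program that lives outside C:\Windows and was written by itself.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
]

# Row formats as printed in the report: "Set value (type) <key\name> = "<value>" <process> <target>"
# and "File <op> <path> <process> <target>".
SET_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$')
FILE_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$')

# Security Center values seen in the report; all are compared case-folded.
SECURITY_CENTER_VALUES = {
    "antivirusoverride", "antivirusdisablenotify", "antispywareoverride",
    "firewalloverride", "firewalldisablenotify",
    "updatesoverride", "updatesdisablenotify",
}


@dataclass
class Finding:
    rule: str      # example's own rule name, not a Triage signature name
    process: str   # process that performed the write
    detail: str


def parse_row(row):
    """Turn one report row into a registry or file event, or None if it is neither."""
    m = SET_RE.match(row)
    if m:
        key, _, name = m.group("path").rpartition("\\")
        return {"kind": "registry", "key": key, "name": name,
                # the report escapes backslashes inside string values
                "value": m.group("value").replace("\\\\", "\\"),
                "process": m.group("proc")}
    m = FILE_RE.match(row)
    if m:
        return {"kind": "file", "op": m.group("op"),
                "path": m.group("path"), "process": m.group("proc")}
    return None


def is_windows_root(path):
    """True for a file directly in C:\\Windows\\ (not in a subdirectory such as System32)."""
    p = path.casefold()
    prefix = "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def is_temp_path(path):
    return "\\appdata\\local\\temp\\" in path.casefold()


def triage(rows):
    """Apply the three rules to a list of report rows and return the findings in row order."""
    events = [e for e in (parse_row(r) for r in rows) if e]
    created = {e["path"].casefold() for e in events
               if e["kind"] == "file" and e["op"] == "created"}
    findings = []
    for e in events:
        if e["kind"] != "registry":
            continue
        key = e["key"].casefold()  # folds Wow6432Node / WOW6432Node
        if (key.endswith("\\microsoft\\security center")
                and e["name"].casefold() in SECURITY_CENTER_VALUES
                and e["value"] == "1"):
            findings.append(Finding("security_center_override", e["process"], e["name"]))
        elif key.endswith("\\microsoft\\windows\\currentversion\\run"):
            target = e["value"].strip('"')
            if is_temp_path(e["process"]) and is_windows_root(target):
                findings.append(Finding("run_key_from_temp", e["process"], f"{e['name']} -> {target}"))
            if target.casefold() in created:
                findings.append(Finding("dropped_file_persisted", e["process"], target))
    return findings


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.rule:26} {f.process}  {f.detail}")
```

On the sample above the run reports four security_center_override findings (all by C:\Windows\winrecsv.exe), one run_key_from_temp and one dropped_file_persisted (both by the .scr stage), and nothing for the OneDrive control row. The same three rules translate directly to endpoint telemetry (Sysmon event ID 13 for the registry writes, event ID 11 for the file creation) once the rows are replaced by those events.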

Processes

C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe

"C:\Users\Admin\AppData\Local\Temp\a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96.exe"

C:\Users\Admin\AppData\Local\Temp\2293823999.scr

C:\Users\Admin\AppData\Local\Temp\2293823999.scr

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

Network

Country Destination Domain Proto
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
KG 31.186.54.5:40500 udp
IR 77.42.78.120:40500 tcp
AM 46.71.107.63:40500 udp
US 13.107.4.50:80 tcp
SY 185.194.125.197:40500 udp
IR 80.210.24.47:40500 udp
UZ 195.158.14.139:40500 udp
PK 39.53.175.125:40500 udp
YE 46.35.68.30:40500 tcp
IN 14.139.242.251:40500 udp
KZ 95.59.235.26:40500 udp
IR 2.182.9.184:40500 udp
DZ 105.106.149.0:40500 udp
MX 187.205.140.68:40500 udp
KZ 92.47.35.158:40500 tcp
AO 154.118.198.100:40500 udp
TJ 185.177.0.183:40500 udp
VN 14.253.89.170:40500 udp
PK 182.183.161.108:40500 udp
KZ 88.204.242.226:40500 udp
IR 80.191.192.113:40500 tcp
IR 217.219.198.230:40500 udp
IR 31.56.184.183:40500 udp
MX 189.175.148.121:40500 udp
AZ 109.127.17.122:40500 udp
MX 189.149.15.5:40500 udp
YE 134.35.149.225:40500 tcp
KZ 92.47.35.158:40500 udp
KG 212.112.115.77:40500 udp
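The two network tables (behavioral1 above and behavioral2 here) show the same shape: repeated plain-HTTP connections to 185.215.113.66:80 addressed by IP literal, background traffic to www.update.microsoft.com, and a fan-out of single TCP or UDP attempts on port 40500 to dozens of hosts across many countries. The report does not say what port 40500 is, and individual 40500 peers are poor indicators on their own; one of them (109.127.17.122) does recur in both detonations, which is the kind of pivot worth pulling out. The script below is an added example, not part of the Triage report: it parses rows in the report's own "country ip:port [domain] proto" format, identifies ports with a fan-out of distinct peers, lists repeated non-fan-out destinations as C2 candidates, and intersects the destination sets of the two runs. The sample rows are a verbatim subset of the two tables; the allowlist of background domains and the fan-out threshold are assumptions to tune.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a verbatim subset of the rows from the two network
# tables above (the full tables are longer; no destination is invented).
BEHAVIORAL1_ROWS = """\
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
PK 39.53.112.230:40500 tcp
UA 31.170.155.238:40500 udp
IR 188.211.85.31:40500 udp
AZ 109.127.17.122:40500 udp
US 69.67.151.86:40500 udp
""".splitlines()

BEHAVIORAL2_ROWS = """\
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
KG 31.186.54.5:40500 udp
IR 77.42.78.120:40500 tcp
IR 80.210.24.47:40500 udp
KZ 92.47.35.158:40500 tcp
KZ 92.47.35.158:40500 udp
AZ 109.127.17.122:40500 udp
""".splitlines()

# Report row format: "<CC> <ip>:<port> [<domain>] <tcp|udp>"; the domain column is absent
# for bare connections and is the IP literal itself for the port-80 traffic.
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Assumption: domains the analyst treats as sandbox/OS background noise.
ALLOWLIST = {"www.update.microsoft.com"}
# Assumption: minimum distinct peers on one port before it counts as fan-out.
FANOUT_MIN_PEERS = 5


def parse_network(rows):
    conns = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            conn = m.groupdict()
            conn["port"] = int(conn["port"])
            conns.append(conn)
    return conns


def is_noise(conn):
    return conn["domain"] in ALLOWLIST


def port_summary(conns):
    """port -> (distinct destination IPs, distinct countries), noise excluded."""
    ips, countries = defaultdict(set), defaultdict(set)
    for c in conns:
        if not is_noise(c):
            ips[c["port"]].add(c["ip"])
            countries[c["port"]].add(c["cc"])
    return {p: (len(ips[p]), len(countries[p])) for p in ips}


def fanout_ports(conns):
    return {p for p, (n_ips, _) in port_summary(conns).items() if n_ips >= FANOUT_MIN_PEERS}


def candidate_c2(conns):
    """Destinations contacted more than once on a port that is not a fan-out port."""
    noisy = fanout_ports(conns)
    hits = Counter(f"{c['ip']}:{c['port']}" for c in conns
                   if not is_noise(c) and c["port"] not in noisy)
    return sorted(dest for dest, n in hits.items() if n >= 2)


def shared_destinations(conns_a, conns_b):
    """ip:port pairs seen in both detonations (noise excluded): stable pivots."""
    def dests(conns):
        return {f"{c['ip']}:{c['port']}" for c in conns if not is_noise(c)}
    return dests(conns_a) & dests(conns_b)


if __name__ == "__main__":
    b1, b2 = parse_network(BEHAVIORAL1_ROWS), parse_network(BEHAVIORAL2_ROWS)
    for name, conns in (("behavioral1", b1), ("behavioral2", b2)):
        print(name, "ports:", port_summary(conns), "fan-out:", fanout_ports(conns), "C2:", candidate_c2(conns))
    print("shared:", sorted(shared_destinations(b1, b2)))
```

Keying the repeat count on ip:port without the protocol, while excluding fan-out ports, keeps the 40500 peer that behavioral2 tried over both TCP and UDP (92.47.35.158) out of the C2 list; on this sample both runs yield 185.215.113.66:80 as the only candidate and share exactly two destinations, that C2 and the 40500 peer 109.127.17.122.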

Files

C:\Users\Admin\AppData\Local\Temp\2293823999.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/2408-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2293823999.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/4360-135-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f