Malware Analysis Report

2024-11-13 15:39

Sample ID: 220823-gs8zwsdcg2
Target: tmp
SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
Tags: phorphiex evasion loader persistence trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex

Phorphiex family

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-23 06:05

Signatures

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-23 06:05
Reported: 2022-08-23 06:07
Platform: win7-20220812-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan

These values sit under the legacy Windows Security Center key: the *Override values tell Security Center to stop monitoring that category (firewall, antivirus, updates) and the *DisableNotify values silence its alerts. The Wow6432Node segment shows a 32-bit process whose writes the WOW64 registry redirector sent to the 32-bit view of HKLM\SOFTWARE; when hunting on 64-bit hosts, check both the native path and the Wow6432Node path.

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\226344364.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |

Windows security modification

evasion trojan

The same Security Center writes, reported under a second, overlapping signature; this view also records AntiSpywareOverride, for seven values in total.

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |

Adds Run key to start application

persistence

The Run entry is written under HKLM (again through the 32-bit view), so it is machine-wide and runs at every user's logon. The value name "Windows Settings" and the payload location directly in C:\Windows give the entry an OS-like appearance; the original sample (tmp.exe) writes it, pointing at its own copy.

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |

Processes

Image, followed by its command line:

C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\winrecsv.exe
    C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\226344364.exe
    C:\Users\Admin\AppData\Local\Temp\226344364.exe

Network

After DNS via 8.8.8.8 and an HTTP connection to www.update.microsoft.com, the sample connects twice to 185.215.113.66 on port 80 and then to 24 distinct hosts in 12 countries on port 40500, 19 over UDP and 5 over TCP, all within the 150-second run. One fixed destination port reached across that many unrelated networks is the pattern behind the worm tag and the most useful network indicator in this run. None of the port-40500 peers recurs in the Windows 10 run (behavioral2), while 185.215.113.66 does, so alert on the port fan-out rather than on the peer addresses.

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| KZ | 95.56.89.135:40500 | | udp |
| UZ | 217.30.170.20:40500 | | tcp |
| AZ | 37.114.148.123:40500 | | udp |
| SY | 77.44.204.175:40500 | | tcp |
| SD | 41.209.100.250:40500 | | udp |
| AZ | 94.20.233.229:40500 | | udp |
| IR | 37.202.193.253:40500 | | udp |
| IR | 77.42.75.249:40500 | | udp |
| US | 69.67.151.23:40500 | | udp |
| UZ | 213.230.90.222:40500 | | tcp |
| IR | 2.191.224.121:40500 | | udp |
| PK | 182.183.161.108:40500 | | udp |
| YE | 178.130.81.42:40500 | | udp |
| AO | 129.122.185.144:40500 | | udp |
| RU | 79.111.44.114:40500 | | tcp |
| IR | 80.210.26.209:40500 | | udp |
| UZ | 62.209.138.180:40500 | | udp |
| IR | 94.183.25.56:40500 | | udp |
| IN | 45.248.160.159:40500 | | udp |
| RU | 109.161.23.103:40500 | | udp |
| UZ | 87.237.238.71:40500 | | tcp |
| IR | 5.75.125.149:40500 | | udp |
| SY | 185.199.246.61:40500 | | udp |
| YE | 110.238.47.124:40500 | | udp |

Files

memory/1740-54-0x0000000075481000-0x0000000075483000-memory.dmp

memory/1988-55-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

Identical MD5, SHA1, SHA256 and SHA512 to the submitted sample: the dropper copies itself into the Windows directory under this name, and the Security Center and Run key writes above come from that copy.

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

\Users\Admin\AppData\Local\Temp\226344364.exe

A second executable, distinct from the sample, dropped under a numeric file name. The Windows 10 run (behavioral2) drops the same bytes as 1773728991.exe, so the name is generated per run and the hashes are the stable indicator.

MD5 993e88729b527427ce0d194699fe1884
SHA1 70cd07b4d9ca59792a8b278a33836a408039ac92
SHA256 7b9a5a18cae6d0022144205d19c3d250c8f21093f7ce97d6f0d4e3a3703e8c39
SHA512 736ccce6e381e95747624f6596b96a179e42e26f955bc5cc5362d39f1e0ca091a1e754717a490583e7d46928e1a288f0ce986b40c7ae7558e3be24ff24d0786a

memory/892-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-23 06:05
Reported: 2022-08-23 06:07
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1773728991.exe | N/A |

Windows security modification

evasion trojan

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
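The registry indicators in the "Windows security bypass", "Windows security modification" and "Adds Run key to start application" tables above, which the behavioral1 run reports identically, reduce to two detectable behaviours: Security Center override or notification values set to 1, and an HKLM Run entry pointing at an executable dropped directly into C:\Windows. The Python below is an added example, not part of the sandbox report: it applies both checks to constructed records shaped like Sysmon Event ID 13 (RegistryEvent SetValue) after JSON forwarding, ignores the benign noise mixed in, and accepts both the native and the Wow6432Node paths. The field names EventID, Image, TargetObject and Details are assumptions about the forwarder's schema.

```python
"""Flag the registry behaviour in the report's 'Windows security bypass',
'Windows security modification' and 'Adds Run key' signatures.

Added example, not part of the sandbox report. Input events are constructed
in the shape of Sysmon Event ID 13 (RegistryEvent SetValue) after JSON
forwarding; the field names EventID/Image/TargetObject/Details are assumed.
"""
import re
from dataclasses import dataclass

# Legacy Security Center values: *Override stops monitoring of a category,
# *DisableNotify silences its alerts. All seven appear in the report.
SECURITY_CENTER_VALUES = {
    "FirewallOverride", "FirewallDisableNotify",
    "AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
    "UpdatesOverride", "UpdatesDisableNotify",
}
_SC_VALUES_LC = {v.lower() for v in SECURITY_CENTER_VALUES}

# Both registry views: the report shows a 32-bit process whose writes were
# redirected into Wow6432Node, but a 64-bit dropper would hit the native path.
_HKLM_SW = r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\"
_SEC_CENTER_RE = re.compile(_HKLM_SW + r"SECURITY CENTER\\([^\\]+)$", re.IGNORECASE)
_RUN_KEY_RE = re.compile(_HKLM_SW + r"WINDOWS\\CURRENTVERSION\\RUN\\([^\\]+)$", re.IGNORECASE)
# An autostart value pointing straight into %SystemRoot% (not System32),
# as with "C:\\Windows\\winrecsv.exe". Tolerates single or doubled backslashes.
_WINDIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\{1,2}Windows\\{1,2}[^\\]+\.exe"?$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    details: str


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' or a bare integer; None otherwise."""
    m = re.fullmatch(r"(?:DWORD|QWORD)\s*\(0x([0-9A-Fa-f]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip())
    except ValueError:
        return None


def analyse_registry_events(events):
    """Return one Finding per SetValue event matching either behaviour."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # only SetValue events carry the data
            continue
        target, details = ev["TargetObject"], str(ev.get("Details", ""))
        m = _SEC_CENTER_RE.match(target)
        if m and m.group(1).lower() in _SC_VALUES_LC and dword_value(details) == 1:
            findings.append(Finding("security_center_override", ev["Image"], target, details))
            continue
        m = _RUN_KEY_RE.match(target)
        if m and _WINDIR_EXE_RE.match(details.strip()):
            findings.append(Finding("run_key_windir_exe", ev["Image"], target, details))
    return findings


# Constructed events modelled on the report's indicator rows, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\winrecsv.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\winrecsv.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify",
     "Details": "1"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "Details": r'"C:\\Windows\\winrecsv.exe"'},
    # benign: a value reset to 0, a Run entry outside %SystemRoot%, a CreateKey event
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
    {"EventID": 12, "Image": r"C:\Windows\winrecsv.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "Details": ""},
]

if __name__ == "__main__":
    for f in analyse_registry_events(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.image} -> {f.target} = {f.details}")
```

Running it against SAMPLE_EVENTS yields two security_center_override findings for winrecsv.exe and one run_key_windir_exe finding for tmp.exe; the reset-to-0 write, the Program Files autostart and the CreateKey event produce nothing. The value check deliberately requires 1 rather than any non-zero write so that a product's own cleanup (setting the values back to 0) does not fire.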

Processes

Image, followed by its command line:

C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\winrecsv.exe
    C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\1773728991.exe
    C:\Users\Admin\AppData\Local\Temp\1773728991.exe

Network

Same shape as the Windows 7 run: two HTTP connections to 185.215.113.66, then 30 distinct hosts in 10 countries on port 40500, none of them seen in behavioral1. 10.230.26.38 is RFC 1918 private address space, hence no country; it is a sandbox-local artefact of the same fan-out and not a shareable indicator. The connections to 104.80.225.205:443, 20.44.10.122:443 and 93.184.221.240:80 carry no domain attribution in this report and cannot be tied to the sample from it alone; a Windows 10 image produces background traffic of its own, so corroborate before listing them as indicators.

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 104.80.225.205:443 | | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| AO | 129.122.240.29:40500 | | udp |
| AO | 129.122.240.16:40500 | | tcp |
| US | 20.44.10.122:443 | | tcp |
| UZ | 213.230.126.103:40500 | | udp |
| UZ | 217.30.160.221:40500 | | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| IR | 188.158.137.233:40500 | | udp |
| RU | 46.42.62.168:40500 | | udp |
| MX | 187.235.170.229:40500 | | udp |
| HK | 74.119.193.54:40500 | | tcp |
| MX | 189.129.240.163:40500 | | udp |
| ID | 111.94.66.27:40500 | | tcp |
| N/A | 10.230.26.38:40500 | | udp |
| US | 69.67.151.122:40500 | | udp |
| UZ | 92.38.55.92:40500 | | udp |
| YE | 134.35.201.236:40500 | | udp |
| IR | 185.214.37.104:40500 | | udp |
| RU | 2.94.30.95:40500 | | udp |
| MX | 187.205.140.68:40500 | | tcp |
| IR | 5.235.19.14:40500 | | udp |
| IR | 31.56.12.211:40500 | | udp |
| RU | 176.194.22.84:40500 | | udp |
| IR | 185.206.236.171:40500 | | udp |
| UZ | 195.158.22.11:40500 | | udp |
| YE | 134.35.117.27:40500 | | tcp |
| IR | 188.211.85.37:40500 | | udp |
| MX | 201.152.120.96:40500 | | udp |
| IR | 37.202.252.100:40500 | | udp |
| IR | 46.100.77.114:40500 | | udp |
| UZ | 217.30.171.221:40500 | | tcp |
| KZ | 37.151.55.29:40500 | | udp |
| N/A | 2.180.53.112:40500 | | udp |
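The Network tables of both runs share one shape: a couple of HTTP connections to 185.215.113.66, some Microsoft traffic, and a burst of connections to dozens of unrelated hosts on a single port, 40500. The Python below is an added example, not part of the sandbox report: it parses the flattened table rows as the report prints them (the behavioral2 rows are embedded verbatim), reports ports with fan-out across many hosts and countries, separates non-routable destinations such as 10.230.26.38, and lists repeated TCP contacts outside the fan-out port as leads to corroborate. The thresholds and the Microsoft-domain exclusion are assumptions.

```python
"""Summarise a sandbox network table and flag single-port fan-out.

Added example, not part of the sandbox report. NETWORK_ROWS is the behavioral2
Network table of this report copied verbatim (behavioral1 has the same shape);
the thresholds and the Microsoft-domain exclusion below are assumptions.
"""
import ipaddress
from collections import Counter, defaultdict

NETWORK_ROWS = """\
NL 104.80.225.205:443 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
AO 129.122.240.29:40500 udp
AO 129.122.240.16:40500 tcp
US 20.44.10.122:443 tcp
UZ 213.230.126.103:40500 udp
UZ 217.30.160.221:40500 udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
IR 188.158.137.233:40500 udp
RU 46.42.62.168:40500 udp
MX 187.235.170.229:40500 udp
HK 74.119.193.54:40500 tcp
MX 189.129.240.163:40500 udp
ID 111.94.66.27:40500 tcp
N/A 10.230.26.38:40500 udp
US 69.67.151.122:40500 udp
UZ 92.38.55.92:40500 udp
YE 134.35.201.236:40500 udp
IR 185.214.37.104:40500 udp
RU 2.94.30.95:40500 udp
MX 187.205.140.68:40500 tcp
IR 5.235.19.14:40500 udp
IR 31.56.12.211:40500 udp
RU 176.194.22.84:40500 udp
IR 185.206.236.171:40500 udp
UZ 195.158.22.11:40500 udp
YE 134.35.117.27:40500 tcp
IR 188.211.85.37:40500 udp
MX 201.152.120.96:40500 udp
IR 37.202.252.100:40500 udp
IR 46.100.77.114:40500 udp
UZ 217.30.171.221:40500 tcp
KZ 37.151.55.29:40500 udp
N/A 2.180.53.112:40500 udp
"""

def parse_rows(text):
    """Parse 'COUNTRY IP:PORT [DOMAIN] PROTO' lines; the Domain column is optional."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue  # blank or malformed line
        ip, port = parts[1].rsplit(":", 1)
        flows.append({"country": parts[0], "ip": ip, "port": int(port),
                      "domain": parts[2] if len(parts) == 4 else "",
                      "proto": parts[-1].lower()})
    return flows

def fanout_by_port(flows, min_hosts=10, min_countries=5):
    """Ports reaching many distinct hosts in many countries: the peer/worm-style pattern."""
    by_port = defaultdict(lambda: {"hosts": set(), "countries": set(), "protos": set()})
    for f in flows:
        b = by_port[f["port"]]
        b["hosts"].add(f["ip"])
        b["protos"].add(f["proto"])
        if f["country"] != "N/A":  # unresolved geo must not inflate the count
            b["countries"].add(f["country"])
    return {port: {"hosts": len(b["hosts"]), "countries": len(b["countries"]),
                   "protos": sorted(b["protos"])}
            for port, b in by_port.items()
            if len(b["hosts"]) >= min_hosts and len(b["countries"]) >= min_countries}

def non_routable(flows):
    """Destinations in private/reserved space: sandbox-local, never shareable IOCs."""
    return sorted({f["ip"] for f in flows if not ipaddress.ip_address(f["ip"]).is_global})

def repeated_tcp_contacts(flows, fanout_ports, min_count=2):
    """(ip, port) hit repeatedly over TCP outside the fan-out port and Microsoft
    domains. Leads to corroborate, not verdicts: OS background traffic lands here too."""
    hits = Counter((f["ip"], f["port"]) for f in flows
                   if f["proto"] == "tcp" and f["port"] not in fanout_ports
                   and not f["domain"].lower().endswith("microsoft.com"))
    return sorted(k for k, n in hits.items() if n >= min_count)

if __name__ == "__main__":
    flows = parse_rows(NETWORK_ROWS)
    fo = fanout_by_port(flows)
    print("fan-out ports:", fo)
    print("non-routable:", non_routable(flows))
    print("repeated TCP contacts:", repeated_tcp_contacts(flows, fo))
```

On the embedded rows, fanout_by_port reports only port 40500 (30 hosts, 10 countries, both TCP and UDP), non_routable returns 10.230.26.38, and repeated_tcp_contacts returns 185.215.113.66:80 and 93.184.221.240:80. The last list is where analyst judgement starts rather than ends: the first is the host both detonations contacted, the second has no domain attribution in the report, and neither is confirmed as anything by this script.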

Files

memory/4304-132-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

Same hashes as the submitted sample, as in the Windows 7 run: a self-copy into the Windows directory.

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/2044-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1773728991.exe

Byte-identical to 226344364.exe from the Windows 7 run (same hashes); only the numeric file name differs.

MD5 993e88729b527427ce0d194699fe1884
SHA1 70cd07b4d9ca59792a8b278a33836a408039ac92
SHA256 7b9a5a18cae6d0022144205d19c3d250c8f21093f7ce97d6f0d4e3a3703e8c39
SHA512 736ccce6e381e95747624f6596b96a179e42e26f955bc5cc5362d39f1e0ca091a1e754717a490583e7d46928e1a288f0ce986b40c7ae7558e3be24ff24d0786a
