Malware Analysis Report

2024-11-13 15:39

Sample ID 220831-ahrjjaebdr
Target fe304e909fb1f67c4d9030fc74d0a2f1.exe
SHA256 a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
Tags phorphiex evasion loader persistence trojan worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96

Threat Level: Known bad

The file fe304e909fb1f67c4d9030fc74d0a2f1.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex

Windows security bypass

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-31 00:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-31 00:13

Reported

2022-08-31 00:17

Platform

win7-20220812-en

Max time kernel

168s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |

Downloads MZ/PE file

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |
| N/A | N/A | C:\Windows\winrecsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1383720200.exe | N/A |

Windows security modification

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\winrecsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\winrecsv.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |
| File opened for modification | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1224 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr |
| PID 1224 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr |
| PID 1224 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr |
| PID 1224 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe | C:\Users\Admin\AppData\Local\Temp\112782121.scr |
| PID 1404 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\112782121.scr | C:\Windows\winrecsv.exe |
| PID 1404 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\112782121.scr | C:\Windows\winrecsv.exe |
| PID 1404 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\112782121.scr | C:\Windows\winrecsv.exe |
| PID 1404 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\112782121.scr | C:\Windows\winrecsv.exe |
| PID 688 wrote to memory of 768 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\1383720200.exe |
| PID 688 wrote to memory of 768 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\1383720200.exe |
| PID 688 wrote to memory of 768 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\1383720200.exe |
| PID 688 wrote to memory of 768 | N/A | C:\Windows\winrecsv.exe | C:\Users\Admin\AppData\Local\Temp\1383720200.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe

"C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe"

C:\Users\Admin\AppData\Local\Temp\112782121.scr

C:\Users\Admin\AppData\Local\Temp\112782121.scr

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\1383720200.exe

C:\Users\Admin\AppData\Local\Temp\1383720200.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| KZ | 46.36.144.91:40500 | | tcp |
| MX | 187.154.19.149:40500 | | udp |
| IR | 31.56.12.211:40500 | | udp |
| UZ | 213.230.97.218:40500 | | udp |
| IR | 5.235.169.44:40500 | | udp |
| N/A | 100.93.129.203:40500 | | udp |
| RU | 176.194.22.84:40500 | | tcp |
| RU | 176.194.22.84:40500 | | udp |
| AO | 154.65.146.137:40500 | | udp |
| UZ | 213.230.111.166:40500 | | udp |
| IR | 78.38.107.89:40500 | | udp |
| UZ | 89.236.200.152:40500 | | udp |
| RU | 2.94.40.191:40500 | | tcp |
| UZ | 94.141.69.160:40500 | | udp |
| IR | 5.75.77.231:40500 | | udp |
| BO | 190.129.1.154:40500 | | udp |

Files

memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp

\Users\Admin\AppData\Local\Temp\112782121.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

\Users\Admin\AppData\Local\Temp\112782121.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/1404-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\112782121.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Users\Admin\AppData\Local\Temp\112782121.scr

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/688-61-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

\Users\Admin\AppData\Local\Temp\1383720200.exe

MD5 8f56f0f0c9a4aa6c0bda072d8bf7c769
SHA1 24a01d3502c3bfebfb052afadb0367b1407342ff
SHA256 4433c5f202948e0b5f5d9f4b14a423756149f9b879f5bf641ce9b8ee2cdd92a4
SHA512 8be67132df6ab80a67fa130c1bcf13519fc782c37e98553d89c847dab4b29d78c51152185776e5c7ed49bd3c3df0ff294605dd3e43cf899f4e6f295a7307a91a

memory/768-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1383720200.exe

MD5 8f56f0f0c9a4aa6c0bda072d8bf7c769
SHA1 24a01d3502c3bfebfb052afadb0367b1407342ff
SHA256 4433c5f202948e0b5f5d9f4b14a423756149f9b879f5bf641ce9b8ee2cdd92a4
SHA512 8be67132df6ab80a67fa130c1bcf13519fc782c37e98553d89c847dab4b29d78c51152185776e5c7ed49bd3c3df0ff294605dd3e43cf899f4e6f295a7307a91a

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-31 00:13

Reported

2022-08-31 00:17

Platform

win10v2004-20220812-en

Max time kernel

169s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe

"C:\Users\Admin\AppData\Local\Temp\fe304e909fb1f67c4d9030fc74d0a2f1.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 178.79.208.1:80 | | tcp |
| RU | 185.215.113.66:80 | | tcp |
| US | 13.89.179.8:443 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| NL | 87.248.202.1:80 | | tcp |

Files

N/A