Malware Analysis Report

2024-11-13 15:39

Sample ID 220906-gla5aafhe3
Target 96de9c78028eaec7cd06d8e3e755ffc4.exe
SHA256 d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f
Tags
phorphiex evasion loader persistence trojan worm
score
10/10


Analysis Overview

Threat Level: Known bad

The file 96de9c78028eaec7cd06d8e3e755ffc4.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Windows security bypass

Phorphiex family

Phorphiex

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-06 05:53

Signatures

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-06 05:53

Reported

2022-09-06 05:55

Platform

win7-20220812-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winuedrvs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winuedrvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\256665331.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\170985474.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\winuedrvs.exe N/A
N/A N/A C:\Windows\winuedrvs.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winuedrvs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winuedrvs.exe" C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winuedrvs.exe C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe N/A
File created C:\Windows\winuedrvs.exe C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe

"C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe"

C:\Windows\winuedrvs.exe

C:\Windows\winuedrvs.exe

C:\Users\Admin\AppData\Local\Temp\256665331.exe

C:\Users\Admin\AppData\Local\Temp\256665331.exe

C:\Users\Admin\AppData\Local\Temp\170985474.exe

C:\Users\Admin\AppData\Local\Temp\170985474.exe

Network


Files

C:\Windows\winuedrvs.exe

MD5 96de9c78028eaec7cd06d8e3e755ffc4
SHA1 612d1261bce41723b0a981c92bf9f186c9d46fe2
SHA256 d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f
SHA512 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f

\Users\Admin\AppData\Local\Temp\256665331.exe

MD5 69171b8026f4437ea72ce1f37a22ca27
SHA1 6f8cffe2a8bdcb4f3955816e2b524cd7847be9eb
SHA256 368c0f5e42a73e655f18a564b7e6cd53ca4ef702108c08b59f3fa819faec4655
SHA512 66e93474c01a3cb01e17ea142f0ff07664738c5cf944b7352ef2955c2a084529884292cb8921a32207e8b78fb7ca6ae7d5ae6a8d84447d6c8a1cc38d1d9782ae

\Users\Admin\AppData\Local\Temp\170985474.exe

MD5 ca7b8f20e45e2e40f30cea521e1c6490
SHA1 49e227b0a5d8bb8b37efbd2bbfd3cbeb4fbbd984
SHA256 62a26c3f4e3e1f469e06d2d9d14da3bbe49d80363753bddf2f23862c8e91784c
SHA512 2db1a78ac144bf09825ade6be684cc381b09e3cf6a8a5eeab1b09eb57a42bd4481ec8d7974e7592638b75be1c85216485844cc080bb5b81893c6aee3addafff9

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-06 05:53

Reported

2022-09-06 05:55

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winuedrvs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winuedrvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\89464612.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662825328.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winuedrvs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winuedrvs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winuedrvs.exe" C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winuedrvs.exe C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe N/A
File opened for modification C:\Windows\winuedrvs.exe C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe

"C:\Users\Admin\AppData\Local\Temp\96de9c78028eaec7cd06d8e3e755ffc4.exe"

C:\Windows\winuedrvs.exe

C:\Windows\winuedrvs.exe

C:\Users\Admin\AppData\Local\Temp\89464612.exe

C:\Users\Admin\AppData\Local\Temp\89464612.exe

C:\Users\Admin\AppData\Local\Temp\662825328.exe

C:\Users\Admin\AppData\Local\Temp\662825328.exe

Network


Files

C:\Windows\winuedrvs.exe

MD5 96de9c78028eaec7cd06d8e3e755ffc4
SHA1 612d1261bce41723b0a981c92bf9f186c9d46fe2
SHA256 d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f
SHA512 5906efdbf22af2ca3dc9f75accb4bb1f50ad0ddd792a14f5f891975a8e2b5632ce9e7e0e987b216851fef66a4e9bf9c03d847631093382dae79d0d132a41264f

C:\Users\Admin\AppData\Local\Temp\89464612.exe

MD5 69171b8026f4437ea72ce1f37a22ca27
SHA1 6f8cffe2a8bdcb4f3955816e2b524cd7847be9eb
SHA256 368c0f5e42a73e655f18a564b7e6cd53ca4ef702108c08b59f3fa819faec4655
SHA512 66e93474c01a3cb01e17ea142f0ff07664738c5cf944b7352ef2955c2a084529884292cb8921a32207e8b78fb7ca6ae7d5ae6a8d84447d6c8a1cc38d1d9782ae

C:\Users\Admin\AppData\Local\Temp\662825328.exe

MD5 ca7b8f20e45e2e40f30cea521e1c6490
SHA1 49e227b0a5d8bb8b37efbd2bbfd3cbeb4fbbd984
SHA256 62a26c3f4e3e1f469e06d2d9d14da3bbe49d80363753bddf2f23862c8e91784c
SHA512 2db1a78ac144bf09825ade6be684cc381b09e3cf6a8a5eeab1b09eb57a42bd4481ec8d7974e7592638b75be1c85216485844cc080bb5b81893c6aee3addafff9
