phorphiex | 6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a

General

Target

6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe
Size

802KB
MD5

dd1393f2f8821ee970384d48acf87f9d
SHA1

5c232f56f7431642ecfe8a2c55bf6d8214f735ff
SHA256

6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a
SHA512

2425a7343d6ae8f9b8abef4cdf0a5a1b3e3972cd7770b1764bdd840054a29fe07b84551c562276652078733f82f9d71b91f67c49f3016a7e8b2c41ba3537d4e7
SSDEEP

24576:QTYjc23RnYVt3dhgdQZ2KTKK4KKDyK5FZ1EEEEmEEE1EEEEEEEEEEElKK1KKK1KZ:823lqVdurKTKK4KKDyK5FZ1EEEEmEEEc

Score

10^/10

phorphiex discovery loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
753f85d83d
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023cc6-11.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 3 IoCs

flow	pid	Process
1	1340	6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe
32	2368	C8AF.exe
34	4756	Process not Found

Executes dropped EXE 5 IoCs

pid	Process
2368	C8AF.exe
4944	2694716634.exe
1756	sysnldcvmr.exe
1232	1965422062.exe
4736	sysnldcvmr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	2694716634.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	1965422062.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	1965422062.exe
File created	C:\Windows\sysnldcvmr.exe	2694716634.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	2694716634.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C8AF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2694716634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1965422062.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2184	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2368	1340	6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe	89
PID 1340 wrote to memory of 2368	1340	6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe	89
PID 1340 wrote to memory of 2368	1340	6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe	89
PID 2368 wrote to memory of 4944	2368	C8AF.exe	96
PID 2368 wrote to memory of 4944	2368	C8AF.exe	96
PID 2368 wrote to memory of 4944	2368	C8AF.exe	96
PID 4944 wrote to memory of 1756	4944	2694716634.exe	97
PID 4944 wrote to memory of 1756	4944	2694716634.exe	97
PID 4944 wrote to memory of 1756	4944	2694716634.exe	97
PID 1756 wrote to memory of 1232	1756	sysnldcvmr.exe	101
PID 1756 wrote to memory of 1232	1756	sysnldcvmr.exe	101
PID 1756 wrote to memory of 1232	1756	sysnldcvmr.exe	101
PID 1232 wrote to memory of 4736	1232	1965422062.exe	102
PID 1232 wrote to memory of 4736	1232	1965422062.exe	102
PID 1232 wrote to memory of 4736	1232	1965422062.exe	102

C:\Users\Admin\AppData\Local\Temp\6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe
"C:\Users\Admin\AppData\Local\Temp\6ba056346e0138771d37ff15b45316335e0204d1658c530007cbd737ec5f9c5a.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\C8AF.exe
  "C:\Users\Admin\AppData\Local\Temp\C8AF.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\2694716634.exe
    C:\Users\Admin\AppData\Local\Temp\2694716634.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\1965422062.exe
        
        C:\Users\Admin\AppData\Local\Temp\1965422062.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Users\Admin\sysnldcvmr.exe
        
        C:\Users\Admin\sysnldcvmr.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Rjg4QUEyRkUtRTFBRi00OTIzLUI3RTAtMDU5RTlENDhCNjZCfSIgdXNlcmlkPSJ7ODI1MTRFMDEtNDFBQS00MjNCLUJBNzItMEE3Q0ZGRDI2MTI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUJBNDNGNDAtNzZERS00QTBGLUE3QjctRjE5RTkzMzgzQjIxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTQzODQzNTQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2694716634.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8AF.exe

Filesize
10KB

MD5
8ce09f13942ab5bcb81b175996c8385f

SHA1
6fa685d66ac5fff4e9d984dc1903c47a1a6b6cbd

SHA256
757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d

SHA512
11ae4651b3dd55355b2cb7bf2f6b042dea47bb895f898d967d63ee652652c633cc5becf31cb2fd7f8797b238b264195d09d4e08211b797eae29e2a7bb31b277f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads