phorphiex | c75be2d531ce0787f4237d66fe0b6fffb2002d9c2981beb9ce6a9f7f9756e850

General

Target

2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe
Size

253KB
MD5

389adf5a47aaa124f28aa4e4d6bedc8a
SHA1

877ad31f6c46999e9acdd357e3f6aaf0b758960a
SHA256

c75be2d531ce0787f4237d66fe0b6fffb2002d9c2981beb9ce6a9f7f9756e850
SHA512

4d4bcca9e43125eb769545ab9d3e14fd02009de6cb86c73cdccefa696de636ad093cf53a1f62c8fccf698509bf98d089c7923b8df61e8566ef1cc526f09ba99e
SSDEEP

6144:ac1dj9gS7KXjnFiAElyHjvz0XQLJaLkjeJ6V9uzCupN4:x1sS7KXjnFiAEoHjg6J/V92PN4

Score

10^/10

phorphiex discovery loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://91.202.233.141/

http://45.93.20.18/

http://185.215.113.66/

Wallets

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0xCa90599132C4D88907Bd8E046540284aa468a035

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
k993947s89
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e725-10.dat	family_phorphiex
behavioral2/files/0x00070000000216e4-35.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 2 IoCs

flow	pid	Process
31	4348	7251.exe
1	4512	2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe

Executes dropped EXE 5 IoCs

pid	Process
4348	7251.exe
4776	10462418.exe
4780	sysludpvs.exe
3564	17564030.exe
1560	sysldrpsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysludpvs.exe"	10462418.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysldrpsv.exe"	17564030.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysludpvs.exe	10462418.exe
File created	C:\Windows\sysldrpsv.exe	17564030.exe
File opened for modification	C:\Windows\sysldrpsv.exe	17564030.exe
File created	C:\Windows\sysludpvs.exe	10462418.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17564030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysldrpsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10462418.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysludpvs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4348	4512	2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe	85
PID 4512 wrote to memory of 4348	4512	2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe	85
PID 4512 wrote to memory of 4348	4512	2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe	85
PID 4348 wrote to memory of 4776	4348	7251.exe	93
PID 4348 wrote to memory of 4776	4348	7251.exe	93
PID 4348 wrote to memory of 4776	4348	7251.exe	93
PID 4776 wrote to memory of 4780	4776	10462418.exe	94
PID 4776 wrote to memory of 4780	4776	10462418.exe	94
PID 4776 wrote to memory of 4780	4776	10462418.exe	94
PID 4780 wrote to memory of 3564	4780	sysludpvs.exe	108
PID 4780 wrote to memory of 3564	4780	sysludpvs.exe	108
PID 4780 wrote to memory of 3564	4780	sysludpvs.exe	108
PID 3564 wrote to memory of 1560	3564	17564030.exe	109
PID 3564 wrote to memory of 1560	3564	17564030.exe	109
PID 3564 wrote to memory of 1560	3564	17564030.exe	109

C:\Users\Admin\AppData\Local\Temp\2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-10_389adf5a47aaa124f28aa4e4d6bedc8a_cobalt-strike_ryuk.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\7251.exe
  "C:\Users\Admin\AppData\Local\Temp\7251.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\10462418.exe
    C:\Users\Admin\AppData\Local\Temp\10462418.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\sysludpvs.exe
      C:\Windows\sysludpvs.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\17564030.exe
        
        C:\Users\Admin\AppData\Local\Temp\17564030.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\sysldrpsv.exe
        
        C:\Windows\sysldrpsv.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10462418.exe

Filesize
87KB

MD5
87dce6b601da9e68982ef5bc7628468c

SHA1
48b0e84e5749bd48b282ae1b7597094aa2a5cdf9

SHA256
2246262e2df5b143d4bff663aceb85d7633ebcb91f2f641c2ab7936c942a8eb2

SHA512
94cb5e917716db718e3c912e52976f321afa15aa8a533f6930585f5cc878d7edc434ebdea0eb1ec26ec3d79797304bdcb9cfaec62e472872036fc9320e047ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\17564030.exe

Filesize
82KB

MD5
a7137a73c34613cb94adc22bc5b63cdf

SHA1
5cc92ccd93bcbe1867f70ca546b5a236d8ffc3ba

SHA256
2a496e38b9d4365ab97ee156811ab3d160369c69bf1a3987293411fe7f86147f

SHA512
935e387806dbdb2019d82db22f3d3ba6eec231e65ce8ee0b71696c14cc43ef4e954e6310780f021b6eb2a6239f7b29902482f711b14c2536e8716d1dd504639a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7251.exe

Filesize
10KB

MD5
4c52cf849be8954638925c242e0cc976

SHA1
949ba0061ea9dbe3b9059bb2a7b20caa74861280

SHA256
fa6fcf2e154c0b18b12ab86267ccd38d79cc9c27e7e261a7e9201a0a9dd9d0bb

SHA512
c11572dcd274bdcb5e94cf38ec36aa65e4d5605df250ee8887cd5098b044e3e2e71be3b3292118b967e27bc752b5cf5d9c8da5ac2834b7c156302c307abe123b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads