phorphiex | 20b054f155ba8887b61e3e1154b97882fd98cfcd4961ccf954673e7379bc663a

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

twizt.exe
Size

88KB
MD5

4505daf4c08fc8e8e1380911e98588aa
SHA1

d990eb1b2ccbb71c878944be37923b1ebd17bc72
SHA256

a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40
SHA512

bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec
SSDEEP

1536:yL0IGzbFmav82XwudP6+0MTqEjXm/D5AKHK:+0poOfP6+JuEjaaKHK

Score

10^/10

phorphiex loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
55a4er5wo
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Phorphiex payload 1 IoCs

Processes:

resource yara_rule

C:\Windows\sysmablsvr.exe family_phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Executes dropped EXE 1 IoCs

Processes:

sysmablsvr.exe

pid process

3552 sysmablsvr.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

twizt.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe" twizt.exe
Drops file in Windows directory 2 IoCs

Processes:

twizt.exe

description ioc process

File created C:\Windows\sysmablsvr.exe twizt.exe
File opened for modification C:\Windows\sysmablsvr.exe twizt.exe

resource	yara_rule
C:\Windows\sysmablsvr.exe	family_phorphiex

pid	process
3552	sysmablsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	twizt.exe

description	ioc	process
File created	C:\Windows\sysmablsvr.exe	twizt.exe
File opened for modification	C:\Windows\sysmablsvr.exe	twizt.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

twizt.exe

description	pid	process	target process
PID 3292 wrote to memory of 3552	3292	twizt.exe	sysmablsvr.exe
PID 3292 wrote to memory of 3552	3292	twizt.exe	sysmablsvr.exe
PID 3292 wrote to memory of 3552	3292	twizt.exe	sysmablsvr.exe

C:\Users\Admin\AppData\Local\Temp\twizt.exe
"C:\Users\Admin\AppData\Local\Temp\twizt.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\sysmablsvr.exe
C:\Windows\sysmablsvr.exe
2⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sysmablsvr.exe
Filesize
88KB

MD5
4505daf4c08fc8e8e1380911e98588aa

SHA1
d990eb1b2ccbb71c878944be37923b1ebd17bc72

SHA256
a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40

SHA512
bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec

Download Submit