Analysis
-
max time kernel
151s -
max time network
128s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:40
General
-
Target
sphinx_1.0.1.3.vir.exe
-
Size
1.5MB
-
MD5
b7e49c14c005991da635005f6022167d
-
SHA1
6e169aa8cb0ee6535fcb552706767554d785bcb9
-
SHA256
99429e0d24148741ba7b04a8acceb7177ee27a1c3ff6c2dd7f324a937094e270
-
SHA512
d786fa1f35262ad880b86c138419e3882c58a21efcb90376dc92fe85abce3fbfda3850792b4e55207fcb1c0ee9e8963be31d9e1fc3d66f7fc36bee95a3eae2dd
Score
8/10
Malware Config
Signatures
-
NSIS installer 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 98 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 214 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
NTFS ADS 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exeC:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.3.vir.exe3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe" socksParentProxy=localhost:90504⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Kayh\efis.exe"C:\Users\Admin\AppData\Roaming\Kayh\efis.exe"4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Kayh\efis.exeC:\Users\Admin\AppData\Roaming\Kayh\efis.exe5⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp21c02f30.bat"4⤵
- Deletes itself
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "206245032-14744342218195546971787629979-1527770384-1797371795-1395956770543209654"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-591606223-191009720697424461156361991-894606864-559210712-412874533679998254"1⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of SetWindowsHookEx
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp21c02f30.bat
-
C:\Users\Admin\AppData\Roaming\Dhaka
-
C:\Users\Admin\AppData\Roaming\Kayh\efis.exe
-
C:\Users\Admin\AppData\Roaming\Kayh\efis.exe
-
C:\Users\Admin\AppData\Roaming\Kayh\efis.exe
-
C:\Users\Admin\AppData\Roaming\LorikeetPhonograph
-
C:\Users\Admin\AppData\Roaming\System.dll
-
C:\Users\Admin\AppData\Roaming\coagulants.dll
-
C:\debug.txt
-
C:\debug.txt
-
C:\debug.txt
-
C:\debug.txt
-
C:\debug.txt
-
\Users\Admin\AppData\Roaming\Kayh\efis.exe
-
\Users\Admin\AppData\Roaming\System.dll
-
\Users\Admin\AppData\Roaming\System.dll
-
\Users\Admin\AppData\Roaming\coagulants.dll
-
\Users\Admin\AppData\Roaming\coagulants.dll
-
memory/748-10-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/748-8-0x0000000000401130-mapping.dmp
-
memory/748-7-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/748-433-0x0000000000401130-mapping.dmp
-
memory/800-18-0x0000000003120000-0x0000000003131000-memory.dmpFilesize
68KB
-
memory/800-11-0x0000000000400000-0x00000000007A5000-memory.dmpFilesize
3.6MB
-
memory/800-5-0x0000000000400000-0x00000000007A5000-memory.dmpFilesize
3.6MB
-
memory/800-105-0x0000000003120000-0x0000000003131000-memory.dmpFilesize
68KB
-
memory/800-107-0x0000000003530000-0x0000000003541000-memory.dmpFilesize
68KB
-
memory/800-108-0x0000000003120000-0x0000000003131000-memory.dmpFilesize
68KB
-
memory/800-13-0x0000000003120000-0x0000000003131000-memory.dmpFilesize
68KB
-
memory/800-15-0x0000000003530000-0x0000000003541000-memory.dmpFilesize
68KB
-
memory/800-6-0x00000000007A34B0-mapping.dmp
-
memory/800-9-0x0000000000400000-0x00000000007A5000-memory.dmpFilesize
3.6MB
-
memory/800-405-0x00000000007A34B0-mapping.dmp
-
memory/1400-14-0x0000000000000000-mapping.dmp
-
memory/1416-4-0x0000000000400000-0x000000000058F000-memory.dmpFilesize
1.6MB
-
memory/1416-3-0x000000000041E945-mapping.dmp
-
memory/1416-2-0x0000000000400000-0x000000000058F000-memory.dmpFilesize
1.6MB
-
memory/1528-403-0x0000000000000000-mapping.dmp
-
memory/1796-418-0x0000000003AD0000-0x0000000003AD2000-memory.dmpFilesize
8KB
-
memory/1796-439-0x0000000004540000-0x0000000004542000-memory.dmpFilesize
8KB
-
memory/1796-413-0x0000000003880000-0x0000000003A80000-memory.dmpFilesize
2.0MB
-
memory/1796-419-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/1796-420-0x0000000003AF0000-0x0000000003AF2000-memory.dmpFilesize
8KB
-
memory/1796-421-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/1796-422-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/1796-423-0x0000000003B40000-0x0000000003B42000-memory.dmpFilesize
8KB
-
memory/1796-424-0x0000000003AE0000-0x0000000003AE2000-memory.dmpFilesize
8KB
-
memory/1796-425-0x0000000004060000-0x0000000004062000-memory.dmpFilesize
8KB
-
memory/1796-426-0x0000000003F80000-0x0000000003F82000-memory.dmpFilesize
8KB
-
memory/1796-427-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/1796-428-0x0000000003FA0000-0x0000000003FA2000-memory.dmpFilesize
8KB
-
memory/1796-429-0x0000000003F90000-0x0000000003F92000-memory.dmpFilesize
8KB
-
memory/1796-430-0x0000000003F80000-0x0000000003F82000-memory.dmpFilesize
8KB
-
memory/1796-431-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/1796-412-0x0000000003880000-0x0000000003980000-memory.dmpFilesize
1024KB
-
memory/1796-410-0x0000000003880000-0x0000000003A80000-memory.dmpFilesize
2.0MB
-
memory/1796-408-0x0000000003880000-0x0000000003980000-memory.dmpFilesize
1024KB
-
memory/1796-435-0x0000000003FB0000-0x0000000003FB2000-memory.dmpFilesize
8KB
-
memory/1796-436-0x0000000004070000-0x0000000004072000-memory.dmpFilesize
8KB
-
memory/1796-437-0x00000000044A0000-0x00000000044A2000-memory.dmpFilesize
8KB
-
memory/1796-438-0x00000000044B0000-0x00000000044B2000-memory.dmpFilesize
8KB
-
memory/1796-414-0x0000000003980000-0x0000000003A80000-memory.dmpFilesize
1024KB
-
memory/1796-440-0x0000000004560000-0x0000000004562000-memory.dmpFilesize
8KB
-
memory/1796-441-0x0000000004580000-0x0000000004582000-memory.dmpFilesize
8KB
-
memory/1796-442-0x0000000004590000-0x0000000004592000-memory.dmpFilesize
8KB
-
memory/1796-443-0x00000000045A0000-0x00000000045A2000-memory.dmpFilesize
8KB
-
memory/1796-444-0x00000000045B0000-0x00000000045B2000-memory.dmpFilesize
8KB
-
memory/1796-445-0x0000000004640000-0x0000000004642000-memory.dmpFilesize
8KB
-
memory/1796-446-0x0000000004BE0000-0x0000000004BE2000-memory.dmpFilesize
8KB
-
memory/1796-447-0x0000000004BD0000-0x0000000004BD2000-memory.dmpFilesize
8KB
-
memory/1796-448-0x0000000004BC0000-0x0000000004BC2000-memory.dmpFilesize
8KB
-
memory/1796-449-0x0000000004BB0000-0x0000000004BB2000-memory.dmpFilesize
8KB
-
memory/1796-450-0x0000000003D60000-0x0000000003D62000-memory.dmpFilesize
8KB
-
memory/1796-451-0x0000000003F30000-0x0000000003F32000-memory.dmpFilesize
8KB
-
memory/1796-452-0x0000000004150000-0x0000000004152000-memory.dmpFilesize
8KB
-
memory/1796-453-0x0000000004160000-0x0000000004162000-memory.dmpFilesize
8KB
-
memory/1796-454-0x0000000004170000-0x0000000004172000-memory.dmpFilesize
8KB
-
memory/1796-455-0x0000000004180000-0x0000000004182000-memory.dmpFilesize
8KB
-
memory/1796-456-0x0000000004190000-0x0000000004192000-memory.dmpFilesize
8KB
-
memory/1796-457-0x0000000003880000-0x0000000003980000-memory.dmpFilesize
1024KB
-
memory/1796-459-0x00000000023C0000-0x00000000023D0000-memory.dmpFilesize
64KB
-
memory/1796-465-0x0000000002360000-0x0000000002370000-memory.dmpFilesize
64KB
-
memory/1964-400-0x000000000041E945-mapping.dmp