b7969b30d717867cea9427b87a822d59edd94600312599cf407d0d6ec35988ed

General

Target

sphinx_1.0.1.2.vir.exe
Size

1.5MB
MD5

36bb5464092459c07fc4a5014304d072
SHA1

345864026b571328aa2deeb9c2fc62fa75e5e847
SHA256

b7969b30d717867cea9427b87a822d59edd94600312599cf407d0d6ec35988ed
SHA512

e0effbbc9f59288094e9becbdc4c40304586b45ee3d1cec1ba16e086a6754e5aa2e03b0336a9253c704581d5673d8d4dcde0a0843a08a38e77ab3489d7ac723d

Score

8^/10

upx persistence

Malware Config

Signatures

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe	nsis_installer
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe	nsis_installer

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iruxe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run	iruxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{603FEF5B-596B-F3DD-FD71-633659B03184} = "C:\\Users\\Admin\\AppData\\Roaming\\Buol\\iruxe.exe"	iruxe.exe

Loads dropped DLL 6 IoCs

Processes:

sphinx_1.0.1.2.vir.exeiruxe.exe

pid process

2532 sphinx_1.0.1.2.vir.exe
2532 sphinx_1.0.1.2.vir.exe
2532 sphinx_1.0.1.2.vir.exe
756 iruxe.exe
756 iruxe.exe
756 iruxe.exe

pid	process
2532	sphinx_1.0.1.2.vir.exe
2532	sphinx_1.0.1.2.vir.exe
2532	sphinx_1.0.1.2.vir.exe
756	iruxe.exe
756	iruxe.exe
756	iruxe.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

sphinx_1.0.1.2.vir.exeexplorer.exeiruxe.exeexplorer.exe

pid	process
2820	sphinx_1.0.1.2.vir.exe
2820	sphinx_1.0.1.2.vir.exe
2820	sphinx_1.0.1.2.vir.exe
2820	sphinx_1.0.1.2.vir.exe
2820	sphinx_1.0.1.2.vir.exe
2820	sphinx_1.0.1.2.vir.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
1056	iruxe.exe
1056	iruxe.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3768	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe
1056	iruxe.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

sphinx_1.0.1.2.vir.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeSecurityPrivilege	2820	sphinx_1.0.1.2.vir.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe
Token: SeDebugPrivilege	3768	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

iruxe.exeiruxe.exe

pid process

756 iruxe.exe
1056 iruxe.exe

pid	process
756	iruxe.exe
1056	iruxe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3768-6-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3768-10-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3768-12-0x0000000000400000-0x00000000007A5000-memory.dmp	upx

Suspicious use of WriteProcessMemory 109 IoCs

Processes:

sphinx_1.0.1.2.vir.exesphinx_1.0.1.2.vir.exeiruxe.exeiruxe.exe

description	pid	process	target process
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2532 wrote to memory of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 wrote to memory of 756	2820	sphinx_1.0.1.2.vir.exe	iruxe.exe
PID 2820 wrote to memory of 756	2820	sphinx_1.0.1.2.vir.exe	iruxe.exe
PID 2820 wrote to memory of 756	2820	sphinx_1.0.1.2.vir.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 756 wrote to memory of 1056	756	iruxe.exe	iruxe.exe
PID 2820 wrote to memory of 940	2820	sphinx_1.0.1.2.vir.exe	cmd.exe
PID 2820 wrote to memory of 940	2820	sphinx_1.0.1.2.vir.exe	cmd.exe
PID 2820 wrote to memory of 940	2820	sphinx_1.0.1.2.vir.exe	cmd.exe
PID 1056 wrote to memory of 2792	1056	iruxe.exe	sihost.exe
PID 1056 wrote to memory of 2792	1056	iruxe.exe	sihost.exe
PID 1056 wrote to memory of 2792	1056	iruxe.exe	sihost.exe
PID 1056 wrote to memory of 2792	1056	iruxe.exe	sihost.exe
PID 1056 wrote to memory of 2792	1056	iruxe.exe	sihost.exe
PID 1056 wrote to memory of 2800	1056	iruxe.exe	svchost.exe
PID 1056 wrote to memory of 2800	1056	iruxe.exe	svchost.exe
PID 1056 wrote to memory of 2800	1056	iruxe.exe	svchost.exe
PID 1056 wrote to memory of 2800	1056	iruxe.exe	svchost.exe
PID 1056 wrote to memory of 2800	1056	iruxe.exe	svchost.exe
PID 1056 wrote to memory of 2852	1056	iruxe.exe	taskhostw.exe
PID 1056 wrote to memory of 2852	1056	iruxe.exe	taskhostw.exe
PID 1056 wrote to memory of 2852	1056	iruxe.exe	taskhostw.exe
PID 1056 wrote to memory of 2852	1056	iruxe.exe	taskhostw.exe
PID 1056 wrote to memory of 2852	1056	iruxe.exe	taskhostw.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

sphinx_1.0.1.2.vir.exesphinx_1.0.1.2.vir.exeiruxe.exe

description	pid	process	target process
PID 2532 set thread context of 2820	2532	sphinx_1.0.1.2.vir.exe	sphinx_1.0.1.2.vir.exe
PID 2820 set thread context of 3768	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 2820 set thread context of 3696	2820	sphinx_1.0.1.2.vir.exe	explorer.exe
PID 756 set thread context of 1056	756	iruxe.exe	iruxe.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2800

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2852

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.2.vir.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2532

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.2.vir.exe
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.2.vir.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2820

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3688

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" socksParentProxy=localhost:9050
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2216

C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe
"C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe"
4⤵
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:756

C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4f493b54.bat"
4⤵
PID:940

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3156

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3408

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4f493b54.bat

Download Submit
C:\Users\Admin\AppData\Roaming\25-unhint-nonlatin.conf

Download Submit
C:\Users\Admin\AppData\Roaming\BatheUredosporeCosmology

Download Submit
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Buol\iruxe.exe

Download Submit
C:\Users\Admin\AppData\Roaming\OS Shortcuts.txt

Download Submit
C:\Users\Admin\AppData\Roaming\arrow_left_enabled.png

Download Submit
C:\Users\Admin\AppData\Roaming\nourishments.dll

Download Submit
C:\Users\Admin\AppData\Roaming\olduninstall.iss

Download Submit
C:\Users\Admin\AppData\Roaming\pcdrdvdminusrw.p5m

Download Submit
\Users\Admin\AppData\Local\Temp\nsi290C.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nsi69BE.tmp\System.dll

Download Submit
\Users\Admin\AppData\Roaming\nourishments.dll

Download Submit
\Users\Admin\AppData\Roaming\nourishments.dll

Download Submit
\Users\Admin\AppData\Roaming\nourishments.dll

Download Submit
\Users\Admin\AppData\Roaming\nourishments.dll

Download Submit
memory/756-375-0x0000000000000000-mapping.dmp

Download
memory/940-392-0x0000000000000000-mapping.dmp

Download
memory/1056-389-0x0000000000417DF5-mapping.dmp

Download
memory/2820-5-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/2820-4-0x0000000000417DF5-mapping.dmp

Download
memory/2820-3-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/3696-9-0x0000000000401130-mapping.dmp

Download
memory/3696-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3696-403-0x0000000000401130-mapping.dmp

Download
memory/3696-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3768-13-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/3768-15-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/3768-14-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/3768-326-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/3768-12-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3768-194-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/3768-10-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3768-195-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/3768-7-0x00000000007A34B0-mapping.dmp

Download
memory/3768-393-0x00000000007A34B0-mapping.dmp

Download
memory/3768-6-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3768-196-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads