Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:35
General
-
Target
sphinx_1.0.1.0.vir.exe
-
Size
1.5MB
-
MD5
36269d4e8402c65c5f46aef0313db9c3
-
SHA1
c884ba2f073a775a69d03f6342804c3c4f6abb5d
-
SHA256
c3f8265bfcc61ef328a8f776318d74e588873047f51e0dc8e445c1f6d4334f30
-
SHA512
13de42090c9829056466dc424c0d26b43fa48731b4fac7519f6e025f0599ba74c562eb389faf5c4422e13e313948d6c45fe1844a45f35b9fbc9c754eac7e40ea
Score
8/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 90 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
NTFS ADS 1 IoCs
-
Deletes itself 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.0.vir.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
-
C:\Windows\SysWOw64\explorer.exe"C:\Windows\SysWOw64\explorer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOw64\explorer.exe"C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:90503⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Vimo\ymmok.exe"C:\Users\Admin\AppData\Roaming\Vimo\ymmok.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9e7f9409.bat"3⤵
- Suspicious behavior: EnumeratesProcesses
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2064218124-237057423242341038-6147190786954622353041733944313797711361080805"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1939967539-1712629218-15445506331632165210-12037201269703356911501973160902792306"1⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of SendNotifyMessage
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9e7f9409.bat
-
C:\Users\Admin\AppData\Roaming\Vimo\ymmok.exe
-
C:\Users\Admin\AppData\Roaming\Vimo\ymmok.exe
-
\Users\Admin\AppData\Roaming\Vimo\ymmok.exe
-
\Users\Admin\AppData\Roaming\Vimo\ymmok.exe
-
memory/1076-324-0x0000000000000000-mapping.dmp
-
memory/1420-301-0x0000000003140000-0x0000000003151000-memory.dmpFilesize
68KB
-
memory/1420-3-0x0000000000400000-0x00000000007A5000-memory.dmpFilesize
3.6MB
-
memory/1420-8-0x0000000003550000-0x0000000003561000-memory.dmpFilesize
68KB
-
memory/1420-9-0x0000000003140000-0x0000000003151000-memory.dmpFilesize
68KB
-
memory/1420-406-0x00000000007A34B0-mapping.dmp
-
memory/1420-302-0x0000000003550000-0x0000000003561000-memory.dmpFilesize
68KB
-
memory/1420-303-0x0000000003140000-0x0000000003151000-memory.dmpFilesize
68KB
-
memory/1420-0-0x0000000000400000-0x00000000007A5000-memory.dmpFilesize
3.6MB
-
memory/1420-1-0x00000000007A34B0-mapping.dmp
-
memory/1420-2-0x0000000000400000-0x00000000007A5000-memory.dmpFilesize
3.6MB
-
memory/1420-7-0x0000000003140000-0x0000000003151000-memory.dmpFilesize
68KB
-
memory/1444-4-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1444-5-0x0000000000401130-mapping.dmp
-
memory/1444-447-0x0000000000401130-mapping.dmp
-
memory/1444-6-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1640-409-0x0000000003F30000-0x0000000003F32000-memory.dmpFilesize
8KB
-
memory/1640-418-0x00000000045B0000-0x00000000045B2000-memory.dmpFilesize
8KB
-
memory/1640-399-0x0000000002550000-0x0000000002552000-memory.dmpFilesize
8KB
-
memory/1640-400-0x0000000002570000-0x0000000002572000-memory.dmpFilesize
8KB
-
memory/1640-401-0x0000000002560000-0x0000000002562000-memory.dmpFilesize
8KB
-
memory/1640-402-0x0000000002570000-0x0000000002572000-memory.dmpFilesize
8KB
-
memory/1640-403-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/1640-404-0x0000000003F00000-0x0000000003F02000-memory.dmpFilesize
8KB
-
memory/1640-405-0x0000000003F20000-0x0000000003F22000-memory.dmpFilesize
8KB
-
memory/1640-394-0x0000000003980000-0x0000000003B80000-memory.dmpFilesize
2.0MB
-
memory/1640-407-0x0000000002560000-0x0000000002562000-memory.dmpFilesize
8KB
-
memory/1640-393-0x0000000003980000-0x0000000003A80000-memory.dmpFilesize
1024KB
-
memory/1640-408-0x0000000003F20000-0x0000000003F22000-memory.dmpFilesize
8KB
-
memory/1640-410-0x00000000041C0000-0x00000000041C2000-memory.dmpFilesize
8KB
-
memory/1640-411-0x00000000041D0000-0x00000000041D2000-memory.dmpFilesize
8KB
-
memory/1640-412-0x00000000041F0000-0x00000000041F2000-memory.dmpFilesize
8KB
-
memory/1640-413-0x0000000004290000-0x0000000004292000-memory.dmpFilesize
8KB
-
memory/1640-414-0x00000000042A0000-0x00000000042A2000-memory.dmpFilesize
8KB
-
memory/1640-415-0x0000000004560000-0x0000000004562000-memory.dmpFilesize
8KB
-
memory/1640-416-0x0000000004580000-0x0000000004582000-memory.dmpFilesize
8KB
-
memory/1640-417-0x00000000045A0000-0x00000000045A2000-memory.dmpFilesize
8KB
-
memory/1640-395-0x0000000003A80000-0x0000000003B80000-memory.dmpFilesize
1024KB
-
memory/1640-419-0x00000000045C0000-0x00000000045C2000-memory.dmpFilesize
8KB
-
memory/1640-420-0x00000000045D0000-0x00000000045D2000-memory.dmpFilesize
8KB
-
memory/1640-421-0x00000000045F0000-0x00000000045F2000-memory.dmpFilesize
8KB
-
memory/1640-422-0x0000000004620000-0x0000000004622000-memory.dmpFilesize
8KB
-
memory/1640-423-0x0000000004AB0000-0x0000000004AB2000-memory.dmpFilesize
8KB
-
memory/1640-424-0x0000000004B60000-0x0000000004B62000-memory.dmpFilesize
8KB
-
memory/1640-425-0x0000000004BF0000-0x0000000004BF2000-memory.dmpFilesize
8KB
-
memory/1640-426-0x0000000003CC0000-0x0000000003CC2000-memory.dmpFilesize
8KB
-
memory/1640-427-0x00000000044C0000-0x00000000044C2000-memory.dmpFilesize
8KB
-
memory/1640-428-0x00000000044E0000-0x00000000044E2000-memory.dmpFilesize
8KB
-
memory/1640-429-0x00000000044F0000-0x00000000044F2000-memory.dmpFilesize
8KB
-
memory/1640-430-0x0000000004500000-0x0000000004502000-memory.dmpFilesize
8KB
-
memory/1640-431-0x0000000004510000-0x0000000004512000-memory.dmpFilesize
8KB
-
memory/1640-432-0x0000000004520000-0x0000000004522000-memory.dmpFilesize
8KB
-
memory/1640-433-0x0000000003980000-0x0000000003A80000-memory.dmpFilesize
1024KB
-
memory/1640-435-0x00000000024C0000-0x00000000024D0000-memory.dmpFilesize
64KB
-
memory/1640-441-0x0000000001E90000-0x0000000001EA0000-memory.dmpFilesize
64KB
-
memory/1640-391-0x0000000003980000-0x0000000003B80000-memory.dmpFilesize
2.0MB
-
memory/1640-389-0x0000000003980000-0x0000000003A80000-memory.dmpFilesize
1024KB
-
memory/1828-449-0x00000000000A481C-mapping.dmp
-
memory/1828-448-0x0000000000090000-0x0000000000215000-memory.dmpFilesize
1.5MB