c3f8265bfcc61ef328a8f776318d74e588873047f51e0dc8e445c1f6d4334f30

General

Target

sphinx_1.0.1.0.vir.exe
Size

1.5MB
MD5

36269d4e8402c65c5f46aef0313db9c3
SHA1

c884ba2f073a775a69d03f6342804c3c4f6abb5d
SHA256

c3f8265bfcc61ef328a8f776318d74e588873047f51e0dc8e445c1f6d4334f30
SHA512

13de42090c9829056466dc424c0d26b43fa48731b4fac7519f6e025f0599ba74c562eb389faf5c4422e13e313948d6c45fe1844a45f35b9fbc9c754eac7e40ea

Score

8^/10

upx persistence

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

sphinx_1.0.1.0.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy	sphinx_1.0.1.0.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	sphinx_1.0.1.0.vir.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zehef.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\Currentversion\Run	zehef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6BB49FFC-5271-BE30-BADB-E77F76E37531} = "C:\\Users\\Admin\\AppData\\Roaming\\Doca\\zehef.exe"	zehef.exe

Suspicious behavior: EnumeratesProcesses 82 IoCs

Processes:

sphinx_1.0.1.0.vir.exeexplorer.exezehef.exeexplorer.execmd.exe

pid	process
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3352	explorer.exe
3352	explorer.exe
3352	explorer.exe
3352	explorer.exe
2292	zehef.exe
2292	zehef.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3844	sphinx_1.0.1.0.vir.exe
3352	explorer.exe
3352	explorer.exe
3352	explorer.exe
3352	explorer.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
2292	zehef.exe
2292	zehef.exe
2488	cmd.exe
2488	cmd.exe
2488	cmd.exe
2488	cmd.exe
2488	cmd.exe
2488	cmd.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe
2292	zehef.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

sphinx_1.0.1.0.vir.execmd.exe

description	pid	process
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeSecurityPrivilege	3844	sphinx_1.0.1.0.vir.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe
Token: SeDebugPrivilege	2488	cmd.exe

Suspicious use of WriteProcessMemory 118 IoCs

Processes:

sphinx_1.0.1.0.vir.exezehef.exe

description	pid	process	target process
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 wrote to memory of 2292	3844	sphinx_1.0.1.0.vir.exe	zehef.exe
PID 3844 wrote to memory of 2292	3844	sphinx_1.0.1.0.vir.exe	zehef.exe
PID 3844 wrote to memory of 2292	3844	sphinx_1.0.1.0.vir.exe	zehef.exe
PID 2292 wrote to memory of 2760	2292	zehef.exe	sihost.exe
PID 2292 wrote to memory of 2760	2292	zehef.exe	sihost.exe
PID 2292 wrote to memory of 2760	2292	zehef.exe	sihost.exe
PID 2292 wrote to memory of 2760	2292	zehef.exe	sihost.exe
PID 2292 wrote to memory of 2760	2292	zehef.exe	sihost.exe
PID 2292 wrote to memory of 2772	2292	zehef.exe	svchost.exe
PID 2292 wrote to memory of 2772	2292	zehef.exe	svchost.exe
PID 2292 wrote to memory of 2772	2292	zehef.exe	svchost.exe
PID 2292 wrote to memory of 2772	2292	zehef.exe	svchost.exe
PID 2292 wrote to memory of 2772	2292	zehef.exe	svchost.exe
PID 2292 wrote to memory of 2824	2292	zehef.exe	taskhostw.exe
PID 2292 wrote to memory of 2824	2292	zehef.exe	taskhostw.exe
PID 2292 wrote to memory of 2824	2292	zehef.exe	taskhostw.exe
PID 2292 wrote to memory of 2824	2292	zehef.exe	taskhostw.exe
PID 2292 wrote to memory of 2824	2292	zehef.exe	taskhostw.exe
PID 2292 wrote to memory of 2972	2292	zehef.exe	Explorer.EXE
PID 2292 wrote to memory of 2972	2292	zehef.exe	Explorer.EXE
PID 2292 wrote to memory of 2972	2292	zehef.exe	Explorer.EXE
PID 2292 wrote to memory of 2972	2292	zehef.exe	Explorer.EXE
PID 2292 wrote to memory of 2972	2292	zehef.exe	Explorer.EXE
PID 2292 wrote to memory of 3128	2292	zehef.exe	ShellExperienceHost.exe
PID 2292 wrote to memory of 3128	2292	zehef.exe	ShellExperienceHost.exe
PID 2292 wrote to memory of 3128	2292	zehef.exe	ShellExperienceHost.exe
PID 2292 wrote to memory of 3128	2292	zehef.exe	ShellExperienceHost.exe
PID 2292 wrote to memory of 3128	2292	zehef.exe	ShellExperienceHost.exe
PID 2292 wrote to memory of 3144	2292	zehef.exe	SearchUI.exe
PID 2292 wrote to memory of 3144	2292	zehef.exe	SearchUI.exe
PID 2292 wrote to memory of 3144	2292	zehef.exe	SearchUI.exe
PID 2292 wrote to memory of 3144	2292	zehef.exe	SearchUI.exe
PID 2292 wrote to memory of 3144	2292	zehef.exe	SearchUI.exe
PID 2292 wrote to memory of 3404	2292	zehef.exe	RuntimeBroker.exe
PID 2292 wrote to memory of 3404	2292	zehef.exe	RuntimeBroker.exe
PID 2292 wrote to memory of 3404	2292	zehef.exe	RuntimeBroker.exe
PID 2292 wrote to memory of 3404	2292	zehef.exe	RuntimeBroker.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

sphinx_1.0.1.0.vir.exe

description	pid	process	target process
PID 3844 set thread context of 3352	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 set thread context of 3828	3844	sphinx_1.0.1.0.vir.exe	explorer.exe
PID 3844 set thread context of 2488	3844	sphinx_1.0.1.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

zehef.exe

pid process

2292 zehef.exe

pid	process
2292	zehef.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3352-0-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3352-5-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3352-6-0x0000000000400000-0x00000000007A5000-memory.dmp	upx

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2772

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2824

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.1.0.vir.exe"
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3844

C:\Windows\SysWOw64\explorer.exe
"C:\Windows\SysWOw64\explorer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3808

C:\Windows\SysWOw64\explorer.exe
"C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:9050
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3956

C:\Users\Admin\AppData\Roaming\Doca\zehef.exe
"C:\Users\Admin\AppData\Roaming\Doca\zehef.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc0b026fd.bat"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3908

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3128

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3668

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:652

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:1224

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc0b026fd.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Doca\zehef.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Doca\zehef.exe

Download Submit
memory/2292-354-0x0000000000000000-mapping.dmp

Download
memory/2488-378-0x0000000002A1481C-mapping.dmp

Download
memory/2488-377-0x0000000002A00000-0x0000000002B85000-memory.dmp

Filesize
1.5MB

Download
memory/3352-6-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3352-305-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-8-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/3352-9-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-145-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-188-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-189-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/3352-190-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-191-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-7-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-311-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3352-0-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3352-5-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3352-1-0x00000000007A34B0-mapping.dmp

Download
memory/3352-375-0x00000000007A34B0-mapping.dmp

Download
memory/3828-376-0x0000000000401130-mapping.dmp

Download
memory/3828-3-0x0000000000401130-mapping.dmp

Download
memory/3828-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3828-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads