Analysis
-
max time kernel
151s -
max time network
117s -
platform
windows7_x64 -
resource
win7 -
submitted
19-07-2020 19:53
General
-
Target
sphinx_1.0.0.0.vir.exe
-
Size
1.6MB
-
MD5
9f6d20d788c7cc43f05c30249cb743fa
-
SHA1
f94698dd370ff396d2203b0ce4f6c91c234d11ff
-
SHA256
18f150bc5cab780a4eaf35e198bb343497528b4095613ab48a8585c5caa937b5
-
SHA512
769a8fb1ceb96f52b73667093910f84d738155dbfe60abd90184cad8b3cd6b449f7040f7b3bf3fd825e5ddfacfb93590bb1fb98c03fb687da0d91283fb08df68
Score
8/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of WriteProcessMemory 73 IoCs
-
Loads dropped DLL 2 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Executes dropped EXE 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
NTFS ADS 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOw64\explorer.exe"C:\Windows\SysWOw64\explorer.exe"4⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOw64\explorer.exe"C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:90504⤵
-
C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe"C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe"C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpae5e31ac.bat"4⤵
- Deletes itself
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- NTFS ADS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpae5e31ac.bat
-
C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe
-
C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe
-
C:\Users\Admin\AppData\Roaming\Pawupu\tedab.exe
-
\Users\Admin\AppData\Roaming\Pawupu\tedab.exe
-
\Users\Admin\AppData\Roaming\Pawupu\tedab.exe
-
memory/840-76-0x0000000000000000-mapping.dmp
-
memory/844-0-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/844-1-0x0000000000400000-0x0000000000585000-memory.dmpFilesize
1.5MB
-
memory/1176-10-0x0000000000000000-mapping.dmp
-
memory/1264-12-0x0000000000000000-mapping.dmp
-
memory/1296-4-0x0000000000000000-mapping.dmp
-
memory/1628-37-0x0000000003BB0000-0x0000000003BB2000-memory.dmpFilesize
8KB
-
memory/1628-42-0x0000000004380000-0x0000000004382000-memory.dmpFilesize
8KB
-
memory/1628-20-0x0000000003910000-0x0000000003B10000-memory.dmpFilesize
2.0MB
-
memory/1628-21-0x0000000003A10000-0x0000000003B10000-memory.dmpFilesize
1024KB
-
memory/1628-25-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/1628-26-0x0000000002660000-0x0000000002662000-memory.dmpFilesize
8KB
-
memory/1628-27-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1628-28-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/1628-29-0x0000000003F10000-0x0000000003F12000-memory.dmpFilesize
8KB
-
memory/1628-30-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1628-31-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/1628-32-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1628-33-0x0000000003BC0000-0x0000000003BC2000-memory.dmpFilesize
8KB
-
memory/1628-34-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1628-35-0x0000000003C60000-0x0000000003C62000-memory.dmpFilesize
8KB
-
memory/1628-36-0x0000000003E80000-0x0000000003E82000-memory.dmpFilesize
8KB
-
memory/1628-17-0x0000000003910000-0x0000000003B10000-memory.dmpFilesize
2.0MB
-
memory/1628-38-0x0000000002650000-0x0000000002652000-memory.dmpFilesize
8KB
-
memory/1628-39-0x0000000003C00000-0x0000000003C02000-memory.dmpFilesize
8KB
-
memory/1628-40-0x0000000004360000-0x0000000004362000-memory.dmpFilesize
8KB
-
memory/1628-41-0x0000000004370000-0x0000000004372000-memory.dmpFilesize
8KB
-
memory/1628-19-0x0000000003910000-0x0000000003A10000-memory.dmpFilesize
1024KB
-
memory/1628-43-0x00000000044E0000-0x00000000044E2000-memory.dmpFilesize
8KB
-
memory/1628-44-0x0000000004500000-0x0000000004502000-memory.dmpFilesize
8KB
-
memory/1628-45-0x0000000004510000-0x0000000004512000-memory.dmpFilesize
8KB
-
memory/1628-46-0x00000000041B0000-0x00000000041B2000-memory.dmpFilesize
8KB
-
memory/1628-47-0x0000000004520000-0x0000000004522000-memory.dmpFilesize
8KB
-
memory/1628-48-0x00000000041A0000-0x00000000041A2000-memory.dmpFilesize
8KB
-
memory/1628-49-0x00000000045B0000-0x00000000045B2000-memory.dmpFilesize
8KB
-
memory/1628-50-0x0000000004190000-0x0000000004192000-memory.dmpFilesize
8KB
-
memory/1628-51-0x00000000045C0000-0x00000000045C2000-memory.dmpFilesize
8KB
-
memory/1628-52-0x0000000004180000-0x0000000004182000-memory.dmpFilesize
8KB
-
memory/1628-53-0x0000000004170000-0x0000000004172000-memory.dmpFilesize
8KB
-
memory/1628-54-0x0000000003C30000-0x0000000003C32000-memory.dmpFilesize
8KB
-
memory/1628-55-0x0000000003B70000-0x0000000003B72000-memory.dmpFilesize
8KB
-
memory/1628-56-0x0000000004BE0000-0x0000000004BE2000-memory.dmpFilesize
8KB
-
memory/1628-57-0x0000000004B50000-0x0000000004B52000-memory.dmpFilesize
8KB
-
memory/1628-58-0x0000000004B40000-0x0000000004B42000-memory.dmpFilesize
8KB
-
memory/1628-59-0x0000000004B30000-0x0000000004B32000-memory.dmpFilesize
8KB
-
memory/1628-60-0x0000000003910000-0x0000000003B10000-memory.dmpFilesize
2.0MB
-
memory/1628-61-0x0000000003A10000-0x0000000003B10000-memory.dmpFilesize
1024KB
-
memory/1628-62-0x0000000002490000-0x00000000024A0000-memory.dmpFilesize
64KB
-
memory/1628-68-0x00000000023B0000-0x00000000023C0000-memory.dmpFilesize
64KB
-
memory/1628-15-0x0000000003910000-0x0000000003A10000-memory.dmpFilesize
1024KB