Analysis

max time kernel: 150s
max time network: 138s
platform: windows10_x64
resource: win10v200430
submitted: 19-07-2020 19:53

Static task: static1

Behavioral task: behavioral1
  Sample: sphinx_1.0.0.0.vir.exe
  Resource: win7 (windows7_x64)

Behavioral task: behavioral2
  Sample: sphinx_1.0.0.0.vir.exe
  Resource: win10v200430 (windows10_x64)

The signatures, process tree and memory dumps below come from the windows10_x64 run (behavioral2).
General

Target: sphinx_1.0.0.0.vir.exe
Size: 1.6MB
MD5: 9f6d20d788c7cc43f05c30249cb743fa
SHA1: f94698dd370ff396d2203b0ce4f6c91c234d11ff
SHA256: 18f150bc5cab780a4eaf35e198bb343497528b4095613ab48a8585c5caa937b5
SHA512: 769a8fb1ceb96f52b73667093910f84d738155dbfe60abd90184cad8b3cd6b449f7040f7b3bf3fd825e5ddfacfb93590bb1fb98c03fb687da0d91283fb08df68
Score: 8/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: sphinx_1.0.0.0.vir.exe, WerFault.exe, cmd.exe
description                 pid   process                  rows
Token: SeDebugPrivilege     2812  sphinx_1.0.0.0.vir.exe   9
Token: SeSecurityPrivilege  2812  sphinx_1.0.0.0.vir.exe   1
Token: SeRestorePrivilege   4004  WerFault.exe             1
Token: SeBackupPrivilege    4004  WerFault.exe             1
Token: SeDebugPrivilege     4004  WerFault.exe             1
Token: SeDebugPrivilege     1304  cmd.exe                  9
Suspicious use of SetThreadContext 2 IoCs
Processes: sphinx_1.0.0.0.vir.exe
description                          pid   process                  target process
PID 2812 set thread context of 3616  2812  sphinx_1.0.0.0.vir.exe   explorer.exe
PID 2812 set thread context of 1304  2812  sphinx_1.0.0.0.vir.exe   cmd.exe
Modifies Internet Explorer settings 2 IoCs
Processes: sphinx_1.0.0.0.vir.exe
description      process                  ioc
Key created      sphinx_1.0.0.0.vir.exe   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy
Set value (int)  sphinx_1.0.0.0.vir.exe   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes: sphinx_1.0.0.0.vir.exe, ywok.exe, WerFault.exe, cmd.exe
pid   process                  rows
2532  sphinx_1.0.0.0.vir.exe   6
2812  sphinx_1.0.0.0.vir.exe   2
3656  ywok.exe                 6
2252  ywok.exe                 22
4004  WerFault.exe             14
1304  cmd.exe                  2
Suspicious use of WriteProcessMemory 128 IoCs (64 rows listed)
Processes: sphinx_1.0.0.0.vir.exe, ywok.exe
description                       pid   process                  target process           rows
PID 2532 wrote to memory of 2812  2532  sphinx_1.0.0.0.vir.exe   sphinx_1.0.0.0.vir.exe   10
PID 2812 wrote to memory of 3196  2812  sphinx_1.0.0.0.vir.exe   explorer.exe             3
PID 2812 wrote to memory of 3616  2812  sphinx_1.0.0.0.vir.exe   explorer.exe             19
PID 2812 wrote to memory of 3656  2812  sphinx_1.0.0.0.vir.exe   ywok.exe                 3
PID 3656 wrote to memory of 2252  3656  ywok.exe                 ywok.exe                 10
PID 2252 wrote to memory of 2792  2252  ywok.exe                 sihost.exe               5
PID 2252 wrote to memory of 2800  2252  ywok.exe                 svchost.exe              5
PID 2252 wrote to memory of 2852  2252  ywok.exe                 taskhostw.exe            5
PID 2252 wrote to memory of 3008  2252  ywok.exe                 Explorer.EXE             4
Program crash 1 IoCs
Processes: WerFault.exe
pid   pid_target  process       target process
4004  3656        WerFault.exe  ywok.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ywok.exe
description      process    ioc
Key created      ywok.exe   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run
Set value (str)  ywok.exe   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{348770B0-F6B7-8412-B6BB-AE4EF91B6C4C} = "C:\\Users\\Admin\\AppData\\Roaming\\Yldyi\\ywok.exe"
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: sphinx_1.0.0.0.vir.exe, ywok.exe
pid   process                  rows
2532  sphinx_1.0.0.0.vir.exe   2
3656  ywok.exe                 2
Executes dropped EXE 2 IoCs
Processes: ywok.exe
pid   process
3656  ywok.exe
2252  ywok.exe
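The WriteProcessMemory, SetThreadContext and Run-key tables above are the raw material for an injection graph. The Python below is an added example (not part of the sandbox report and not the sample's code): it parses rows in the report's own row format, treats every foreign SetThreadContext target as a hollowing candidate, walks the "wrote to memory" edges back from the final ywok.exe instance, lists Windows processes written to by non-Windows images, and checks the Run value for the two traits visible above (GUID-named value, binary under AppData\Roaming). The rows are copied from the tables above; the rule names, the SYSTEM_IMAGES list and the GUID/Roaming heuristics are this example's assumptions.

```python
import re

# Constructed input: rows copied from the report's signature tables, one IoC
# per line. PIDs and image names are the report's own.
WRITE_ROWS = """
PID 2532 wrote to memory of 2812 2532 sphinx_1.0.0.0.vir.exe sphinx_1.0.0.0.vir.exe
PID 2812 wrote to memory of 3196 2812 sphinx_1.0.0.0.vir.exe explorer.exe
PID 2812 wrote to memory of 3616 2812 sphinx_1.0.0.0.vir.exe explorer.exe
PID 2812 wrote to memory of 3656 2812 sphinx_1.0.0.0.vir.exe ywok.exe
PID 3656 wrote to memory of 2252 3656 ywok.exe ywok.exe
PID 2252 wrote to memory of 2792 2252 ywok.exe sihost.exe
PID 2252 wrote to memory of 2800 2252 ywok.exe svchost.exe
PID 2252 wrote to memory of 2852 2252 ywok.exe taskhostw.exe
PID 2252 wrote to memory of 3008 2252 ywok.exe Explorer.EXE
"""
CONTEXT_ROWS = """
PID 2812 set thread context of 3616 2812 sphinx_1.0.0.0.vir.exe explorer.exe
PID 2812 set thread context of 1304 2812 sphinx_1.0.0.0.vir.exe cmd.exe
"""
RUN_ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run ywok.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{348770B0-F6B7-8412-B6BB-AE4EF91B6C4C} = "C:\\Users\\Admin\\AppData\\Roaming\\Yldyi\\ywok.exe" ywok.exe
"""

EDGE_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'Set value \(str\) \S*\\Run\\(\S+) = "(.+?)" (\S+)$', re.M)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumption: the Windows processes this report shows as write targets.
SYSTEM_IMAGES = {"explorer.exe", "sihost.exe", "svchost.exe", "taskhostw.exe"}


def parse_edges(text):
    """Yield (src_pid, action, dst_pid, src_image, dst_image) from IoC rows."""
    for src, action, dst, src_img, dst_img in EDGE_RE.findall(text):
        yield int(src), action, int(dst), src_img, dst_img


def hollowed_targets(write_rows, context_rows):
    """Processes whose thread context was replaced by another process.

    A foreign SetThreadContext is the defining step of process hollowing, so
    every target is flagged. Whether a memory write from the same source was
    also seen is recorded but not required: the report lists 128 write IoCs
    and shows 64 rows, so a missing write row proves nothing.
    """
    writes = {(s, d) for s, _, d, _, _ in parse_edges(write_rows)}
    out = {}
    for src, _, dst, _, dst_img in parse_edges(context_rows):
        out[dst] = {"image": dst_img, "source": src, "written": (src, dst) in writes}
    return out


def injection_chain(write_rows, pid):
    """Follow 'wrote to memory' edges backwards from pid to the first writer."""
    writer = {d: s for s, _, d, _, _ in parse_edges(write_rows) if s != d}
    chain, seen = [pid], {pid}
    while chain[0] in writer and writer[chain[0]] not in seen:
        chain.insert(0, writer[chain[0]])
        seen.add(chain[0])
    return chain


def system_process_writes(write_rows):
    """(writer image, target image, target pid) for writes into Windows processes."""
    return sorted(
        (s_img, d_img, d)
        for _, _, d, s_img, d_img in parse_edges(write_rows)
        if d_img.lower() in SYSTEM_IMAGES and s_img.lower() not in SYSTEM_IMAGES
    )


def suspicious_run_entries(run_rows):
    """Run values named like a GUID and/or pointing into the roaming profile."""
    found = []
    for name, raw_path, proc in RUN_RE.findall(run_rows):
        path = raw_path.replace("\\\\", "\\")  # the report doubles backslashes
        reasons = []
        if GUID_RE.match(name):
            reasons.append("guid-named value")
        if "\\appdata\\roaming\\" in path.lower():
            reasons.append("binary under AppData\\Roaming")
        if reasons:
            found.append({"name": name, "path": path, "set_by": proc, "reasons": reasons})
    return found


if __name__ == "__main__":
    for pid, info in hollowed_targets(WRITE_ROWS, CONTEXT_ROWS).items():
        print(f"hollowed target {pid}: {info}")
    print("write chain to 2252:", injection_chain(WRITE_ROWS, 2252))
    print("writes into Windows processes:", system_process_writes(WRITE_ROWS))
    print("Run entries:", suspicious_run_entries(RUN_ROWS))
```

Run stand-alone it reports 3616 (explorer.exe, write observed) and 1304 (cmd.exe, no write row shown) as hollowing targets, the chain 2532 → 2812 → 3656 → 2252, six writes from sphinx/ywok into explorer, sihost, svchost and taskhostw, and the GUID-named Run value under AppData\Roaming. The same parsing works on any report that keeps this row layout; the GUID and Roaming checks are heuristics and will also match legitimate software that installs per user.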
Processes
(Indentation shows parent/child depth. Each entry gives the image path, then its command line and the signatures the report attaches to it. PIDs in brackets are taken from the signature tables above.)

c:\windows\system32\sihost.exe
  cmdline: sihost.exe
c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe [PID 2532]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe [PID 2812]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"
          signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOw64\explorer.exe
              cmdline: "C:\Windows\SysWOw64\explorer.exe"
            C:\Windows\SysWOw64\explorer.exe
              cmdline: "C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:9050
                C:\Windows\System32\Conhost.exe
                  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe [PID 3656]
              cmdline: "C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"
              signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of SetWindowsHookEx; Executes dropped EXE
                C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe [PID 2252]
                  cmdline: "C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"
                  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Adds Run key to start application; Executes dropped EXE
                C:\Windows\SysWOW64\WerFault.exe [PID 4004]
                  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 276
                  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Program crash
            C:\Windows\SysWOW64\cmd.exe [PID 1304]
              cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5c8d58a4.bat"
              signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Program Files\Windows Mail\WinMail.exe
  cmdline: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
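The process tree is what a responder usually sees first, and its shape alone already separates the chain from the background processes: Windows binaries (explorer.exe, cmd.exe) whose parent lives in the user's profile, and an explorer.exe carrying an argument explorer.exe does not take. The Python below is an added example, not part of the report and not the sample's code: it parses rows in the report's own rendering (image path, command line and depth digit run together, ending in the ⤵ marker), rebuilds parent/child links from the depth, and applies those two rules. The rows are a subset of the tree above; the rule names, the user-writable/system-directory patterns and the WerFault exclusion are this example's assumptions.

```python
import re

# Constructed input: process-tree rows from the report, copied as the report
# renders them: <image path><command line><depth>⤵ with no separator.
TREE_ROWS = [
    r"c:\windows\system32\sihost.exesihost.exe1⤵",
    r"c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵",
    r"C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵",
    r'C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"2⤵',
    r'C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"3⤵',
    r'C:\Windows\SysWOw64\explorer.exe"C:\Windows\SysWOw64\explorer.exe"4⤵',
    r'C:\Windows\SysWOw64\explorer.exe"C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:90504⤵',
    r"C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵",
    r'C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"4⤵',
    r'C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"5⤵',
    r"C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2765⤵",
    r'C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5c8d58a4.bat"4⤵',
]

# The image path ends at the first ".exe"; the depth is the single digit
# before the ⤵ marker; everything between is the command line.
ROW_RE = re.compile(r"^(.+?\.exe)(.*?)(\d)⤵$", re.I)
# Assumptions: anything under a user's AppData is user-writable, and
# System32/SysWOW64 hold the Windows binaries we care about.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_tree(rows):
    """Turn the flat, depth-annotated rows into nodes with parent/child links."""
    nodes, stack = [], []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsable row: {row!r}")
        node = {"image": m.group(1), "cmdline": m.group(2).strip(),
                "depth": int(m.group(3)), "parent": None, "children": []}
        while stack and stack[-1]["depth"] >= node["depth"]:
            stack.pop()          # the last node at depth-1 is the parent
        if stack:
            node["parent"] = stack[-1]
            stack[-1]["children"].append(node)
        stack.append(node)
        nodes.append(node)
    return nodes


def lineage(node):
    """Image names from the tree root down to node."""
    names = []
    while node:
        names.append(basename(node["image"]))
        node = node["parent"]
    return names[::-1]


def findings(nodes):
    out = []
    for n in nodes:
        name = basename(n["image"]).lower()
        p = n["parent"]
        # A Windows binary started by something in the user's profile is the
        # shape of a dropper/hollowing chain. WerFault.exe is excluded: the
        # crash handler is started by the crashing process itself, so it
        # would fire on every crash of a user-profile binary.
        if (p and name != "werfault.exe" and SYSTEM_DIR.match(n["image"])
                and USER_WRITABLE.search(p["image"])):
            out.append({"rule": "system binary spawned from user-writable path",
                        "image": basename(n["image"]), "parent": basename(p["image"]),
                        "lineage": lineage(n)})
        # explorer.exe has no socksParentProxy= switch; an argument like that
        # belongs to whatever code is now running inside it.
        if name == "explorer.exe" and "socksparentproxy=" in n["cmdline"].lower():
            out.append({"rule": "explorer.exe with proxy argument",
                        "image": basename(n["image"]),
                        "parent": basename(p["image"]) if p else None,
                        "lineage": lineage(n)})
    return out


if __name__ == "__main__":
    for f in findings(parse_tree(TREE_ROWS)):
        print(f["rule"], "->", " > ".join(f["lineage"]))
```

On the rows above this yields three "spawned from user-writable path" hits (both SysWOw64\explorer.exe instances and cmd.exe, all children of the Temp sphinx binary) and one proxy-argument hit; conhost.exe is not flagged because its parent is explorer.exe in SysWOw64, and WerFault.exe is skipped by design. The first rule is a lineage rule, not a verdict: installers and updaters in AppData legitimately launch cmd.exe, so in production it is a scoring input rather than an alert on its own.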
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files
  C:\Users\Admin\AppData\Local\Temp\tmp5c8d58a4.bat
  C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe (listed three times)

Memory dumps (memory/<pid>-<n>-<region>)
pid   n   region                                  kind     size
1304  24  0x0000000002B1DEF3                      mapping
1304  23  0x0000000002B00000-0x0000000002C85000   memory   1.5MB
2812  1   0x0000000000400000-0x0000000000585000   memory   1.5MB
2812  0   0x0000000000400000-0x0000000000585000   memory   1.5MB
2812  11  0x0000000000000000                      mapping
3196  21  0x0000000000000000                      mapping
3616  4   0x0000000000400000-0x000000000043A000   memory   232KB
3616  22  0x0000000000401130                      mapping
3616  3   0x0000000000401130                      mapping
3616  2   0x0000000000400000-0x000000000043A000   memory   232KB
3656  15  0x0000000000000000                      mapping
3656  5   0x0000000000000000                      mapping
4004  13  0x0000000004820000-0x0000000004821000   memory   4KB
4004  16  0x0000000004C60000-0x0000000004C61000   memory   4KB
4004  12  0x0000000004820000-0x0000000004821000   memory   4KB

PID 3616 is the explorer.exe whose thread context PID 2812 set (see the SetThreadContext table); its 0x401130 mappings lie inside the 232KB region at 0x400000 dumped from it. PID 1304 is the cmd.exe from the same table; its 1.5MB region at 0x2B00000 is the same size as the sample's own image in PID 2812.