Overview

overview

8

Static

static

sphinx_1.0...ir.exe

windows7_x64

8

sphinx_1.0...ir.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    19-07-2020 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sphinx_1.0.0.0.vir.exe

  • Size

    1.6MB

  • MD5

    9f6d20d788c7cc43f05c30249cb743fa

  • SHA1

    f94698dd370ff396d2203b0ce4f6c91c234d11ff

  • SHA256

    18f150bc5cab780a4eaf35e198bb343497528b4095613ab48a8585c5caa937b5

  • SHA512

    769a8fb1ceb96f52b73667093910f84d738155dbfe60abd90184cad8b3cd6b449f7040f7b3bf3fd825e5ddfacfb93590bb1fb98c03fb687da0d91283fb08df68

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of WriteProcessMemory 128 IoCs
  • Program crash 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Executes dropped EXE 2 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2792
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
      1⤵
        PID:2800
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2852
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:3008
            • C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe
              "C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              • Suspicious use of SetWindowsHookEx
              PID:2532
              • C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe
                "C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.0.0.vir.exe"
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetThreadContext
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2812
                • C:\Windows\SysWOw64\explorer.exe
                  "C:\Windows\SysWOw64\explorer.exe"
                  4⤵
                    PID:3196
                  • C:\Windows\SysWOw64\explorer.exe
                    "C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:9050
                    4⤵
                      PID:3616
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        5⤵
                          PID:3744
                      • C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe
                        "C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • Suspicious use of SetWindowsHookEx
                        • Executes dropped EXE
                        PID:3656
                        • C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe
                          "C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe"
                          5⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          • Adds Run key to start application
                          • Executes dropped EXE
                          PID:2252
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 276
                          5⤵
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious behavior: EnumeratesProcesses
                          • Program crash
                          PID:4004
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5c8d58a4.bat"
                        4⤵
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1304
                • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
                  1⤵
                    PID:3156
                  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                    1⤵
                      PID:3168
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:3408
                      • C:\Windows\system32\DllHost.exe
                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                        1⤵
                          PID:3736
                        • C:\Program Files\Windows Mail\WinMail.exe
                          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
                          1⤵
                            PID:756

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Initial Access

                          Execution

                          Persistence

                          Registry Run Keys / Startup Folder

                          1
                          T1060

                          Privilege Escalation

                          Defense Evasion

                          Modify Registry

                          2
                          T1112

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\tmp5c8d58a4.bat
                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe
                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe
                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Yldyi\ywok.exe
                            Download Submit
                          • memory/1304-24-0x0000000002B1DEF3-mapping.dmp
                            Download
                          • memory/1304-23-0x0000000002B00000-0x0000000002C85000-memory.dmp
                            Filesize

                            1.5MB

                            Download
                          • memory/2812-1-0x0000000000400000-0x0000000000585000-memory.dmp
                            Filesize

                            1.5MB

                            Download
                          • memory/2812-0-0x0000000000400000-0x0000000000585000-memory.dmp
                            Filesize

                            1.5MB

                            Download
                          • memory/2812-11-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3196-21-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3616-4-0x0000000000400000-0x000000000043A000-memory.dmp
                            Filesize

                            232KB

                            Download
                          • memory/3616-22-0x0000000000401130-mapping.dmp
                            Download
                          • memory/3616-3-0x0000000000401130-mapping.dmp
                            Download
                          • memory/3616-2-0x0000000000400000-0x000000000043A000-memory.dmp
                            Filesize

                            232KB

                            Download
                          • memory/3656-15-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3656-5-0x0000000000000000-mapping.dmp
                            Download
                          • memory/4004-13-0x0000000004820000-0x0000000004821000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/4004-16-0x0000000004C60000-0x0000000004C61000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/4004-12-0x0000000004820000-0x0000000004821000-memory.dmp
                            Filesize

                            4KB

                            Download