Overview

overview

8

Static

static

sphinx_1.0...ir.exe

windows7_x64

8

sphinx_1.0...ir.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sphinx_1.0.2.0.vir.exe

  • Size

    1.5MB

  • MD5

    03daacbdcdd8b7a202fd3d4c56ca3bf4

  • SHA1

    8625c393222f587074feee1af1c6e4807faea43f

  • SHA256

    c0dfbb822dea47692a8ed0d266c518495f1a3efd3a4208fb5251bcdf08f18d42

  • SHA512

    775dcd98efc7d5f955734e65cd156b61f4740740746669305a4c9712d197564e016f77da5d6c5fab244e78eb9efb2df58266fcaf61e89c5e3ad6a3e2e4a4acaa

Score
8/10
upxpersistence

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious use of WriteProcessMemory 78 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1112
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1236
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1280
          • C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:1124
            • C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe
              "C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              • Suspicious use of AdjustPrivilegeToken
              • Loads dropped DLL
              PID:1416
              • C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                "C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe"
                4⤵
                • Suspicious use of WriteProcessMemory
                • Suspicious use of SetThreadContext
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:280
                • C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                  "C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Adds Run key to start application
                  PID:272
                  • C:\Windows\SysWOW64\explorer.exe
                    "C:\Windows\SysWOW64\explorer.exe" --SocksPort 9050 --ControlPort 9051 --HiddenServiceDir "C:\Users\Admin\AppData\Roaming\shs" --HiddenServicePort "33212 127.0.0.1:33212"
                    6⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1792
                  • C:\Windows\SysWOW64\explorer.exe
                    "C:\Windows\SysWOW64\explorer.exe" socksParentProxy=localhost:9050
                    6⤵
                      PID:1808
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp563b74c6.bat"
                  4⤵
                  • Modifies Internet Explorer settings
                  • Deletes itself
                  PID:1060
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "-89422237013662779201156095202-14048187971105583733-118048096610671447781554150222"
            1⤵
              PID:1836
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "837646631-1002634262-2019128416277052119874147609-1821738417-1437726271-708820428"
              1⤵
                PID:1380
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:1772
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                  1⤵
                    PID:1472

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Registry Run Keys / Startup Folder

                  1
                  T1060

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  2
                  T1112

                  Credential Access

                  Discovery

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmp563b74c6.bat
                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                    Download Submit
                  • \Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                    Download Submit
                  • \Users\Admin\AppData\Roaming\Kieha\pyilc.exe
                    Download Submit
                  • memory/272-18-0x00000000004190C4-mapping.dmp
                    Download
                  • memory/280-11-0x0000000000000000-mapping.dmp
                    Download
                  • memory/280-15-0x000000000063A000-0x000000000063C000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1060-22-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1060-21-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1124-5-0x000000000072E000-0x000000000072F000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1124-2-0x000000000072A000-0x000000000072C000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1124-4-0x000000000072D000-0x000000000072E000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1124-3-0x000000000072C000-0x000000000072D000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1416-6-0x0000000000400000-0x0000000000577000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1416-7-0x00000000004190C4-mapping.dmp
                    Download
                  • memory/1416-8-0x0000000000400000-0x0000000000577000-memory.dmp
                    Filesize

                    1.5MB

                    Download
                  • memory/1792-24-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1792-25-0x0000000000400000-0x00000000007A5000-memory.dmp
                    Filesize

                    3.6MB

                    Download
                  • memory/1792-26-0x0000000000400000-0x00000000007A5000-memory.dmp
                    Filesize

                    3.6MB

                    Download
                  • memory/1792-29-0x0000000003070000-0x0000000003081000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/1792-30-0x0000000003480000-0x0000000003491000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/1792-31-0x0000000003070000-0x0000000003081000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/1792-325-0x0000000003070000-0x0000000003081000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/1792-326-0x0000000003480000-0x0000000003491000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/1792-327-0x0000000003070000-0x0000000003081000-memory.dmp
                    Filesize

                    68KB

                    Download
                  • memory/1808-27-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1808-28-0x0000000000400000-0x000000000043A000-memory.dmp
                    Filesize

                    232KB

                    Download