c0dfbb822dea47692a8ed0d266c518495f1a3efd3a4208fb5251bcdf08f18d42

General

Target

sphinx_1.0.2.0.vir.exe
Size

1.5MB
MD5

03daacbdcdd8b7a202fd3d4c56ca3bf4
SHA1

8625c393222f587074feee1af1c6e4807faea43f
SHA256

c0dfbb822dea47692a8ed0d266c518495f1a3efd3a4208fb5251bcdf08f18d42
SHA512

775dcd98efc7d5f955734e65cd156b61f4740740746669305a4c9712d197564e016f77da5d6c5fab244e78eb9efb2df58266fcaf61e89c5e3ad6a3e2e4a4acaa

Score

8^/10

upx persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ocupu.exeocupu.exe

pid process

1656 ocupu.exe
2156 ocupu.exe

pid	process
1656	ocupu.exe
2156	ocupu.exe

Suspicious behavior: EnumeratesProcesses 66 IoCs

Processes:

ocupu.exeexplorer.exe

pid	process
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
3620	explorer.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe
2156	ocupu.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3620-23-0x0000000000400000-0x00000000007A5000-memory.dmp	upx
behavioral2/memory/3620-24-0x0000000000400000-0x00000000007A5000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sphinx_1.0.2.0.vir.exeocupu.exe

pid process

2040 sphinx_1.0.2.0.vir.exe
1656 ocupu.exe

pid	process
2040	sphinx_1.0.2.0.vir.exe
1656	ocupu.exe

Suspicious use of WriteProcessMemory 92 IoCs

Processes:

sphinx_1.0.2.0.vir.exesphinx_1.0.2.0.vir.exeocupu.exeocupu.exe

description	pid	process	target process
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 2040 wrote to memory of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 1172 wrote to memory of 1656	1172	sphinx_1.0.2.0.vir.exe	ocupu.exe
PID 1172 wrote to memory of 1656	1172	sphinx_1.0.2.0.vir.exe	ocupu.exe
PID 1172 wrote to memory of 1656	1172	sphinx_1.0.2.0.vir.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1656 wrote to memory of 2156	1656	ocupu.exe	ocupu.exe
PID 1172 wrote to memory of 2488	1172	sphinx_1.0.2.0.vir.exe	cmd.exe
PID 1172 wrote to memory of 2488	1172	sphinx_1.0.2.0.vir.exe	cmd.exe
PID 1172 wrote to memory of 2488	1172	sphinx_1.0.2.0.vir.exe	cmd.exe
PID 2156 wrote to memory of 2776	2156	ocupu.exe	sihost.exe
PID 2156 wrote to memory of 2776	2156	ocupu.exe	sihost.exe
PID 2156 wrote to memory of 2776	2156	ocupu.exe	sihost.exe
PID 2156 wrote to memory of 2776	2156	ocupu.exe	sihost.exe
PID 2156 wrote to memory of 2776	2156	ocupu.exe	sihost.exe
PID 2156 wrote to memory of 2792	2156	ocupu.exe	svchost.exe
PID 2156 wrote to memory of 2792	2156	ocupu.exe	svchost.exe
PID 2156 wrote to memory of 2792	2156	ocupu.exe	svchost.exe
PID 2156 wrote to memory of 2792	2156	ocupu.exe	svchost.exe
PID 2156 wrote to memory of 2792	2156	ocupu.exe	svchost.exe
PID 2156 wrote to memory of 2856	2156	ocupu.exe	taskhostw.exe
PID 2156 wrote to memory of 2856	2156	ocupu.exe	taskhostw.exe
PID 2156 wrote to memory of 2856	2156	ocupu.exe	taskhostw.exe
PID 2156 wrote to memory of 2856	2156	ocupu.exe	taskhostw.exe
PID 2156 wrote to memory of 2856	2156	ocupu.exe	taskhostw.exe
PID 2156 wrote to memory of 3004	2156	ocupu.exe	Explorer.EXE
PID 2156 wrote to memory of 3004	2156	ocupu.exe	Explorer.EXE
PID 2156 wrote to memory of 3004	2156	ocupu.exe	Explorer.EXE
PID 2156 wrote to memory of 3004	2156	ocupu.exe	Explorer.EXE
PID 2156 wrote to memory of 3004	2156	ocupu.exe	Explorer.EXE
PID 2156 wrote to memory of 3152	2156	ocupu.exe	ShellExperienceHost.exe
PID 2156 wrote to memory of 3152	2156	ocupu.exe	ShellExperienceHost.exe
PID 2156 wrote to memory of 3152	2156	ocupu.exe	ShellExperienceHost.exe
PID 2156 wrote to memory of 3152	2156	ocupu.exe	ShellExperienceHost.exe
PID 2156 wrote to memory of 3152	2156	ocupu.exe	ShellExperienceHost.exe
PID 2156 wrote to memory of 3164	2156	ocupu.exe	SearchUI.exe
PID 2156 wrote to memory of 3164	2156	ocupu.exe	SearchUI.exe
PID 2156 wrote to memory of 3164	2156	ocupu.exe	SearchUI.exe
PID 2156 wrote to memory of 3164	2156	ocupu.exe	SearchUI.exe
PID 2156 wrote to memory of 3164	2156	ocupu.exe	SearchUI.exe
PID 2156 wrote to memory of 3400	2156	ocupu.exe	RuntimeBroker.exe
PID 2156 wrote to memory of 3400	2156	ocupu.exe	RuntimeBroker.exe
PID 2156 wrote to memory of 3400	2156	ocupu.exe	RuntimeBroker.exe
PID 2156 wrote to memory of 3400	2156	ocupu.exe	RuntimeBroker.exe
PID 2156 wrote to memory of 3400	2156	ocupu.exe	RuntimeBroker.exe
PID 2156 wrote to memory of 3656	2156	ocupu.exe	DllHost.exe
PID 2156 wrote to memory of 3656	2156	ocupu.exe	DllHost.exe
PID 2156 wrote to memory of 3656	2156	ocupu.exe	DllHost.exe
PID 2156 wrote to memory of 3656	2156	ocupu.exe	DllHost.exe
PID 2156 wrote to memory of 3656	2156	ocupu.exe	DllHost.exe
PID 2156 wrote to memory of 2488	2156	ocupu.exe	cmd.exe
PID 2156 wrote to memory of 2488	2156	ocupu.exe	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

sphinx_1.0.2.0.vir.exeocupu.exe

description	pid	process	target process
PID 2040 set thread context of 1172	2040	sphinx_1.0.2.0.vir.exe	sphinx_1.0.2.0.vir.exe
PID 1656 set thread context of 2156	1656	ocupu.exe	ocupu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sphinx_1.0.2.0.vir.exe

description pid process

Token: SeSecurityPrivilege 1172 sphinx_1.0.2.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1172	sphinx_1.0.2.0.vir.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ocupu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run	ocupu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\{230790DE-DEFF-D24E-314C-14E57A97A6D4} = "C:\\Users\\Admin\\AppData\\Roaming\\Ezni\\ocupu.exe"	ocupu.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2792

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2856

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2040

C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\sphinx_1.0.2.0.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe
"C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1656

C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe
"C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
PID:2156

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" --SocksPort 9050 --ControlPort 9051 --HiddenServiceDir "C:\Users\Admin\AppData\Roaming\shs" --HiddenServicePort "35894 127.0.0.1:35894"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3904

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe" socksParentProxy=localhost:9050
6⤵
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp699049b2.bat"
4⤵
- Modifies Internet Explorer settings
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2616

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3152

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp699049b2.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ezni\ocupu.exe

Download Submit
memory/1172-5-0x00000000004190C4-mapping.dmp

Download
memory/1172-6-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1172-4-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1656-7-0x0000000000000000-mapping.dmp

Download
memory/1656-12-0x000000000069D000-0x00000000006A0000-memory.dmp

Filesize
12KB

Download
memory/1656-13-0x00000000006AE000-0x00000000006B3000-memory.dmp

Filesize
20KB

Download
memory/1656-14-0x00000000006BC000-0x00000000006BF000-memory.dmp

Filesize
12KB

Download
memory/2040-2-0x000000000070D000-0x0000000000710000-memory.dmp

Filesize
12KB

Download
memory/2040-3-0x000000000072D000-0x000000000072F000-memory.dmp

Filesize
8KB

Download
memory/2156-16-0x00000000004190C4-mapping.dmp

Download
memory/2488-20-0x0000000000000000-mapping.dmp

Download
memory/2488-19-0x0000000000000000-mapping.dmp

Download
memory/3620-27-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3620-23-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3620-24-0x0000000000400000-0x00000000007A5000-memory.dmp

Filesize
3.6MB

Download
memory/3620-22-0x0000000000000000-mapping.dmp

Download
memory/3620-28-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/3620-29-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3620-38-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3620-208-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3620-209-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/3620-210-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3892-25-0x0000000000000000-mapping.dmp

Download
memory/3892-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads