2bfe501031c14858507f0cc09a4312ca438b521f16fa83e90f93b067a929aaab

General

Target

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Size

2.3MB
MD5

921379bd587ab29da4dc23fb9d47fe36
SHA1

e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA256

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA512

90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	VID001.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

VID001.exe

pid process

3660 VID001.exe

pid	process
3660	VID001.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1176-2-0x00000000022F0000-0x000000000337E000-memory.dmp	upx
behavioral1/memory/3660-11-0x0000000002290000-0x000000000331E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

VID001.exe

pid process

3660 VID001.exe
Drops startup file 1 IoCs

Processes:

VID001.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk VID001.exe
Loads dropped DLL 2 IoCs

Processes:

VID001.exe

pid process

3660 VID001.exe
3660 VID001.exe

pid	process
3660	VID001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	VID001.exe

pid	process
3660	VID001.exe
3660	VID001.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	VID001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VID001.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	VID001.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VID001.exe

description	ioc	process
File opened (read-only)	\??\O:	VID001.exe
File opened (read-only)	\??\E:	VID001.exe
File opened (read-only)	\??\F:	VID001.exe
File opened (read-only)	\??\G:	VID001.exe
File opened (read-only)	\??\I:	VID001.exe
File opened (read-only)	\??\K:	VID001.exe
File opened (read-only)	\??\L:	VID001.exe
File opened (read-only)	\??\N:	VID001.exe
File opened (read-only)	\??\H:	VID001.exe
File opened (read-only)	\??\J:	VID001.exe
File opened (read-only)	\??\M:	VID001.exe
File opened (read-only)	\??\P:	VID001.exe
File opened (read-only)	\??\Q:	VID001.exe

Drops file in Windows directory 1 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0F7465D4_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0F7465D4_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

pid	process
1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
3660	VID001.exe
3660	VID001.exe
3660	VID001.exe
3660	VID001.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	pid	process
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	3660	VID001.exe
Token: SeDebugPrivilege	3660	VID001.exe
Token: SeDebugPrivilege	3660	VID001.exe
Token: SeDebugPrivilege	3660	VID001.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	pid	process	target process
PID 1176 wrote to memory of 704	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	fontdrvhost.exe
PID 1176 wrote to memory of 708	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	fontdrvhost.exe
PID 1176 wrote to memory of 952	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	dwm.exe
PID 1176 wrote to memory of 2324	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	sihost.exe
PID 1176 wrote to memory of 2332	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	svchost.exe
PID 1176 wrote to memory of 2452	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	taskhostw.exe
PID 1176 wrote to memory of 2984	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	Explorer.EXE
PID 1176 wrote to memory of 3200	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	ShellExperienceHost.exe
PID 1176 wrote to memory of 3212	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	SearchUI.exe
PID 1176 wrote to memory of 3436	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	RuntimeBroker.exe
PID 1176 wrote to memory of 3736	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	DllHost.exe
PID 1176 wrote to memory of 3660	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1176 wrote to memory of 3660	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1176 wrote to memory of 3660	1176	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 3660 wrote to memory of 704	3660	VID001.exe	fontdrvhost.exe
PID 3660 wrote to memory of 708	3660	VID001.exe	fontdrvhost.exe
PID 3660 wrote to memory of 952	3660	VID001.exe	dwm.exe
PID 3660 wrote to memory of 2324	3660	VID001.exe	sihost.exe
PID 3660 wrote to memory of 2332	3660	VID001.exe	svchost.exe
PID 3660 wrote to memory of 2452	3660	VID001.exe	taskhostw.exe
PID 3660 wrote to memory of 2984	3660	VID001.exe	Explorer.EXE
PID 3660 wrote to memory of 3200	3660	VID001.exe	ShellExperienceHost.exe
PID 3660 wrote to memory of 3212	3660	VID001.exe	SearchUI.exe
PID 3660 wrote to memory of 3436	3660	VID001.exe	RuntimeBroker.exe
PID 3660 wrote to memory of 3736	3660	VID001.exe	DllHost.exe
PID 3660 wrote to memory of 2780	3660	VID001.exe	DllHost.exe
PID 3660 wrote to memory of 704	3660	VID001.exe	fontdrvhost.exe
PID 3660 wrote to memory of 708	3660	VID001.exe	fontdrvhost.exe
PID 3660 wrote to memory of 952	3660	VID001.exe	dwm.exe
PID 3660 wrote to memory of 2324	3660	VID001.exe	sihost.exe
PID 3660 wrote to memory of 2332	3660	VID001.exe	svchost.exe
PID 3660 wrote to memory of 2452	3660	VID001.exe	taskhostw.exe
PID 3660 wrote to memory of 2984	3660	VID001.exe	Explorer.EXE
PID 3660 wrote to memory of 3200	3660	VID001.exe	ShellExperienceHost.exe
PID 3660 wrote to memory of 3212	3660	VID001.exe	SearchUI.exe
PID 3660 wrote to memory of 3436	3660	VID001.exe	RuntimeBroker.exe
PID 3660 wrote to memory of 3736	3660	VID001.exe	DllHost.exe
PID 3660 wrote to memory of 3952	3660	VID001.exe	backgroundTaskHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:704

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"
2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1176

C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3660

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3212

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2332

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2780

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

6

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F7465D4_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
MD5
2915b3f8b703eb744fc54c81f4a9c67f

SHA1
e10361a11f8a7f232ac3cb2125c1875a0a69a3e4

SHA256
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

SHA512
84e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Windows\SYSTEM.INI
MD5
4ff1673719b6751e9cfee33b3fce780c

SHA1
3fc0077f91e782bf7bb2d099134ddc5c994b195f

SHA256
99c5e0f80dd204e02469571ccf428e26521d789c5b0dbe21fd670538807dfc0e

SHA512
12a8513c14559394f9d19627ac739bb75c069d198765e1f1089e0ad4ae7bd27a3e3df92b7e3d0d21c161d62772a7af905442d98c343e0410ceb9d84ccc88e983

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70A3.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70A3.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
memory/1176-2-0x00000000022F0000-0x000000000337E000-memory.dmp

Filesize
16.6MB

Download
memory/1176-3-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/1176-4-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3660-5-0x0000000000000000-mapping.dmp

Download
memory/3660-11-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/3660-13-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads