Analysis
-
max time kernel
21s -
max time network
18s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 22:27
Static task
static1
Behavioral task
behavioral1
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
General
-
Target
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
-
Size
2.3MB
-
MD5
921379bd587ab29da4dc23fb9d47fe36
-
SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038
-
SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
-
SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" VID001.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" VID001.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" VID001.exe -
Executes dropped EXE 1 IoCs
Processes:
VID001.exepid process 3660 VID001.exe -
Processes:
resource yara_rule behavioral1/memory/1176-2-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral1/memory/3660-11-0x0000000002290000-0x000000000331E000-memory.dmp upx -
Deletes itself 1 IoCs
Processes:
VID001.exepid process 3660 VID001.exe -
Drops startup file 1 IoCs
Processes:
VID001.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk VID001.exe -
Loads dropped DLL 2 IoCs
Processes:
VID001.exepid process 3660 VID001.exe 3660 VID001.exe -
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" VID001.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
VID001.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run VID001.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ VID001.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run VID001.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ VID001.exe -
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" VID001.exe -
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
VID001.exedescription ioc process File opened (read-only) \??\O: VID001.exe File opened (read-only) \??\E: VID001.exe File opened (read-only) \??\F: VID001.exe File opened (read-only) \??\G: VID001.exe File opened (read-only) \??\I: VID001.exe File opened (read-only) \??\K: VID001.exe File opened (read-only) \??\L: VID001.exe File opened (read-only) \??\N: VID001.exe File opened (read-only) \??\H: VID001.exe File opened (read-only) \??\J: VID001.exe File opened (read-only) \??\M: VID001.exe File opened (read-only) \??\P: VID001.exe File opened (read-only) \??\Q: VID001.exe -
Drops file in Windows directory 1 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_2 C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\0F7465D4_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\0F7465D4_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe nsis_installer_2 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exepid process 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe 3660 VID001.exe 3660 VID001.exe 3660 VID001.exe 3660 VID001.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription pid process Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 3660 VID001.exe Token: SeDebugPrivilege 3660 VID001.exe Token: SeDebugPrivilege 3660 VID001.exe Token: SeDebugPrivilege 3660 VID001.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription pid process target process PID 1176 wrote to memory of 704 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe fontdrvhost.exe PID 1176 wrote to memory of 708 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe fontdrvhost.exe PID 1176 wrote to memory of 952 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe dwm.exe PID 1176 wrote to memory of 2324 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe sihost.exe PID 1176 wrote to memory of 2332 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe svchost.exe PID 1176 wrote to memory of 2452 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe taskhostw.exe PID 1176 wrote to memory of 2984 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Explorer.EXE PID 1176 wrote to memory of 3200 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe ShellExperienceHost.exe PID 1176 wrote to memory of 3212 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe SearchUI.exe PID 1176 wrote to memory of 3436 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe RuntimeBroker.exe PID 1176 wrote to memory of 3736 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe DllHost.exe PID 1176 wrote to memory of 3660 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe VID001.exe PID 1176 wrote to memory of 3660 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe VID001.exe PID 1176 wrote to memory of 3660 1176 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe VID001.exe PID 3660 wrote to memory of 704 3660 VID001.exe fontdrvhost.exe PID 3660 wrote to memory of 708 3660 VID001.exe fontdrvhost.exe PID 3660 wrote to memory of 952 3660 VID001.exe dwm.exe PID 3660 wrote to memory of 2324 3660 VID001.exe sihost.exe PID 3660 wrote to memory of 2332 3660 VID001.exe svchost.exe PID 3660 wrote to memory of 2452 3660 VID001.exe taskhostw.exe PID 3660 wrote to memory of 2984 3660 VID001.exe Explorer.EXE PID 3660 wrote to memory of 3200 3660 VID001.exe ShellExperienceHost.exe PID 3660 wrote to memory of 3212 3660 VID001.exe SearchUI.exe PID 3660 wrote to memory of 3436 3660 VID001.exe RuntimeBroker.exe PID 3660 wrote to memory of 3736 3660 VID001.exe DllHost.exe PID 3660 wrote to memory of 2780 3660 VID001.exe DllHost.exe PID 3660 wrote to memory of 704 3660 VID001.exe fontdrvhost.exe PID 3660 wrote to memory of 708 3660 VID001.exe fontdrvhost.exe PID 3660 wrote to memory of 952 3660 VID001.exe dwm.exe PID 3660 wrote to memory of 2324 3660 VID001.exe sihost.exe PID 3660 wrote to memory of 2332 3660 VID001.exe svchost.exe PID 3660 wrote to memory of 2452 3660 VID001.exe taskhostw.exe PID 3660 wrote to memory of 2984 3660 VID001.exe Explorer.EXE PID 3660 wrote to memory of 3200 3660 VID001.exe ShellExperienceHost.exe PID 3660 wrote to memory of 3212 3660 VID001.exe SearchUI.exe PID 3660 wrote to memory of 3436 3660 VID001.exe RuntimeBroker.exe PID 3660 wrote to memory of 3736 3660 VID001.exe DllHost.exe PID 3660 wrote to memory of 3952 3660 VID001.exe backgroundTaskHost.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" VID001.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F7465D4_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeMD5
2915b3f8b703eb744fc54c81f4a9c67f
SHA1e10361a11f8a7f232ac3cb2125c1875a0a69a3e4
SHA2569f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA51284e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exeMD5
921379bd587ab29da4dc23fb9d47fe36
SHA1e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA25650cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA51290211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exeMD5
921379bd587ab29da4dc23fb9d47fe36
SHA1e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA25650cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA51290211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
C:\Windows\SYSTEM.INIMD5
4ff1673719b6751e9cfee33b3fce780c
SHA13fc0077f91e782bf7bb2d099134ddc5c994b195f
SHA25699c5e0f80dd204e02469571ccf428e26521d789c5b0dbe21fd670538807dfc0e
SHA51212a8513c14559394f9d19627ac739bb75c069d198765e1f1089e0ad4ae7bd27a3e3df92b7e3d0d21c161d62772a7af905442d98c343e0410ceb9d84ccc88e983
-
\Users\Admin\AppData\Local\Temp\nsm70A3.tmp\inetc.dllMD5
d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
\Users\Admin\AppData\Local\Temp\nsm70A3.tmp\inetc.dllMD5
d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
memory/1176-2-0x00000000022F0000-0x000000000337E000-memory.dmpFilesize
16.6MB
-
memory/1176-3-0x0000000002170000-0x0000000002172000-memory.dmpFilesize
8KB
-
memory/1176-4-0x00000000022D0000-0x00000000022D1000-memory.dmpFilesize
4KB
-
memory/3660-5-0x0000000000000000-mapping.dmp
-
memory/3660-11-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/3660-13-0x0000000004550000-0x0000000004551000-memory.dmpFilesize
4KB