hxxps://github[.]com/InsaniumDev/amoogus/blob/main/Worm[.]32[.]Amog[.]us[.]exe

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/InsaniumDev/amoogus/blob/main/Worm.32.Amog.us.exe

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 709283.crdownload	disable_win_def
behavioral1/memory/2676-216-0x0000000000810000-0x000000000081C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Worm.32.Amog.us.exeWorm.32.Amog.us.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Worm.32.Amog.us.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Worm.32.Amog.us.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Worm.32.Amog.us.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Worm.32.Amog.us.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Worm.32.Amog.us.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Worm.32.Amog.us.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Worm.32.Amog.us.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Worm.32.Amog.us.exeWorm.32.Amog.us.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Worm.32.Amog.us.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Worm.32.Amog.us.exe

Renames multiple (198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 raw.githubusercontent.com
19 raw.githubusercontent.com

flow	ioc
13	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Worm.32.Amog.us.exeWorm.32.Amog.us.exe

description	ioc	process
File created	C:\autorun.inf	Worm.32.Amog.us.exe
File created	F:\autorun.inf	Worm.32.Amog.us.exe
File opened for modification	C:\autorun.inf	Worm.32.Amog.us.exe
File opened for modification	F:\autorun.inf	Worm.32.Amog.us.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	msedge.exe

NTFS ADS 6 IoCs

Processes:

msedge.exemsedge.exeWorm.32.Amog.us.exeWorm.32.Amog.us.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 709283.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Worm.32.Amog.us.exe:Zone.Identifier	msedge.exe
File created	C:\ZCHOWP.exe\:SmartScreen:$DATA	Worm.32.Amog.us.exe
File created	C:\ZCHOWP.exe\:Zone.Identifier:$DATA	Worm.32.Amog.us.exe
File created	C:\SEIPTQ.exe\:SmartScreen:$DATA	Worm.32.Amog.us.exe
File created	C:\SEIPTQ.exe\:Zone.Identifier:$DATA	Worm.32.Amog.us.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exemsedge.exe

pid	process
3584	msedge.exe
3584	msedge.exe
1932	msedge.exe
1932	msedge.exe
3460	msedge.exe
3460	msedge.exe
5084	msedge.exe
5084	msedge.exe
3016	identity_helper.exe
3016	identity_helper.exe
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe
5544	powershell.exe
5544	powershell.exe
5544	powershell.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1932 msedge.exe
1932 msedge.exe
1932 msedge.exe
1932 msedge.exe
1932 msedge.exe
1932 msedge.exe
1932 msedge.exe

pid
4
4
4
4
4
660

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	5544	powershell.exe
Token: SeBackupPrivilege	5992	svchost.exe
Token: SeRestorePrivilege	5992	svchost.exe
Token: SeSecurityPrivilege	5992	svchost.exe
Token: SeTakeOwnershipPrivilege	5992	svchost.exe
Token: 35	5992	svchost.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1932 wrote to memory of 4176	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4176	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4600	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3584	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3584	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 452	1932	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/InsaniumDev/amoogus/blob/main/Worm.32.Amog.us.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef8683cb8,0x7ffef8683cc8,0x7ffef8683cd8
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
2⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:8
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
2⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11571135042181177766,10622783610750385518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3644 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3640

C:\Users\Admin\Pictures\Worm.32.Amog.us.exe
"C:\Users\Admin\Pictures\Worm.32.Amog.us.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies visibility of file extensions in Explorer
- Drops autorun.inf file
- NTFS ADS
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:3704

C:\Users\Admin\Pictures\Worm.32.Amog.us.exe
"C:\Users\Admin\Pictures\Worm.32.Amog.us.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies visibility of file extensions in Explorer
- Drops autorun.inf file
- NTFS ADS
PID:5472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
f46e4442144587c214faf82b1e229d98

SHA1
bb11fc5510bc9b70ca13c77f3062e5bc6fc53570

SHA256
3af5126bfbecce69888140c3184d879aa2d3e0448fcc4d7a4f11b39347d8f6e6

SHA512
932db3ea3fe54e905e8123a93d457d44e0eb0171cac00a26fdb9f0046e0b4c3350109c390247adb4fcca45ad3fe74b9323700816025f19d09c214ca05b9d6bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cd6282960b5839c30907f88b0c7f3cfb

SHA1
67e5795ec5bbd702e00c6b0f27f499ee7fe043d7

SHA256
34d4c9c5ed696aa8c738973a52359668d257e436cc2c36b1ad7fa4836c1f853e

SHA512
91e16a720fed6db8bc558dc53e20656af9d5b7feddd112e8939e488919ef4c47d163c17575d8b0bebeae42bdd99afe3bb970f0deb68c8bd1089026758505a76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cfa6946c02b73dc04432a2bfb621c127

SHA1
29d4c7f8a18a12d5a32135fbb77e253c8138e20b

SHA256
79396e3d2606083c2b8c785b03c72139cd6fdc84db9d54f6079142385c159c5f

SHA512
94b4398cea2bb014a89bd6f8dbe5d1da0c3c9b4e0cf9fd18651d64e1db4efe4f82248bca3d198a222f993b7861c25c5478608fe7989811bda07cee7902a82882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4d019bddd9f1bebcbf2b4bd945409efa

SHA1
43d68bbc739ee3e9722d04e1b798ebf88f082ff8

SHA256
7c8fa657997b1b5ea629f38b8d5f2482caab1fb3ca964cd5a06d25cda7ce9241

SHA512
b280b3c1af8d8312e7b202c3bed2c22d4e22b8af7f5be323260eb39375be4b580e52138e842ddb52ad8f3ffab1e77a1853479714649d7b274e806137609747c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
06cb0a8b7478ec11933e2ac725fe1593

SHA1
2b4ee91ce2a8792534acbf8523ab43f6f0483bc1

SHA256
91e320fc0ef3ca22768c40131407c9bbd72acb2c6bde592aada3d405ad163f6c

SHA512
3b05c06e5ca81902408bb944080ba3f020e2c08777d510f9385abc735840d0b01abe9f5b391bddc8d32c004ab1cb11aa234ca731e9e772e69513d24358a1a98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d428.TMP
Filesize
1KB

MD5
2ae0317c278c20dedd4887783a7b84d2

SHA1
cb1dba1961fafee9bf2696e42f22a5ccf92eb259

SHA256
e7cf329f87b575d33234ecfdb6df99a4078b014a992724dd78c4565e4cf36370

SHA512
30a59fb991431a018f27afb7df0f7a1a685a2729e9b61882cac200c71371508552badffc1a2795613ae0d57efd49770dd41fcfc6f639ddea25cbcc5e4bedeb4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b71f65a8d59d287b41fd5c5843ef221a

SHA1
e31298051f188fd336e7dad9381b1aa2b9d72e0d

SHA256
cf0d3fc428fb7bfb76e8bdc540407d74f8f7a013ea82648df37e2ea9a4f6e2c6

SHA512
a61b41dfe96d066b1327dae0276ab0bf14bfe3c3656e98619a95ad407f2d40cbae79b4ac52a0f984ec55c9356543980f524ebcf143de187cc1339b58526f0cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c4330798cd5c23f0f9f8fea9c907c19e

SHA1
64170f3bd375bd9c9499132c3c3afd441e14e0ab

SHA256
cb5d8766711521d0fd76d6d1754cd94414181b315a6dd3f7ee3b1325713f5f3f

SHA512
4bb884f919fc9aa525a8e5a7413afc5f3e3c0f48d2d5c300f18424fc7daab31662228650fca816662d19b0421cd6d6117bb3617192993051f268a9402451be93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
8ecefa13087e235bbca6a9e1bdee8b93

SHA1
db4486abd8d9646153969acfcf195376c655879c

SHA256
cb88e84799f051569970a4e1522fcb619416fc5f8add4d388411663e1ae94f16

SHA512
42b58fca49d4b3a577c8d2b37034298c88b7cba958d0428af841b03ac779a751b84459ac5f2d728f66275b0daa4d147e92fa9160aa2bf60e9c2dbc23477f2006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
fa56bea82f35fe4713a7b5ed9883ddda

SHA1
c6774fc10ecdd4d6b0db5733ddc756bf8cff9422

SHA256
1a525c076543426e3c9d30c571854e3ad623420f6d766f6d92a808d8a1f36102

SHA512
92ae520855d25ff6193f999fa1260e13a8a9f1b8312bdc5e8a65e45b0ebf8205ae902ab6bdba550aba8e71dd989b36ff1f9a611b2b624a046d69eb1fd58f35a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
67c8e50fdf82cfe8525a7ce12a0498a5

SHA1
a7a8888d8704202eaa918de5cae29fdd794cafe3

SHA256
f06f92cbfa88bfde518dff8801fc6c73e4cb85dfcb8b945b4e48db5d60bacfc1

SHA512
99af1aa80e0f85666b7e73b613e2c1e7429dd8e812a3e36742c7b78ace80a090a3f60034d241a0d934cf1b3bc525b67d8f6ffbb437bd37acdaf5a5a3a8e9cdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1vmnh2o.wiv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 709283.crdownload
Filesize
22KB

MD5
e0b4f808ddafcc12c5c302eb87ccb019

SHA1
0f800c01a19faf2a1fc383509add04888e139eb8

SHA256
e69e79ba06bc4d3cf8deb2183485f9c11151566bd8c369b075cb7cd45fdf18f7

SHA512
fc5d84075e37fc2e4256661d75011b8f1e0c372ba5ac502cbdfd80924ed613b838dcf0cb0ede8f10d29ae2e76e55224926c433092babf0ff288087276217d42b

Download Submit
C:\Users\Admin\Downloads\Worm.32.Amog.us.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\autorun.inf
Filesize
26B

MD5
4b6b384de6f09121cc7878aaadd2bc00

SHA1
e898d467825af0920782ce046f9fba4d94b53344

SHA256
ddd9c7ba6803eadbf34c2b9e0c8203c175d75e7da37e2faea32d38c03e8ffdfd

SHA512
8198e9143d66d9826b71865e58e9a2f50f8e545e1ee687ff11515298168bb7f4dc55865d88b350f76c696a6ad7525e2dc29e42ef5c897e81fa53c47a7ed472b4

Download Submit
F:\SEIPTQ.exe:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
\??\pipe\LOCAL\crashpad_1932_RQANYQTVZWNCGRUX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1164-241-0x0000000005740000-0x0000000005A97000-memory.dmp

Filesize
3.3MB

Download
memory/1164-261-0x00000000071A0000-0x00000000071AE000-memory.dmp

Filesize
56KB

Download
memory/1164-242-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/1164-243-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/1164-244-0x0000000006BE0000-0x0000000006C14000-memory.dmp

Filesize
208KB

Download
memory/1164-245-0x0000000070B60000-0x0000000070BAC000-memory.dmp

Filesize
304KB

Download
memory/1164-254-0x0000000006C20000-0x0000000006C3E000-memory.dmp

Filesize
120KB

Download
memory/1164-255-0x0000000006C40000-0x0000000006CE4000-memory.dmp

Filesize
656KB

Download
memory/1164-257-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/1164-256-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1164-258-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/1164-259-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/1164-260-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/1164-232-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/1164-262-0x00000000071B0000-0x00000000071C5000-memory.dmp

Filesize
84KB

Download
memory/1164-263-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/1164-264-0x00000000072A0000-0x00000000072A8000-memory.dmp

Filesize
32KB

Download
memory/1164-231-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/1164-230-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/1164-229-0x0000000004E60000-0x000000000548A000-memory.dmp

Filesize
6.2MB

Download
memory/1164-228-0x0000000002430000-0x0000000002466000-memory.dmp

Filesize
216KB

Download
memory/2676-219-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/2676-218-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/2676-217-0x00000000058D0000-0x0000000005E76000-memory.dmp

Filesize
5.6MB

Download
memory/2676-216-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/5544-328-0x0000000070B60000-0x0000000070BAC000-memory.dmp

Filesize
304KB

Download