Analysis

  • max time kernel
    131s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-09-2021 15:18

General

  • Target

    e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4.exe

  • Size

    79KB

  • MD5

    936593e1ba2e1fefc78389ed40ab9d9a

  • SHA1

    dce566c765b39bca870e374c7f973b432a633fb3

  • SHA256

    e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4

  • SHA512

    21d3f5f00be88041ee4839a776ed8e7428bcb1e8172d4c4f9af2a7b782c3f89fc4dd57402dbf77d24664b8a99d2d330dc8b231d9d7037564bbc9276c49633017

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4.exe
    "C:\Users\Admin\AppData\Local\Temp\e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4.exe"
    1⤵
      PID:636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 272
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1000
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:496
      • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        2⤵
          PID:1648
        • C:\Windows\SysWOW64\unregmp2.exe
          "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3824
          • C:\Windows\System32\unregmp2.exe
            "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            3⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            PID:664

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads