144a2999510b03049189c96d9e437545cb1e5173b65d593d5f67e672242d51b6

Analysis

max time kernel
165s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The Meows Cats's song #20.mp3
Size

8.6MB
MD5

579f9c3848fa1b8a9754e04451fa0fd0
SHA1

79ee80b3b16f7195ebe160b86edc3aa9401cfd44
SHA256

144a2999510b03049189c96d9e437545cb1e5173b65d593d5f67e672242d51b6
SHA512

55ec7a741a2f5683c7d9385641c49c84ef3bcd1f7e0234b7d24c7495f64801a7b071f3509cbb5865ba3be584a017061137dcec7af7e6e44f10d823b0109ff7e3
SSDEEP

196608:4EE8DvCx3Gr0r1Ok+CKA5pckQJbaL4GmMiTC:R8xI7kDBqJb6poC

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	876	unregmp2.exe
Token: SeCreatePagefilePrivilege	876	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3900	4972	wmplayer.exe	79
PID 4972 wrote to memory of 3900	4972	wmplayer.exe	79
PID 4972 wrote to memory of 3900	4972	wmplayer.exe	79
PID 4972 wrote to memory of 3536	4972	wmplayer.exe	80
PID 4972 wrote to memory of 3536	4972	wmplayer.exe	80
PID 4972 wrote to memory of 3536	4972	wmplayer.exe	80
PID 3536 wrote to memory of 876	3536	unregmp2.exe	81
PID 3536 wrote to memory of 876	3536	unregmp2.exe	81

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\The Meows Cats's song #20.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\The Meows Cats's song #20.mp3"
  2⤵
  PID:3900
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c053edbe5c6358d44c69517b532a8f6f

SHA1
429c1466e3cd450130d513d40face9d648661dfd

SHA256
4f27191786081c2e22c69c2b60a1d639f3b69a8e2657a2b4e611bf6f2eae834e

SHA512
024ece00d05ec575ea0db0f16f196c5d004ee8b219b692a4ce83bab97eabe101f57fdc2c54df7f15e7dbc8b895dc195cf3c0f22f18d9ac3bfd64a52176305edb

Download Submit