cc2dcb15239fa588530a6915ea70b89b07db978720c0f8687330ca6367292f03

Analysis

max time kernel
82s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
27/12/2022, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e8f96bf2ef18a3c9374d87f970457fb5926dc8ab71056cad86202c0cb02798e.mp4
Size

125.2MB
MD5

5b617b3142235c213c791fd69a0afca2
SHA1

8c95d588f40ed83054a93ff3815de08631d6fe00
SHA256

cc2dcb15239fa588530a6915ea70b89b07db978720c0f8687330ca6367292f03
SHA512

89f08b472b171ba1738743190b00187f70705d1497fb8a736f8444710bb62906bb0a9ddea6758d04baedff2f96a464a2737871935cc33b6e9209520a9c0425e4
SSDEEP

3145728:wXc4Sh+bBronHuvdb+zm850Dn+j0sULufevgyi:Ox5donHuv4zQqj5ULumvgyi

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	unregmp2.exe
Token: SeCreatePagefilePrivilege	3408	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4468	4700	wmplayer.exe	81
PID 4700 wrote to memory of 4468	4700	wmplayer.exe	81
PID 4700 wrote to memory of 4468	4700	wmplayer.exe	81
PID 4700 wrote to memory of 4940	4700	wmplayer.exe	82
PID 4700 wrote to memory of 4940	4700	wmplayer.exe	82
PID 4700 wrote to memory of 4940	4700	wmplayer.exe	82
PID 4940 wrote to memory of 3408	4940	unregmp2.exe	83
PID 4940 wrote to memory of 3408	4940	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\0e8f96bf2ef18a3c9374d87f970457fb5926dc8ab71056cad86202c0cb02798e.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\0e8f96bf2ef18a3c9374d87f970457fb5926dc8ab71056cad86202c0cb02798e.mp4"
  2⤵
  PID:4468
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
f025e64c6033ba5bb5ce152bcbd056f8

SHA1
3971d8704a7281f5850f5654e411d329e9258f8a

SHA256
831ce19dc2cd92e408ce2995995c345b1b7b6bacd3fe5e6248e43e81ce819f4f

SHA512
0b30522fa1edf1fc9b4c62b3cabd332acea9570a5161aa531995b1cd6b3f062ad2c621048d60965af142a11a96713ffb1eec012c438e913196ff46e9fc25e3f6

Download Submit