550321da5b10c472bc719bca2c0df74b240f80eff828079eb5253598fe112ae3

Analysis

max time kernel
256s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sa-mp-0.3.7-R5-1-install.exe
Size

14.8MB
MD5

f7874cc8637e5ddb98b07ed40a24de58
SHA1

0a9eac60f516a8661b5b2ae9f1d5d798ee7fecef
SHA256

550321da5b10c472bc719bca2c0df74b240f80eff828079eb5253598fe112ae3
SHA512

c0e2078d8bd1d6aeb8d6cc77ea935e41fb31c271f6503a3625d2bcbebf9a8b142a1d7856816381fb4be79a45e1ea6dbe8cdb8efa027f29c32faf52794c49f2b1
SSDEEP

393216:suNmflaNtY7G8t+LdFyBV9DVimtbA9yRbABehQtAuGuSwcBk:3NklUt3Nd2VvimtbeGbbhQtWBk

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	556	svchost.exe
Token: SeShutdownPrivilege	4952	unregmp2.exe
Token: SeCreatePagefilePrivilege	4952	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 1144	4132	wmplayer.exe	99
PID 4132 wrote to memory of 1144	4132	wmplayer.exe	99
PID 4132 wrote to memory of 1144	4132	wmplayer.exe	99
PID 4132 wrote to memory of 2060	4132	wmplayer.exe	100
PID 4132 wrote to memory of 2060	4132	wmplayer.exe	100
PID 4132 wrote to memory of 2060	4132	wmplayer.exe	100
PID 2060 wrote to memory of 4952	2060	unregmp2.exe	101
PID 2060 wrote to memory of 4952	2060	unregmp2.exe	101

C:\Users\Admin\AppData\Local\Temp\sa-mp-0.3.7-R5-1-install.exe
"C:\Users\Admin\AppData\Local\Temp\sa-mp-0.3.7-R5-1-install.exe"
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:1144
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
d08262373fb3d7edb06680d281edd860

SHA1
4c49264a111007e444f36ee3752d34a85200295e

SHA256
e16be985f89ad36d5a0cf4b05691cc91254dcec36c1c57fcb80fb9bd8b3b5161

SHA512
d860bda2ef8a3dfdf1f46473d0e64a9cf7afebcf99642bf09f4317dd78e5a5e34fffb3a75053553aa4b769d9f623c60074c5570cf9de65380519085aad00f4e7

Download Submit
memory/556-133-0x00000250DDDA0000-0x00000250DDDB0000-memory.dmp

Filesize
64KB

Download
memory/556-132-0x00000250DDCA0000-0x00000250DDCB0000-memory.dmp

Filesize
64KB

Download