6465ecaa6c7316a0640897cd3ac75a3cb01e2b9fbf039262ba1fb3d352cd6d10

Resubmissions

04/02/2023, 07:39

230204-jgz9qacg89 6

Analysis

max time kernel
101s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2023, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WhatsApp Video 2023-02-04 at 00.50.39.mp4
Size

5.5MB
MD5

ae7a1e58054d61d02d3a690c8e36e835
SHA1

2a144fbcd7bb525913c2637f15da589ea1006eee
SHA256

6465ecaa6c7316a0640897cd3ac75a3cb01e2b9fbf039262ba1fb3d352cd6d10
SHA512

b61eb5ca6af3b772fb83948699ce13f6853a58ff428ab1c67cbad7f61797611d72f55c76f912ac92a4944e3283c23d9fbc16722c7a5361564a6d5a086c1a8c7e
SSDEEP

98304:YPAftABLDdKapUuUIopDx9SErGerzKcA3V2aKmm6m/bRWB2QI4p69gbJcBJ:nCcapsIsnhrJzywaxJKgfhp/af

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1336	unregmp2.exe
Token: SeCreatePagefilePrivilege	1336	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2036	5072	wmplayer.exe	82
PID 5072 wrote to memory of 2036	5072	wmplayer.exe	82
PID 5072 wrote to memory of 2036	5072	wmplayer.exe	82
PID 5072 wrote to memory of 4052	5072	wmplayer.exe	83
PID 5072 wrote to memory of 4052	5072	wmplayer.exe	83
PID 5072 wrote to memory of 4052	5072	wmplayer.exe	83
PID 4052 wrote to memory of 1336	4052	unregmp2.exe	84
PID 4052 wrote to memory of 1336	4052	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\WhatsApp Video 2023-02-04 at 00.50.39.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\WhatsApp Video 2023-02-04 at 00.50.39.mp4"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c173ac3dc5fb04920ab0d1662427470b

SHA1
012a4ce9edd712eb4e77117dec6c66cbf01a12d0

SHA256
b5e7a792e1ca7413595c377da3493fad5895655e941e05746f27c9d353cb07fa

SHA512
4459b5d40c667a3accc4d2078b8b95dc68391ed7930f48aa2164b23ecb3003cff54e12f7fb7b262d6cc6648ba2bb6470bbcfab7fb43f631f7d414b32b35dbc2c

Download Submit