da5a92c0a1097036f0ede7df576fa43ff2f433d0fe5c1ff53b2862bfd55fb0e6

Analysis

max time kernel
71s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y2mate.com - Two Good Happy Moment Extended Version_320kbps.mp3
Size

12.5MB
MD5

e75865a6a38f862d545a4bacebaa08cf
SHA1

a2b7776274b545e54c299a2cad7107af81f7bc1b
SHA256

da5a92c0a1097036f0ede7df576fa43ff2f433d0fe5c1ff53b2862bfd55fb0e6
SHA512

cf9622ed09920f5a9a3bfb8d756628ddcc907ae3fb43cf3899120991cc428bd1e5ccd5a8a12dfc89c7cb872af33cbe9c1deb1e3ac3276f9d1adbecffaa8a4541
SSDEEP

196608:8sHPcXwV+Gp4wPr4G4kjZHe8BSeI1z6q7fVYCr/V0ouLIob/zmm+T:8yPck1jZAdz6q7fTbV0oI/q

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1840	unregmp2.exe
Token: SeCreatePagefilePrivilege	1840	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2036	5000	wmplayer.exe	83
PID 5000 wrote to memory of 2036	5000	wmplayer.exe	83
PID 5000 wrote to memory of 2036	5000	wmplayer.exe	83
PID 5000 wrote to memory of 4052	5000	wmplayer.exe	84
PID 5000 wrote to memory of 4052	5000	wmplayer.exe	84
PID 5000 wrote to memory of 4052	5000	wmplayer.exe	84
PID 4052 wrote to memory of 1840	4052	unregmp2.exe	86
PID 4052 wrote to memory of 1840	4052	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\y2mate.com - Two Good Happy Moment Extended Version_320kbps.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\y2mate.com - Two Good Happy Moment Extended Version_320kbps.mp3"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
96d393165359531c2c4f2cadc54c87cb

SHA1
4ad5675ce2a98fcf9d5b98d972fcd545378e4307

SHA256
d9f8a305cfc29e4d52751168bf7b002cab297d631ea64a85b47e3705d9769047

SHA512
8344987512b1d98daa78e9fcac536ea3e3e19b1f9d5017e85b246ade0999be9361165d5dce63e4b15ee199fadfd96bee3b490e487d1cb19701834f18a150983d

Download Submit
memory/1840-134-0x0000000000000000-mapping.dmp

Download
memory/2036-132-0x0000000000000000-mapping.dmp

Download
memory/4052-133-0x0000000000000000-mapping.dmp

Download