58e9508e363895165bee8892c9fde2c1048d2e000c44fd4bc2be739a37adfb92

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2023, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V3.1 - Copy/Intro.wav
Size

1.7MB
MD5

dc28d546b643c5a33c292ae32d7cf43b
SHA1

b1f891265914eea6926df765bce0f73f8d9d6741
SHA256

20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851
SHA512

9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56
SSDEEP

49152:a9ryN00SMMhAAtPU6elXXBjSdCEiV5Chuw4Osgplu:O30SnhAAtPTelHB7EiVfO7s

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1696	unregmp2.exe
Token: SeCreatePagefilePrivilege	1696	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 5064	4548	wmplayer.exe	80
PID 4548 wrote to memory of 5064	4548	wmplayer.exe	80
PID 4548 wrote to memory of 5064	4548	wmplayer.exe	80
PID 4548 wrote to memory of 4132	4548	wmplayer.exe	81
PID 4548 wrote to memory of 4132	4548	wmplayer.exe	81
PID 4548 wrote to memory of 4132	4548	wmplayer.exe	81
PID 4132 wrote to memory of 1696	4132	unregmp2.exe	82
PID 4132 wrote to memory of 1696	4132	unregmp2.exe	82

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1 - Copy\Intro.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1 - Copy\Intro.wav"
  2⤵
  PID:5064
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c9c84fc0fa14bb768e0dd81f9c2d7f22

SHA1
14c85fdcd4f487afaf40e9f0b8a3e4af3d342756

SHA256
d16f832302cb21cc5f1c82c27688012411b1cc61b90ffc76e65e2bb4812089e7

SHA512
b733d2899694bc7d7354a8f5d69caeb913ddd50e6cd09a741f77500fbb9e8185da5d51150aa568299e926bdff07b0e41ebcd51e7a989483d1f9448f7773b2316

Download Submit