Resubmissions
submitted          task id             score
07-07-2023 19:28   230707-x6vx7aah77   10
09-05-2023 07:16   230509-h34zcsgf4w   8
27-03-2023 11:00   230327-m3yjssdb46   10
25-03-2023 07:43   230325-jkn1vsdh4z   8
25-02-2023 11:28   230225-nldnqsda92   10
25-02-2023 11:28   230225-nk69nada89   1
25-02-2023 11:24   230225-nh4qrada83   10
15-01-2023 04:46   230115-fd3c5aab55   10
06-12-2022 18:59   221206-xm59taea79   10

Analysis
- max time kernel: 1790s
- max time network: 1590s
- platform: windows10-1703_x64
- resource: win10-20230220-ja
- resource tags: arch:x64, arch:x86, image:win10-20230220-ja, locale:ja-jp, os:windows10-1703-x64, system:windows
- submitted: 25-02-2023 11:28
Static task: static1
Behavioral task: behavioral1 (sample: fucker script.exe, resource: win7-20230220-ja)
Behavioral task: behavioral2 (sample: fucker script.exe, resource: win10-20230220-ja)
Behavioral task: behavioral3 (sample: fucker script.exe, resource: win10v2004-20230220-ja)
General
- Target: fucker script.exe
- Size: 104KB
- MD5: db0655efbe0dbdef1df06207f5cb5b5b
- SHA1: a8d48d5c0042ce359178d018c0873e8a7c2f27e8
- SHA256: 52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
- SHA512: 5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
- SSDEEP: 1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); process: unregmp2.exe; iocs (in reported order):
  \??\N:, \??\T:, \??\U:, \??\Y:, \??\K:, \??\E:, \??\G:, \??\L:, \??\X:, \??\B:, \??\H:, \??\O:,
  \??\Q:, \??\S:, \??\W:, \??\Z:, \??\F:, \??\I:, \??\J:, \??\M:, \??\P:, \??\R:, \??\V:, \??\A:
- Program crash (1 IoC)
  pid 4592, pid_target 4948, process WerFault.exe, procid_target 67
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege, pid 3784, process unregmp2.exe
  Token: SeCreatePagefilePrivilege, pid 3784, process unregmp2.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | procid_target
  PID 1504 wrote to memory of 1284 | 1504 | wmplayer.exe | 70
  PID 1504 wrote to memory of 1284 | 1504 | wmplayer.exe | 70
  PID 1504 wrote to memory of 1284 | 1504 | wmplayer.exe | 70
  PID 1504 wrote to memory of 1280 | 1504 | wmplayer.exe | 71
  PID 1504 wrote to memory of 1280 | 1504 | wmplayer.exe | 71
  PID 1504 wrote to memory of 1280 | 1504 | wmplayer.exe | 71
  PID 1280 wrote to memory of 3784 | 1280 | unregmp2.exe | 72
  PID 1280 wrote to memory of 3784 | 1280 | unregmp2.exe | 72
Processes
- C:\Users\Admin\AppData\Local\Temp\fucker script.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
  PID: 4304
- C:\Windows\System32\IME\SHARED\imebroker.exe
  command line: C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
  PID: 4948
  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 4948 -s 1008
    signatures: Program crash
    PID: 4592
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  signatures: Suspicious use of WriteProcessMemory
  PID: 1504
  - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    PID: 1284
  - C:\Windows\SysWOW64\unregmp2.exe
    command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    signatures: Suspicious use of WriteProcessMemory
    PID: 1280
    - C:\Windows\System32\unregmp2.exe
      command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
      PID: 3784
- C:\Windows\SysWOW64\werfault.exe
  command line: werfault.exe /h /shared Global\4169b16a80de4bb288058e2299e5199f /t 1300 /p 1284
  PID: 4916
- C:\Windows\system32\werfault.exe
  command line: werfault.exe /h /shared Global\61e77bf9c510430099f007705a8ed3ce /t 2796 /p 3760
  PID: 4032
- C:\Windows\System32\IME\IMEJP\imjpdct.exe
  command line: "C:\Windows\System32\IME\IMEJP\\imjpdct.exe" /backup create C:\Users\Admin\AppData\Roaming\Microsoft\IME\15.0\IMEJP\UserDict\imjp15cu.dic
  PID: 704
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 256KB
  MD5: f48244a254420143a2d875a94ceef49a
  SHA1: 80f719c6558efe17a4577b4281b5db9d2fc626e3
  SHA256: 637a05c47ee6e09297575104092182b00b0296c74d9c8559e4ea2bfe2dd2979a
  SHA512: e182c4dc269658d82fec0e7a3f457a894823ab414d3a8c861e0ea08dcfc28de16eba24c911d04b4635fd73d70b0746f7ddb769e24baf870d606b466a50550b2c
- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- Filesize: 36KB
  MD5: c26f3801d1d6865a68cf1ef846dfae01
  SHA1: 0299d7d1f35a26ed8cf18bd9eafe2d94a7c8cc00
  SHA256: c3ab66e4c960d9c15ba844cf8a1466b5898ac661a4eeffbc411be9fc24bcf97e
  SHA512: 388c6ccb3fcd733c476bfc529a5d180f21a41185ad9576f9f720e83c0b23692a773c94acd19105cab874846d8282a3d73ce01610b0008ae29ad9e536b1b347cc
- Filesize: 36KB
  MD5: 760de790fc5ae6e1cb626c91cdce7b1e
  SHA1: 370c4ffea8232982240e1577eb00ca4ff237f168
  SHA256: 1eb23e653f57f093d0f5b2f8bc599b412358fcc0556b7fdbc694c995e9da47f1
  SHA512: ce189588a45d3ae96ef1819529286ca26e70aab406cffb329c3ac2f7985a08ce1a4fa6d2d567e12ee7e545bcd73415e850973f4cb033d89813a5f86dc4330c06
- Filesize: 1KB
  MD5: fe3f871d45229aa23cf2a9dc1b1c6521
  SHA1: c799ba768564e8c110c6e7337eaaeb10bb40b089
  SHA256: 8592aec843136ba6316ffcd29f1a0ed2a279fca6c32df456fd05177c87d10b9d
  SHA512: 3e8c1c4486f6be2553851264a86328314a3c6e5654d2ea477ace706168f6de70a65bcae2b1ab3f0c03ee09aaeeed9f76db5ceba19c246519e11702db1c616748