52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56

max time kernel
1790s
max time network
1590s
platform
windows10-1703_x64
resource
win10-20230220-ja
resource tags

arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
25-02-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4592 4948 WerFault.exe imebroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unregmp2.exe

description pid process

Token: SeShutdownPrivilege 3784 unregmp2.exe
Token: SeCreatePagefilePrivilege 3784 unregmp2.exe

pid	pid_target	process	target process
4592	4948	WerFault.exe	imebroker.exe

description	pid	process
Token: SeShutdownPrivilege	3784	unregmp2.exe
Token: SeCreatePagefilePrivilege	3784	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 1504 wrote to memory of 1284	1504	wmplayer.exe	setup_wm.exe
PID 1504 wrote to memory of 1284	1504	wmplayer.exe	setup_wm.exe
PID 1504 wrote to memory of 1284	1504	wmplayer.exe	setup_wm.exe
PID 1504 wrote to memory of 1280	1504	wmplayer.exe	unregmp2.exe
PID 1504 wrote to memory of 1280	1504	wmplayer.exe	unregmp2.exe
PID 1504 wrote to memory of 1280	1504	wmplayer.exe	unregmp2.exe
PID 1280 wrote to memory of 3784	1280	unregmp2.exe	unregmp2.exe
PID 1280 wrote to memory of 3784	1280	unregmp2.exe	unregmp2.exe

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:4304

C:\Windows\System32\IME\SHARED\imebroker.exe
C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
1⤵
PID:4948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4948 -s 1008
  2⤵
  - Program crash
  PID:4592

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:1284
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3784

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\4169b16a80de4bb288058e2299e5199f /t 1300 /p 1284
1⤵
PID:4916

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\61e77bf9c510430099f007705a8ed3ce /t 2796 /p 3760
1⤵
PID:4032

C:\Windows\System32\IME\IMEJP\imjpdct.exe
"C:\Windows\System32\IME\IMEJP\\imjpdct.exe" /backup create C:\Users\Admin\AppData\Roaming\Microsoft\IME\15.0\IMEJP\UserDict\imjp15cu.dic
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
f48244a254420143a2d875a94ceef49a

SHA1
80f719c6558efe17a4577b4281b5db9d2fc626e3

SHA256
637a05c47ee6e09297575104092182b00b0296c74d9c8559e4ea2bfe2dd2979a

SHA512
e182c4dc269658d82fec0e7a3f457a894823ab414d3a8c861e0ea08dcfc28de16eba24c911d04b4635fd73d70b0746f7ddb769e24baf870d606b466a50550b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRNCE2A.tmp

Filesize
36KB

MD5
c26f3801d1d6865a68cf1ef846dfae01

SHA1
0299d7d1f35a26ed8cf18bd9eafe2d94a7c8cc00

SHA256
c3ab66e4c960d9c15ba844cf8a1466b5898ac661a4eeffbc411be9fc24bcf97e

SHA512
388c6ccb3fcd733c476bfc529a5d180f21a41185ad9576f9f720e83c0b23692a773c94acd19105cab874846d8282a3d73ce01610b0008ae29ad9e536b1b347cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRNF53B.tmp

Filesize
36KB

MD5
760de790fc5ae6e1cb626c91cdce7b1e

SHA1
370c4ffea8232982240e1577eb00ca4ff237f168

SHA256
1eb23e653f57f093d0f5b2f8bc599b412358fcc0556b7fdbc694c995e9da47f1

SHA512
ce189588a45d3ae96ef1819529286ca26e70aab406cffb329c3ac2f7985a08ce1a4fa6d2d567e12ee7e545bcd73415e850973f4cb033d89813a5f86dc4330c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
fe3f871d45229aa23cf2a9dc1b1c6521

SHA1
c799ba768564e8c110c6e7337eaaeb10bb40b089

SHA256
8592aec843136ba6316ffcd29f1a0ed2a279fca6c32df456fd05177c87d10b9d

SHA512
3e8c1c4486f6be2553851264a86328314a3c6e5654d2ea477ace706168f6de70a65bcae2b1ab3f0c03ee09aaeeed9f76db5ceba19c246519e11702db1c616748

Download Submit
memory/4304-150-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download