fce8ee83d63180bb2771d91ca367cc662b464cd0c86540878fcea26cf09c88c9

Analysis

max time kernel
147s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

umieramdajciepiniondze.mp3
Size

641KB
MD5

fcd7217dc91088d0828e192530f8aba9
SHA1

73132f9c845ae3383bbc385ce8a4ebf7430f924c
SHA256

fce8ee83d63180bb2771d91ca367cc662b464cd0c86540878fcea26cf09c88c9
SHA512

7440b6929de845ef5c681d5234d2afb73bf11fc0f2727cfb947467dc1adb365b7d872d2d5b03165d93f37b4780793d2fd716c16a51460882be20721084c08677
SSDEEP

12288:RJi/DIn6RQOeDDXEAcHlO99RbDHeJKAaDCC+Dyzbcc/dZk152h7PX:bihRloj8lOOKbv+gt

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3084	unregmp2.exe
Token: SeCreatePagefilePrivilege	3084	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2672	2088	wmplayer.exe	86
PID 2088 wrote to memory of 2672	2088	wmplayer.exe	86
PID 2088 wrote to memory of 2672	2088	wmplayer.exe	86
PID 2088 wrote to memory of 372	2088	wmplayer.exe	87
PID 2088 wrote to memory of 372	2088	wmplayer.exe	87
PID 2088 wrote to memory of 372	2088	wmplayer.exe	87
PID 372 wrote to memory of 3084	372	unregmp2.exe	88
PID 372 wrote to memory of 3084	372	unregmp2.exe	88

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\umieramdajciepiniondze.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\umieramdajciepiniondze.mp3"
  2⤵
  PID:2672
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
2936527c6171be1065c6012a3e8ffddd

SHA1
9273557d3cfc6987eac30802569e9d2579d7d4a4

SHA256
e341ab7fd265205d2477cb5234a6c3d35911d7ebb17139b585b55eb7def237e0

SHA512
a83203b4696232299c70ff0f7ae292964417b0636d278544fd252a41e6ab3b5c749e836d83d7b22bc52d56dc069bb8caa0ebf5634b32e3acae7afc87c1215e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7e3ff1a2fa60358229db3b2dde65ff71

SHA1
11ec46a43a2bc8d17c4fb2e978c92209520417da

SHA256
661c2f97d2db2a68921ff8607328af95cab6521ce909211973d2ca0eb1281998

SHA512
49e7c4879c87f4d835c8f13423903c42a741b1ed6e85218999d6b7bfff7ed3cca9cf51c7a78700d70e979b5e5773dbc6597de08bcc4b2731ce1ff3811c94269e

Download Submit