2b4d86ab2e1b54b3420465f9de3421dddccdd7a49ad4e8fd073f8532e45db5ed

Analysis

max time kernel
120s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chica Videos/mission.wmv
Size

6.0MB
MD5

5a917f31fa376e0ab578427daf32a367
SHA1

bc8dd1afb222d35c45d76ebcb46b8a742a6f0a3c
SHA256

07c4da6afc3ef02ed822beafaa316c52ea6eb034a99e70a56cf3932c669fe984
SHA512

58dd3ddeea9c5cc179282fe0027a9e399e547632b5677af488741cd2e87374a0dfad0d001565ce9c8009a4e8912c1701baa203dab857422658c7fca7f95a497a
SSDEEP

98304:JTyCv1lkb7rI2u4sHj6Gx6fBnJJSqWkpAsmt90DxDU09mTjmKaqm5oZawHLDJjl3:H9lUq6rxfSqB6bt90NfUTgqm5ocw1WIn

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4456	unregmp2.exe
Token: SeCreatePagefilePrivilege	4456	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4584	4892	wmplayer.exe	85
PID 4892 wrote to memory of 4584	4892	wmplayer.exe	85
PID 4892 wrote to memory of 4584	4892	wmplayer.exe	85
PID 4892 wrote to memory of 4944	4892	wmplayer.exe	86
PID 4892 wrote to memory of 4944	4892	wmplayer.exe	86
PID 4892 wrote to memory of 4944	4892	wmplayer.exe	86
PID 4944 wrote to memory of 4456	4944	unregmp2.exe	87
PID 4944 wrote to memory of 4456	4944	unregmp2.exe	87

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\Chica Videos\mission.wmv"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\Chica Videos\mission.wmv"
  2⤵
  PID:4584
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
dbfc662304aa4236ac6c685fdd3ee597

SHA1
bee96b9256c93a35398a8c6a341da9470c6101c2

SHA256
dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

SHA512
6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
50c9b15c9ebafe1f74b472355ac8a1ae

SHA1
cba9755990a6ca52cb82f28aa48af081b16365d9

SHA256
817aa23b70ecaef9d078fdf15182b1e42cec29262462a924489f3299a82c60cf

SHA512
149eebe753bfb8972337ca01582cb501a2715ea9ec2787c8bb42e652e0ed13ccba7d9b42e8d0e620419c2c45991bb98e1510215fc64a8d5e28fc012bf8136bdf

Download Submit