2b4d86ab2e1b54b3420465f9de3421dddccdd7a49ad4e8fd073f8532e45db5ed

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 22:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Chica Videos/cum.wmv
Size

7.2MB
MD5

77f4633e6d8ff92137a8ee1be2b0bec3
SHA1

9911059d3f404d88a1d7e7c46e53f4b0ced85875
SHA256

80b78f9b8e39fb1feed971981d15a0356969fd496292da9b97edb016eb177057
SHA512

05989659a02b41915b0e91757d7ae6737b5cfb0e72224131a30ce8353daa64367b9b00d5c05cb617d3b485ba19fbafba611145f7829da7ce7d21dd470fc69905
SSDEEP

98304:MDwhnZVkVCNdClQZJUemtcnfQee0EhysfIU3Q+0cWrCdt/ub379p7ywAfL4hDIze:einZVtaQTrmWfQUZEn3rdpgLJowIewJG

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	unregmp2.exe
Token: SeCreatePagefilePrivilege	1528	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2172	640	wmplayer.exe	86
PID 640 wrote to memory of 2172	640	wmplayer.exe	86
PID 640 wrote to memory of 2172	640	wmplayer.exe	86
PID 640 wrote to memory of 2116	640	wmplayer.exe	87
PID 640 wrote to memory of 2116	640	wmplayer.exe	87
PID 640 wrote to memory of 2116	640	wmplayer.exe	87
PID 2116 wrote to memory of 1528	2116	unregmp2.exe	88
PID 2116 wrote to memory of 1528	2116	unregmp2.exe	88

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\Chica Videos\cum.wmv"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\Chica Videos\cum.wmv"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
ab57d6576bac817e24e09b125a2fc42f

SHA1
0fbec340b8ec1256b89d115f2598853a281312ba

SHA256
1f85be4464de03096c5272ec692fb71cd9f0f6ac485c4f47a984513b3990c5ac

SHA512
d3d1077369971f56eae10b2737552e93658df660fa06b627606c2ee5c8cbff2d0247401ff259d95ce1bc6757e79d869a7acc3bbcf1eadc1a1eaafc9be4d17faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3a6c5535317131dea17df8826d76e05d

SHA1
d607d474a2f732fbbd31598fce9e7877c3fbb6b3

SHA256
f47ee70f73116d1d2ede22a2c1af894cff80938031ad9c157b5626c47dd36178

SHA512
d72b1b7a91079d6f8861caf526d959ff740e4240172670913dc9c72cc05623659bccdbedfd358c2fc6a747317ff0bcc9ff24a6b614a97d7e32a79b0c8e480f0c

Download Submit