26084484651332f81546ae5bbcaaa3048ce621074a6bd81eae1e65622f2d6b1c

Analysis

max time kernel
61s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2023, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jskqdhkqsjndbhkjsqhd.mp4
Size

66.8MB
MD5

6215e191bd6a6cb1f29d8b0bec90e04e
SHA1

a531d582c4f73e4629903bfc21729c00754c93b9
SHA256

26084484651332f81546ae5bbcaaa3048ce621074a6bd81eae1e65622f2d6b1c
SHA512

7160247c42968edb9fcd19dc54dbcfdbe370b09fa30e24287798a9cb7cac24b5339d3204e7922b3257c10a12d13872c89cfd05c4304cb74ff62a57e16f47a725
SSDEEP

1572864:21/2yZWJJDDfc7xokcxPHQ2Ld9yuFe4BbF/df6:21+yZWLDbca//zdYuFeW1S

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3000	unregmp2.exe
Token: SeCreatePagefilePrivilege	3000	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4216	452	wmplayer.exe	82
PID 452 wrote to memory of 4216	452	wmplayer.exe	82
PID 452 wrote to memory of 4216	452	wmplayer.exe	82
PID 452 wrote to memory of 1280	452	wmplayer.exe	83
PID 452 wrote to memory of 1280	452	wmplayer.exe	83
PID 452 wrote to memory of 1280	452	wmplayer.exe	83
PID 1280 wrote to memory of 3000	1280	unregmp2.exe	84
PID 1280 wrote to memory of 3000	1280	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\jskqdhkqsjndbhkjsqhd.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\jskqdhkqsjndbhkjsqhd.mp4"
  2⤵
  PID:4216
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
9c481a94abc7eee23cd5234262e60077

SHA1
2873225e708fb5461ac60c3613fe12112423f0f0

SHA256
681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061

SHA512
0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
f03e3904a8ab5b444bf661c9a6310a61

SHA1
afb205b6f6d69189de54890a2dc04955fada524a

SHA256
eac8d455dad666390ebf0524ad8bc98dd4b7cd0c1d4f639d8709491bd84579d2

SHA512
6a41d8f3d5171dc3b824ed61feba1dde5cfa79669a23e95ad9ee8c834055b3e6e7d66ad97fab78a0c849f86de37bae8645584ed13aecbd764a964ae3a188ef26

Download Submit