9f56bd24998c7293eecc3e61e8f163d652915f42aad381a6eb7cd46fd41fb5a6

Analysis

max time kernel
137s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2023, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

audio.mp3
Size

205KB
MD5

1af60121c162f0a2a83c578069e7478a
SHA1

6c76601127ec87d45c75f7ab95ccf0f6a5b0f496
SHA256

9f56bd24998c7293eecc3e61e8f163d652915f42aad381a6eb7cd46fd41fb5a6
SHA512

905e6f3e3ee9b898f4b29032856302a78be84133c104ac02c0c962ee70ffffa90cd46a0648b0585d8ebc22157e98705923c132791ba2503cd4cb9e792fc1a24e
SSDEEP

3072:uwOM4tlS0JDZEBYHnGrhP0w5AxTs68XaOHrQz/a6+tPyadpXVYy:TOPRDZfGtP02A5sTKli6+tPp8y

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2216	unregmp2.exe
Token: SeCreatePagefilePrivilege	2216	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2200	644	wmplayer.exe	84
PID 644 wrote to memory of 2200	644	wmplayer.exe	84
PID 644 wrote to memory of 2200	644	wmplayer.exe	84
PID 644 wrote to memory of 1536	644	wmplayer.exe	85
PID 644 wrote to memory of 1536	644	wmplayer.exe	85
PID 644 wrote to memory of 1536	644	wmplayer.exe	85
PID 1536 wrote to memory of 2216	1536	unregmp2.exe	86
PID 1536 wrote to memory of 2216	1536	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\audio.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\audio.mp3"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
3b511a53742151cfa0d6b0b1348674d6

SHA1
2ca3347973cd7b56c0d9387fa1810d4c117a9de0

SHA256
fb298910eedecfefe8eaf4b9ed5f400cd59f630cb2c4013f5828f477a9db37a6

SHA512
9b1b6d00bee353ab192f6ca6842275e9ab5e8dd07bb4e71edf5aec50fcff126e6134e4f895f2799cdfde37e0d6492375a505740d1bb3751798467fcbca7b887f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
daa7e1add830707f08154925a7be3fee

SHA1
92c42065c48b81071b8aeff84e349532f7030a07

SHA256
cbb94f050d35e2b881a36914de0a0baf54c132e94c3a977db8d74f9348a687bf

SHA512
8ab5e9987501d285ad78b72155e55fe9b35b4d3abdb4a5d85197a80760df982b3119ae962caa8709cec5e16727b88f106ab225c973a9bc5f99d3cf488781d295

Download Submit