Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2023, 15:48

General

  • Target

    tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3

  • Size

    303KB

  • MD5

    66851caa5218ecfe658073c888e7a235

  • SHA1

    a60dc679151a7b9db5cc86604a6a7f844f16db2f

  • SHA256

    a5b67d1afaec7548b1113625e4b5c3101c452aa0b295dbcc341722556341fb11

  • SHA512

    8e2dee6d2a110c09203b4b63c3516e554e2b2bc0ccedd1ecf89b93231937befc498e42f81ca6d90f6e46bc237f40cf59280aef598b07a97b66abe3de102a9eb7

  • SSDEEP

    6144:DFe/ep2Ll0GOnp8JXIDiP/FeOK+pfyLvapckLTEav/kIrkhWHjTKnb:DFe2pmjQYIsO+pfiaptEav/kSkhWPUb

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3"
      2⤵
        PID:1832
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:1992

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

      Filesize

      64KB

      MD5

      dbfc662304aa4236ac6c685fdd3ee597

      SHA1

      bee96b9256c93a35398a8c6a341da9470c6101c2

      SHA256

      dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

      SHA512

      6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

      Filesize

      1KB

      MD5

      11e1b8f1d37d2e41db7135e07a3046e8

      SHA1

      72744dcb0e78b94557bdbe7b93d3ae1cbc2cc550

      SHA256

      9a100e617773a70a36c8d2c423531ce12ad41f3711d709c38e0e79d83a6d2302

      SHA512

      2cea833ff727dca27c97b5c721109e9f4ac3fadd97afe3acb2fd08805976d7c7ffe42312f5d292f9a7743a7c590958d8f87fc561437fd156ad0766b41c1f83a9