a5b67d1afaec7548b1113625e4b5c3101c452aa0b295dbcc341722556341fb11

Analysis

max time kernel
144s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2023, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3
Size

303KB
MD5

66851caa5218ecfe658073c888e7a235
SHA1

a60dc679151a7b9db5cc86604a6a7f844f16db2f
SHA256

a5b67d1afaec7548b1113625e4b5c3101c452aa0b295dbcc341722556341fb11
SHA512

8e2dee6d2a110c09203b4b63c3516e554e2b2bc0ccedd1ecf89b93231937befc498e42f81ca6d90f6e46bc237f40cf59280aef598b07a97b66abe3de102a9eb7
SSDEEP

6144:DFe/ep2Ll0GOnp8JXIDiP/FeOK+pfyLvapckLTEav/kIrkhWHjTKnb:DFe2pmjQYIsO+pfiaptEav/kSkhWPUb

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1992	unregmp2.exe
Token: SeCreatePagefilePrivilege	1992	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1832	1368	wmplayer.exe	84
PID 1368 wrote to memory of 1832	1368	wmplayer.exe	84
PID 1368 wrote to memory of 1832	1368	wmplayer.exe	84
PID 1368 wrote to memory of 3040	1368	wmplayer.exe	85
PID 1368 wrote to memory of 3040	1368	wmplayer.exe	85
PID 1368 wrote to memory of 3040	1368	wmplayer.exe	85
PID 3040 wrote to memory of 1992	3040	unregmp2.exe	86
PID 3040 wrote to memory of 1992	3040	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3"
  2⤵
  PID:1832
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
dbfc662304aa4236ac6c685fdd3ee597

SHA1
bee96b9256c93a35398a8c6a341da9470c6101c2

SHA256
dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

SHA512
6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
11e1b8f1d37d2e41db7135e07a3046e8

SHA1
72744dcb0e78b94557bdbe7b93d3ae1cbc2cc550

SHA256
9a100e617773a70a36c8d2c423531ce12ad41f3711d709c38e0e79d83a6d2302

SHA512
2cea833ff727dca27c97b5c721109e9f4ac3fadd97afe3acb2fd08805976d7c7ffe42312f5d292f9a7743a7c590958d8f87fc561437fd156ad0766b41c1f83a9

Download Submit