Analysis
max time kernel: 144s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2023, 15:48
Static task: static1

Behavioral tasks (Sample for every task: tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3)
behavioral1: Resource win10-20230220-en
behavioral2: Resource win7-20230220-en
behavioral3: Resource win10v2004-20230220-en
behavioral4: Resource android-x64-20220823-en
behavioral5: Resource android-x64-arm64-20220823-en
behavioral6: Resource android-x86-arm-20220823-en
behavioral7: Resource macos-20220504-en
behavioral8: Resource debian9-armhf-20221125-en
behavioral9: Resource debian9-mipsbe-en-20211208
behavioral10: Resource debian9-mipsel-20221111-en
behavioral11: Resource ubuntu1804-amd64-20221125-en
General
Target: tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3
Size: 303KB
MD5: 66851caa5218ecfe658073c888e7a235
SHA1: a60dc679151a7b9db5cc86604a6a7f844f16db2f
SHA256: a5b67d1afaec7548b1113625e4b5c3101c452aa0b295dbcc341722556341fb11
SHA512: 8e2dee6d2a110c09203b4b63c3516e554e2b2bc0ccedd1ecf89b93231937befc498e42f81ca6d90f6e46bc237f40cf59280aef598b07a97b66abe3de102a9eb7
SSDEEP: 6144:DFe/ep2Ll0GOnp8JXIDiP/FeOK+pfyLvapckLTEav/kIrkhWHjTKnb:DFe2pmjQYIsO+pfiaptEav/kSkhWPUb
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\F: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1992 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 1992 | unregmp2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1368 wrote to memory of 1832 | 1368 | wmplayer.exe | 84
PID 1368 wrote to memory of 1832 | 1368 | wmplayer.exe | 84
PID 1368 wrote to memory of 1832 | 1368 | wmplayer.exe | 84
PID 1368 wrote to memory of 3040 | 1368 | wmplayer.exe | 85
PID 1368 wrote to memory of 3040 | 1368 | wmplayer.exe | 85
PID 1368 wrote to memory of 3040 | 1368 | wmplayer.exe | 85
PID 3040 wrote to memory of 1992 | 3040 | unregmp2.exe | 86
PID 3040 wrote to memory of 1992 | 3040 | unregmp2.exe | 86
Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3"
    PID: 1368
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\tu-madre-tiene-una-p-lla-que-ya-la-quisiera-yo-by-voicemod.mp3"
        PID: 1832

    C:\Windows\SysWOW64\unregmp2.exe
        Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        PID: 3040
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\unregmp2.exe
            Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            PID: 1992
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads