Overview
overview
7Static
static
1Betflix-4....m).apk
android-9-x86
7Betflix-4....m).apk
android-11-x64
7CaviarDreams.ttf
windows7-x64
3CaviarDreams.ttf
windows10-2004-x64
7Pacifico.ttf
windows7-x64
3Pacifico.ttf
windows10-2004-x64
7Sansation-Regular.ttf
windows7-x64
3Sansation-Regular.ttf
windows10-2004-x64
7Walkway_Bold.ttf
windows7-x64
3Walkway_Bold.ttf
windows10-2004-x64
7audience_network.dex
windows7-x64
3audience_network.dex
windows10-2004-x64
3crear_tran...n.html
windows7-x64
1crear_tran...n.html
windows10-2004-x64
1sound2.wav
windows7-x64
1sound2.wav
windows10-2004-x64
6sound3.wav
windows7-x64
1sound3.wav
windows10-2004-x64
6sound4.wav
windows7-x64
1sound4.wav
windows10-2004-x64
6sound5.wav
windows7-x64
1sound5.wav
windows10-2004-x64
6sound_out2.wav
windows7-x64
1sound_out2.wav
windows10-2004-x64
6sound_out3.wav
windows7-x64
1sound_out3.wav
windows10-2004-x64
6sound_out4.wav
windows7-x64
1sound_out4.wav
windows10-2004-x64
6sound_out5.wav
windows7-x64
1sound_out5.wav
windows10-2004-x64
6Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
09-06-2023 18:41
Static task
static1
Behavioral task
behavioral1
Sample
Betflix-4.2(betflixapk.com).apk
Resource
android-x86-arm-20220823-en
Behavioral task
behavioral2
Sample
Betflix-4.2(betflixapk.com).apk
Resource
android-x64-arm64-20220823-en
Behavioral task
behavioral3
Sample
CaviarDreams.ttf
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
CaviarDreams.ttf
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
Pacifico.ttf
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
Pacifico.ttf
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
Sansation-Regular.ttf
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
Sansation-Regular.ttf
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
Walkway_Bold.ttf
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
Walkway_Bold.ttf
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
audience_network.dex
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
audience_network.dex
Resource
win10v2004-20230220-en
Behavioral task
behavioral13
Sample
crear_transaction.html
Resource
win7-20230220-en
Behavioral task
behavioral14
Sample
crear_transaction.html
Resource
win10v2004-20230220-en
Behavioral task
behavioral15
Sample
sound2.wav
Resource
win7-20230220-en
Behavioral task
behavioral16
Sample
sound2.wav
Resource
win10v2004-20230221-en
Behavioral task
behavioral17
Sample
sound3.wav
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
sound3.wav
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
sound4.wav
Resource
win7-20230220-en
Behavioral task
behavioral20
Sample
sound4.wav
Resource
win10v2004-20230220-en
Behavioral task
behavioral21
Sample
sound5.wav
Resource
win7-20230220-en
Behavioral task
behavioral22
Sample
sound5.wav
Resource
win10v2004-20230220-en
Behavioral task
behavioral23
Sample
sound_out2.wav
Resource
win7-20230220-en
Behavioral task
behavioral24
Sample
sound_out2.wav
Resource
win10v2004-20230220-en
Behavioral task
behavioral25
Sample
sound_out3.wav
Resource
win7-20230220-en
Behavioral task
behavioral26
Sample
sound_out3.wav
Resource
win10v2004-20230220-en
Behavioral task
behavioral27
Sample
sound_out4.wav
Resource
win7-20230220-en
Behavioral task
behavioral28
Sample
sound_out4.wav
Resource
win10v2004-20230220-en
Behavioral task
behavioral29
Sample
sound_out5.wav
Resource
win7-20230220-en
Behavioral task
behavioral30
Sample
sound_out5.wav
Resource
win10v2004-20230221-en
General
-
Target
sound3.wav
-
Size
46KB
-
MD5
47f029f497ae8220366d4f0b1d5776f6
-
SHA1
f97ec2775157b22b11e3e460a5badc32eea958e5
-
SHA256
199209b0239bf1eba9e60df85c6d3049650ccaea3587c0310d8233466b6d2f5f
-
SHA512
92861f60b2f8eb75b8ec066f28cf3b3f7f22081cb283406cc1c854cc1754b4b4febbde9d01f93fb6347bd83337b754a2d67a4ef181121508642cf071bc63ffcc
-
SSDEEP
768:B+8rh9/dm5TT5tx0Zuh259+J5t86m1A/CvWlx8Dj:Bth9/deTT5/0M8+d8G/4Dj
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
unregmp2.exedescription ioc process File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\F: unregmp2.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
unregmp2.exedescription pid process Token: SeShutdownPrivilege 212 unregmp2.exe Token: SeCreatePagefilePrivilege 212 unregmp2.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
wmplayer.exeunregmp2.exedescription pid process target process PID 4056 wrote to memory of 3680 4056 wmplayer.exe setup_wm.exe PID 4056 wrote to memory of 3680 4056 wmplayer.exe setup_wm.exe PID 4056 wrote to memory of 3680 4056 wmplayer.exe setup_wm.exe PID 4056 wrote to memory of 3800 4056 wmplayer.exe unregmp2.exe PID 4056 wrote to memory of 3800 4056 wmplayer.exe unregmp2.exe PID 4056 wrote to memory of 3800 4056 wmplayer.exe unregmp2.exe PID 3800 wrote to memory of 212 3800 unregmp2.exe unregmp2.exe PID 3800 wrote to memory of 212 3800 unregmp2.exe unregmp2.exe
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\sound3.wav"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\sound3.wav"2⤵
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
64KB
MD5fc240c081ec382df4b74d591d7d37a45
SHA1396e9d8accb2ff8b32e6c3957808cb87d23ad47c
SHA2568cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038
SHA512d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\wmsetup.logFilesize
1KB
MD5e96acf2eb034ca64bd66ead44f696b94
SHA15680b14874d30449abf473250b8c2a1a39c7e236
SHA256065a0ce88b122608a5854bd1febb2b465ce18543f110be94f7e0d23c933641c4
SHA5120629b81eb6b468d49423283d71c7fe048ada3c4c2516c7c3bf74dcc593788411737da327fe84d18081beb358c7a96c1f739d5e609ed772b5cbf7578cd41b6442