3974aa507fed5303b0632c268cdb9ea82de4ca7ab4ab7184e361d58ebb912b4b

Analysis

max time kernel
82s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Changed Special/steamapps/common/Changed Special/Audio/BGM/13.wav
Size

2.7MB
MD5

a01e0a6a6c5001fe322d0eb1daf8c5f7
SHA1

7438b43d137a36e97444b1d3c77d880da0e2ba7c
SHA256

d4b48468833da7cd815b9f4b12d3dd19cf500f9d786168db568f16006237b66b
SHA512

96ecc78df51c5270c867d6aa68c298d569bfb04a779b208ac21c88052ca458ca88659f7eef2ea9e9af68c176cecc9abc1780fc08b75e9f0b12fa6fb22b97f5be
SSDEEP

49152:9maVK4y6ZDDUJtud5odaLHz0Yua/ryDPb7sXZsF8jooub4WLZoXM81YHhZO+DFYa:9mZ4hxo7+T0YrezPwc8UVxzJFYIN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unregmp2.exe

description pid process

Token: SeShutdownPrivilege 436 unregmp2.exe
Token: SeCreatePagefilePrivilege 436 unregmp2.exe

description	pid	process
Token: SeShutdownPrivilege	436	unregmp2.exe
Token: SeCreatePagefilePrivilege	436	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 3876 wrote to memory of 3252	3876	wmplayer.exe	setup_wm.exe
PID 3876 wrote to memory of 3252	3876	wmplayer.exe	setup_wm.exe
PID 3876 wrote to memory of 3252	3876	wmplayer.exe	setup_wm.exe
PID 3876 wrote to memory of 3896	3876	wmplayer.exe	unregmp2.exe
PID 3876 wrote to memory of 3896	3876	wmplayer.exe	unregmp2.exe
PID 3876 wrote to memory of 3896	3876	wmplayer.exe	unregmp2.exe
PID 3896 wrote to memory of 436	3896	unregmp2.exe	unregmp2.exe
PID 3896 wrote to memory of 436	3896	unregmp2.exe	unregmp2.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Changed Special\steamapps\common\Changed Special\Audio\BGM\13.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Changed Special\steamapps\common\Changed Special\Audio\BGM\13.wav"
2⤵
PID:3252

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
2936527c6171be1065c6012a3e8ffddd

SHA1
9273557d3cfc6987eac30802569e9d2579d7d4a4

SHA256
e341ab7fd265205d2477cb5234a6c3d35911d7ebb17139b585b55eb7def237e0

SHA512
a83203b4696232299c70ff0f7ae292964417b0636d278544fd252a41e6ab3b5c749e836d83d7b22bc52d56dc069bb8caa0ebf5634b32e3acae7afc87c1215e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
eeb79b00ce7963deb62c746619c6a390

SHA1
b0ec3d7d6f0c98eabd1306b06112048b01f00b21

SHA256
30a9e9f774cd84c5ee464680f3c73fa283c7ca953f275b2c9d42b6a43f50090e

SHA512
7f1d59f88ca42ee97848f86b830db901c38861afd482e805858317e06e5e73b70b87842c7b7a849af0b3c88dd9640382abda4874c015714d7f2e4206ffb42fa7

Download Submit