3974aa507fed5303b0632c268cdb9ea82de4ca7ab4ab7184e361d58ebb912b4b

Analysis

max time kernel
128s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Changed Special/steamapps/common/Changed Special/Audio/BGM/16.wav
Size

3.5MB
MD5

710db5047e515b9c56c9186de626c5e0
SHA1

fb36829c65f4641a154b423077ef19270f7a85f8
SHA256

0c1c48c5dfe129a37ad8d85323a4d1cf50d073c7b347ae79bce3583e300bb140
SHA512

e960e7168723b356e0eea8ac464958b4b8294582ee97c8743ef7675e553f2b178875c544a64b583ea74dacdffe294fcc806b22897832eb17594e3d2cfa8b98ff
SSDEEP

49152:CrsXqNncidQ4OTkgQj/gjO8cfQLLXM/xF+FbC6UA:CYXqaidWTfK/g6PQLLc/7+VCLA

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unregmp2.exe

description pid process

Token: SeShutdownPrivilege 4424 unregmp2.exe
Token: SeCreatePagefilePrivilege 4424 unregmp2.exe

description	pid	process
Token: SeShutdownPrivilege	4424	unregmp2.exe
Token: SeCreatePagefilePrivilege	4424	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 100 wrote to memory of 456	100	wmplayer.exe	setup_wm.exe
PID 100 wrote to memory of 456	100	wmplayer.exe	setup_wm.exe
PID 100 wrote to memory of 456	100	wmplayer.exe	setup_wm.exe
PID 100 wrote to memory of 4740	100	wmplayer.exe	unregmp2.exe
PID 100 wrote to memory of 4740	100	wmplayer.exe	unregmp2.exe
PID 100 wrote to memory of 4740	100	wmplayer.exe	unregmp2.exe
PID 4740 wrote to memory of 4424	4740	unregmp2.exe	unregmp2.exe
PID 4740 wrote to memory of 4424	4740	unregmp2.exe	unregmp2.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Changed Special\steamapps\common\Changed Special\Audio\BGM\16.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Changed Special\steamapps\common\Changed Special\Audio\BGM\16.wav"
2⤵
PID:456

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
576KB

MD5
e30bab3c9bd13d79c1d7ee197e2b3b26

SHA1
99e8fc9e876ec5a24018cd8700b564ece14f17d3

SHA256
d5b332ff18b7cca488207033531a104f2ecb2433f0cd0ddf33d3019f3c1b6a39

SHA512
0c5cc01549f53a7b23a72e09ead0b66beb27df033ab6b54b1bf7e7b77c49b91dfb43bbd9a8167780e687c1f9c6ae51405aba15c92946e23500ed2570a33c2586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
cfa9e99ea13c1594768717d87260df50

SHA1
19712d003fd02aaa1f8af559150cb79c3d0ccea4

SHA256
bb741a086a411d0f1b012cc8135e16a0e064df49f66d56a366883fefe4f7b14b

SHA512
c2e3ec173f51959a05ae7e4b50081a66c854ad1bc5c0a2da56a968f80da2ec9d0d64f929beab25ce5437a76cefd8f2e8430cce685750b09e4ee85c842a69582f

Download Submit