9843e113a995102e5d263a037f5e28b9399a079dd08556c0fea690306b70e4d2

Analysis

max time kernel
107s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2023, 13:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Non-Executive Training (shared folder with LMS Team)/1st draft - NEOM - FCF TRAINING MODULE - NON EX.mp4
Size

702.1MB
MD5

2d57f2249a6c6c5b0e2908c9db850acf
SHA1

a5fe658a3a971b06d3bf5b72d03c01a5b8fb2947
SHA256

49c4ee387e5c1d779005c81f86753e3f51efa134bb16764555a1e867fd3407ef
SHA512

7c0e9bf66a16c4a9ba25cf2f037fe02020e3604d8c42977219f8e82f53af27e57efd895b92861ad742710d68e1dc927f7cdf319a640f298478a79329d2b0b92d
SSDEEP

6291456:pt0/tLB5BcYTWR0w6nXg2t48Pmx2BHKfCQdWfbrKmUhveNt3:arKmUNeN9

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4804	unregmp2.exe
Token: SeCreatePagefilePrivilege	4804	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1232	2032	wmplayer.exe	84
PID 2032 wrote to memory of 1232	2032	wmplayer.exe	84
PID 2032 wrote to memory of 1232	2032	wmplayer.exe	84
PID 2032 wrote to memory of 1288	2032	wmplayer.exe	85
PID 2032 wrote to memory of 1288	2032	wmplayer.exe	85
PID 2032 wrote to memory of 1288	2032	wmplayer.exe	85
PID 1288 wrote to memory of 4804	1288	unregmp2.exe	86
PID 1288 wrote to memory of 4804	1288	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Non-Executive Training (shared folder with LMS Team)\1st draft - NEOM - FCF TRAINING MODULE - NON EX.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Non-Executive Training (shared folder with LMS Team)\1st draft - NEOM - FCF TRAINING MODULE - NON EX.mp4"
  2⤵
  PID:1232
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
fc240c081ec382df4b74d591d7d37a45

SHA1
396e9d8accb2ff8b32e6c3957808cb87d23ad47c

SHA256
8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038

SHA512
d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
20c19656c5cf855cad6e301d5afcc991

SHA1
e3a59429d406426f51965d294fe2aa64568ab017

SHA256
9b0db9c8ea52778c88362a4b17a47a66ea65a1b5b5ae990e6a373bd874467e51

SHA512
12d5a253611589acd42e742f414f95f94a6d1b5ce942b775f1ed34eb5a17e87c61ad82f21de81f459c4a0c3dc017f68ef77929e8556c4ee88daeb256368bf2a4

Download Submit