61c28c7ee7dd4b23c2243bbc77b12c5098e0b32fa7dd3fb933c31e0996b9fedf

General

Target

1ef4e582bc0a4da3167fbe71d11dd735.wav
Size

7KB
MD5

1ef4e582bc0a4da3167fbe71d11dd735
SHA1

c6244136ad99ae2b6ff563f0a6d5c01f73ce3d92
SHA256

d2ba90279da4585f460ccb1d5b93e1865243648275a1b3bb681b5bc2dd6959f4
SHA512

fcedc57b45a5cf69337c8f8d49375cc35ea3806fce394d63b80125bb9ce69b7460133c1e2b42e739ea6619bb60962199534e0d172f823891d800445e30c3453b
SSDEEP

192:dSpvTochSRIc6ApnVy4A594vMVqQIY1mG0tSl3t3:c3QIcNpnc4A5uMUlYuSl3t3

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4540	unregmp2.exe
Token: SeCreatePagefilePrivilege	4540	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2864	3192	wmplayer.exe	70
PID 3192 wrote to memory of 2864	3192	wmplayer.exe	70
PID 3192 wrote to memory of 2864	3192	wmplayer.exe	70
PID 3192 wrote to memory of 4504	3192	wmplayer.exe	71
PID 3192 wrote to memory of 4504	3192	wmplayer.exe	71
PID 3192 wrote to memory of 4504	3192	wmplayer.exe	71
PID 4504 wrote to memory of 4540	4504	unregmp2.exe	72
PID 4504 wrote to memory of 4540	4504	unregmp2.exe	72

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\1ef4e582bc0a4da3167fbe71d11dd735.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\1ef4e582bc0a4da3167fbe71d11dd735.wav"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
98df921f667bf303621c789390ed9f2e

SHA1
d9c82e51534cf1c2eb5a255286de6a09ca364d1a

SHA256
8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3

SHA512
58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44656.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46312.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
4d247d90c6ad8fd8be2333a1c62dd127

SHA1
6c8ee31c8e1c04e54645c535eb2853361a93ca67

SHA256
f8e2e08763eeac71cbbad0dd8fa01b91e3d43bce36f5acbe08f998b0f0df130f

SHA512
eafd92d7a7f10b1c29db5cf1e9bdc8816ad852151e8b95c6d96dc9abc9d7d5b2efda0436fa9f2ed5df3bf190c877f2ac0af72a1abf48457ad5d236cdc4f274cc

Download Submit

Analysis

Sharing