61c28c7ee7dd4b23c2243bbc77b12c5098e0b32fa7dd3fb933c31e0996b9fedf

Analysis

max time kernel
361s
max time network
1581s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
16/10/2023, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a4af5170fba53816402bd1a1b6234ca.wav
Size

2KB
MD5

5a4af5170fba53816402bd1a1b6234ca
SHA1

98d36df044d985cad277b81e31ab0bf26c6e983c
SHA256

1acb3a45974d30a9798bd58dc8d52014ca27e8573ef416ca69995c6077b68618
SHA512

c84341ee7f0a3256febd1e6a44a1a4c8339cdfdc5aa571a7da8992e4542a7c437a649e411e360af7eb223c052ceb4ff23a5e772dd31280b7dd2afe1bfdf06bc8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2156	unregmp2.exe
Token: SeCreatePagefilePrivilege	2156	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1012	1788	wmplayer.exe	70
PID 1788 wrote to memory of 1012	1788	wmplayer.exe	70
PID 1788 wrote to memory of 1012	1788	wmplayer.exe	70
PID 1788 wrote to memory of 2412	1788	wmplayer.exe	71
PID 1788 wrote to memory of 2412	1788	wmplayer.exe	71
PID 1788 wrote to memory of 2412	1788	wmplayer.exe	71
PID 2412 wrote to memory of 2156	2412	unregmp2.exe	72
PID 2412 wrote to memory of 2156	2412	unregmp2.exe	72

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\5a4af5170fba53816402bd1a1b6234ca.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\5a4af5170fba53816402bd1a1b6234ca.wav"
  2⤵
  PID:1012
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
98df921f667bf303621c789390ed9f2e

SHA1
d9c82e51534cf1c2eb5a255286de6a09ca364d1a

SHA256
8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3

SHA512
58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40796.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42218.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
ccfce744ee9a429b57a576d3e9946113

SHA1
de3fc9a97f604adb33482d637684700a90f9ad06

SHA256
03e8f00549eb023107bd5dc38265e620cf0f1a7153d071dc2280851650383a56

SHA512
dce33b6107241a722af0d94a0a3cb114670e52669c73e02ce54f3fe0ddf1043fdca0e3e96ef0cb3f41714f2354914bac4dbedbf47e6adf158d081b649d198edb

Download Submit