Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    167s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2023, 11:57

General

  • Target

    4601-fvr-master-2.mp3

  • Size

    10.1MB

  • MD5

    cb3d25722564c7e0b33fcc4e7ada7ec2

  • SHA1

    70c5fc5fcec6ecb9c3a1fe114de21327a8a99146

  • SHA256

    2e4f1adcedd82306e9c6a35ac2b1abb2ab969f29d9a84d4d9a8d46140f34d25f

  • SHA512

    fd35b01928cec182719fe724cc70f4e2637fd334a6ba8a7fd82117320a0c57bfdb3273466328a45cfd56e0edf577f4f1bb8521bd6a987fcc45df7951e07d70d8

  • SSDEEP

    196608:r3yf10mzN+fwSzJ3UOMclf9yQfYiAUy7xLpgSLv/tOo:rCfBvS1dMg3YiAUy7xSen

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\4601-fvr-master-2.mp3"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\4601-fvr-master-2.mp3"
      2⤵
        PID:920
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:3728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

      Filesize

      256KB

      MD5

      41e020ee798eceb4ac90cba2142a7a1b

      SHA1

      714ffdf4ddc441ae72c3fb2e4548a8219ad06fb8

      SHA256

      60968b6f285adc7f7347c43815c17a27a383807366f91212b81b17cac20131a8

      SHA512

      29d22703589df058c7f3509ce58f8e2f8fdf1fc2077e0622a796e4f9c17e563994e3cce83d74b5d58d79ae5b335a1e114c86ca7fe149bab10c3656c0acb0ae76

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

      Filesize

      1KB

      MD5

      fb81cb3f6575c79b40a396bff611318a

      SHA1

      3cb4f61c1e1a508584cf7f21d4107b2677469653

      SHA256

      d86fa601b8ea8aa514444e827f0f5a13f02c820dbc1f9ba72dc3ca0a59f91196

      SHA512

      ce6cd74f6e3a64c5f44b66e9b776b2b32b3543ab0e122ec0c3ec5aeba727c24d67b63b79d17a0aec91544c7bb22230ba22489d87716214a63be726bdecbebbe6