Analysis
max time kernel: 167s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4601-fvr-master-2.mp3
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 4601-fvr-master-2.mp3
  Resource: win10v2004-20231020-en
General
Target: 4601-fvr-master-2.mp3
Size: 10.1MB
MD5: cb3d25722564c7e0b33fcc4e7ada7ec2
SHA1: 70c5fc5fcec6ecb9c3a1fe114de21327a8a99146
SHA256: 2e4f1adcedd82306e9c6a35ac2b1abb2ab969f29d9a84d4d9a8d46140f34d25f
SHA512: fd35b01928cec182719fe724cc70f4e2637fd334a6ba8a7fd82117320a0c57bfdb3273466328a45cfd56e0edf577f4f1bb8521bd6a987fcc45df7951e07d70d8
SSDEEP: 196608:r3yf10mzN+fwSzJ3UOMclf9yQfYiAUy7xLpgSLv/tOo:rCfBvS1dMg3YiAUy7xSen
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: unregmp2.exe
ioc: \??\B:, \??\H:, \??\S:, \??\T:, \??\W:, \??\I:, \??\J:, \??\K:, \??\M:, \??\P:, \??\R:, \??\V:, \??\G:, \??\L:, \??\N:, \??\O:, \??\U:, \??\Z:, \??\A:, \??\E:, \??\Q:, \??\X:, \??\Y:
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeShutdownPrivilege; PID: 3728; Process: unregmp2.exe
Token: SeCreatePagefilePrivilege; PID: 3728; Process: unregmp2.exe
Suspicious use of WriteProcessMemory (8 IoCs)
PID 1572 (wmplayer.exe) wrote to memory of PID 920; procid_target: 90
PID 1572 (wmplayer.exe) wrote to memory of PID 920; procid_target: 90
PID 1572 (wmplayer.exe) wrote to memory of PID 920; procid_target: 90
PID 1572 (wmplayer.exe) wrote to memory of PID 4492; procid_target: 91
PID 1572 (wmplayer.exe) wrote to memory of PID 4492; procid_target: 91
PID 1572 (wmplayer.exe) wrote to memory of PID 4492; procid_target: 91
PID 4492 (unregmp2.exe) wrote to memory of PID 3728; procid_target: 92
PID 4492 (unregmp2.exe) wrote to memory of PID 3728; procid_target: 92
Processes
1. C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 1572)
   Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\4601-fvr-master-2.mp3"
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Windows Media Player\setup_wm.exe (PID 920)
      Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\4601-fvr-master-2.mp3"
   2. C:\Windows\SysWOW64\unregmp2.exe (PID 4492)
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\unregmp2.exe (PID 3728)
         Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
         Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15