51db95fb72ba2b52a47d6824bc65cf055852e7e71b517c282004e47001b631f2

Resubmissions

01-11-2023 06:15

231101-gzwcdabd61 10

01-11-2023 06:14

01-11-2023 05:56

01-11-2023 05:48

01-11-2023 05:45

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y+tu+keri+o+nooo++#magicgang.mp4
Size

593KB
MD5

017ef81026c1956d8c5cdd2eb68b51c4
SHA1

7a511485e691cc1a7a299f11b5be49fb7e32fd2f
SHA256

51db95fb72ba2b52a47d6824bc65cf055852e7e71b517c282004e47001b631f2
SHA512

44fb405addc45d3efce74e4ddf1542ff50a74c468b38767f11816dce9a8274cd2430f3bf92f20343f470dfa20923458b3f603c0adff65554ccc9f42f57065ef8
SSDEEP

12288:Odeu59/kMA28kWqKF3oa8yzC02xQum10HDdwwvego0BHmdfxqaf:OB/PfmRoNy202nmaHDdwwvelfkaf

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2248	unregmp2.exe
Token: SeCreatePagefilePrivilege	2248	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4868	4456	wmplayer.exe	91
PID 4456 wrote to memory of 4868	4456	wmplayer.exe	91
PID 4456 wrote to memory of 4868	4456	wmplayer.exe	91
PID 4456 wrote to memory of 3980	4456	wmplayer.exe	92
PID 4456 wrote to memory of 3980	4456	wmplayer.exe	92
PID 4456 wrote to memory of 3980	4456	wmplayer.exe	92
PID 3980 wrote to memory of 2248	3980	unregmp2.exe	93
PID 3980 wrote to memory of 2248	3980	unregmp2.exe	93

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\y+tu+keri+o+nooo++#magicgang.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\y+tu+keri+o+nooo++#magicgang.mp4"
  2⤵
  PID:4868
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
9c481a94abc7eee23cd5234262e60077

SHA1
2873225e708fb5461ac60c3613fe12112423f0f0

SHA256
681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061

SHA512
0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
16a3f8ea55fc287bc02ed59590e17654

SHA1
3d80508cb754fc1e41a269b35c761565360fea9d

SHA256
d59f867610ba6893500c8a304c4f4e3da8986fb190f2aa33acab473bfd97aec0

SHA512
545b108280f29cce3e28584735c1c0a7d22f3ac1d51f237ba1e6ff529abf5ccd461db1d18716e7d75342d025db92dfb0b370e65a36f1a57c19196ad2ba945489

Download Submit