6308445270f66b681639a22434e5f411541b0b62fc28bd615cb1d1b4d9a64bc4

Resubmissions

08/01/2024, 10:54

240108-mzzmpahba3 6

08/01/2024, 10:53

240108-my7lxagcbn 6

Analysis

max time kernel
1486s
max time network
1495s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
08/01/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Снимок экрана 2024-01-07 131427.mp4
Size

1.4MB
MD5

cb8885d07d1e6def99c5c6c76fbcd426
SHA1

a0abe9a0da08430025e212ec6f78c01e6945a55d
SHA256

6308445270f66b681639a22434e5f411541b0b62fc28bd615cb1d1b4d9a64bc4
SHA512

7b80b77f0575ef734420b2b6de0174c56a2f698cd338219766ad123e31c22617d1b829b2f31ecb3d07606ba651dc96b2ca99ad9f31d210ec128286c076764ff9
SSDEEP

24576:4/KIab7BizGXzhOUzGrGzGnaAE9zGpO0zG0UnaGzGpOzGiNlzGSTFzGSGDzGSC2o:4wbFizuxzpzZAE9z4hzfUnaGzLzXlztd

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4280	unregmp2.exe
Token: SeCreatePagefilePrivilege	4280	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 696	1292	wmplayer.exe	79
PID 1292 wrote to memory of 696	1292	wmplayer.exe	79
PID 1292 wrote to memory of 696	1292	wmplayer.exe	79
PID 1292 wrote to memory of 3604	1292	wmplayer.exe	80
PID 1292 wrote to memory of 3604	1292	wmplayer.exe	80
PID 1292 wrote to memory of 3604	1292	wmplayer.exe	80
PID 3604 wrote to memory of 4280	3604	unregmp2.exe	81
PID 3604 wrote to memory of 4280	3604	unregmp2.exe	81

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Снимок экрана 2024-01-07 131427.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Снимок экрана 2024-01-07 131427.mp4"
  2⤵
  PID:696
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
9094c783418a02287a50e36fa6c8a56d

SHA1
668133014fe33c9e8116f99e7398a9882f3742bb

SHA256
5fb3c0c9cce8a7576c7fb22424d9e702dab7d81d4aba2e8098264f4092a358c3

SHA512
00b947b28b1988897729dc6c37b094441a489d33a02ff961d6934e8d5755894cf094e66ce76400c46bd035bda867516a5d5404b3ce05b6120efec3f0c981d1a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3d472d42c126f63de108a527dcb501e9

SHA1
ad04e1f466f0e30470fabc60e13887dbd0ba9196

SHA256
0b54759e870ff2838d3599018f6363476a7c68ff5ad32e745a4a66c4c46fe03e

SHA512
0c241357fbf19ed285a0419b9734727360a25037c6c44d1d2ee12705b5afb48fe38417b6249d4d90a0c5f56373fe938c835ff8995c9ef89a6d2c429e3e758930

Download Submit