1de7980c6357715d40cb91c7fb3e2cd47e05d2d220381f7867e781b582a14e2c

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Jennifer's Body.mp4
Size

3.7MB
MD5

7d65f2b8870e21f1edb9d42f1053dbc4
SHA1

639997a3ead06b6366bbf2d921a9e544aad7f3c9
SHA256

1de7980c6357715d40cb91c7fb3e2cd47e05d2d220381f7867e781b582a14e2c
SHA512

163cb442597449209a37e14d33edf9d3954e5a17835692faf457d43b074c2186503155db0a1fc7d438602179fba1dc4f3649f06bde5ea7d9081877baaa9815db
SSDEEP

98304:zqtPt04FRSRv84gWxD1bHqA0tFtw4jKMOrz4uBEGAUmyxEa1aWML8NQ:yedZ5NNRdvI

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4512	unregmp2.exe
Token: SeCreatePagefilePrivilege	4512	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4060	1956	wmplayer.exe	93
PID 1956 wrote to memory of 4060	1956	wmplayer.exe	93
PID 1956 wrote to memory of 4060	1956	wmplayer.exe	93
PID 1956 wrote to memory of 4000	1956	wmplayer.exe	94
PID 1956 wrote to memory of 4000	1956	wmplayer.exe	94
PID 1956 wrote to memory of 4000	1956	wmplayer.exe	94
PID 4000 wrote to memory of 4512	4000	unregmp2.exe	95
PID 4000 wrote to memory of 4512	4000	unregmp2.exe	95

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Jennifer's Body.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Jennifer's Body.mp4"
  2⤵
  PID:4060
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
fc240c081ec382df4b74d591d7d37a45

SHA1
396e9d8accb2ff8b32e6c3957808cb87d23ad47c

SHA256
8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038

SHA512
d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
4e55750e7c92d992acb93a9155e1f90d

SHA1
e84717928538e9bde47cbcbb55d3a550329658cb

SHA256
185b60e6b6b0c975363323937a96ae24050e7b522f0ccbf7e666a779e58cb95c

SHA512
95f9b6e587beefee670bbf152cd7aba2491c9fa53c6497242df32113a04bf6dd7bd6dac502bd11d897dc6191071893ff1ea66548ca877324e69a2d9e3f9ee3ef

Download Submit