Analysis

  • max time kernel
    0s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-01-2024 20:19

General

  • Target

    magic.poisontoolz.com/Otcck.wav

  • Size

    1.1MB

  • MD5

    f36d654482fd55002007c1d517bb0570

  • SHA1

    0073d502c20758eedcd974b885ef7ea68f24d6bc

  • SHA256

    50785ebfe8e8dd43d1b8efc56611371878a61d8d7866e962d92095b09d338f93

  • SHA512

    5f034b0d4e65df85acb008dd0cc5114294644408c2532a535b4f367e3d5b6d1ef7f8ba8afc3bc111164fba7e05a36da31c842673e708e679198140bf6cf45e0a

  • SSDEEP

    24576:ek2FZ8fcs/QYe8a0xafPXL4sbzraP1CdGxZ77AsgfZOR:oZ8ksne8a0xafPXvaPwYUsn

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      PID:2008
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        PID:4704
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"
      2⤵
      PID:3208
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:4908
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    PID:1520

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    326KB
    MD5
    4ff06a33c8a7f9b17468a95e88f690c7
    SHA1
    917f7d8e8f6ac2603a2a1b5959f44b86e7b36ebb
    SHA256
    615904af68bd931ffad42d2868520dfc1e5e09889bb653c272531d154dc7f6a0
    SHA512
    05aff23b62a15e2efeb9f3a75301204252e766a4a8c8104f9fda086ee47e62f5e5bb7cc9595ba62721ef172250a11be16da67f4bd68a034d75ffb2dfbb061004

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize
    9KB
    MD5
    7050d5ae8acfbe560fa11073fef8185d
    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize
    1KB
    MD5
    dbbe3b2e56558f128653635d80156427
    SHA1
    692dcec13ab48af5614982611af2cc048a30035f
    SHA256
    62ea3456f7158f1d8fa340cdcb9e7cf18f4763c66829c0aba175f6cd873e8961
    SHA512
    e47e76b71849f45a54b172762dcd023d6bdf03d37e3c22f33424a986863a24741352a7f021ea974cd42f15424ec6cf64dc436c16ea11f6572407bc09541c5a08

  • memory/1520-33-0x0000021DB49A0000-0x0000021DB49B0000-memory.dmp
    Filesize
    64KB

  • memory/1520-65-0x0000021DBCE10000-0x0000021DBCE11000-memory.dmp
    Filesize
    4KB

  • memory/1520-67-0x0000021DBCE40000-0x0000021DBCE41000-memory.dmp
    Filesize
    4KB

  • memory/1520-69-0x0000021DBCF50000-0x0000021DBCF51000-memory.dmp
    Filesize
    4KB

  • memory/1520-68-0x0000021DBCE40000-0x0000021DBCE41000-memory.dmp
    Filesize
    4KB

  • memory/1520-49-0x0000021DB4AA0000-0x0000021DB4AB0000-memory.dmp
    Filesize
    64KB