0eff8cb2392a8c88752dd630e9b73706d5457098c9aa84ccd46cf3c88d5e77fa

Analysis

max time kernel
1333s
max time network
1167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_7726.mov
Size

309.8MB
MD5

20ecc3d01299f85d30664993200a6a49
SHA1

d64c6f56e250a2fdb62ecd98d6019fbbbe08d1f8
SHA256

0eff8cb2392a8c88752dd630e9b73706d5457098c9aa84ccd46cf3c88d5e77fa
SHA512

ba3ba0f66b4fc8c2301a70ad0712dd5b2817a4ef29a4354a17c48af6dd58fa63132546a6362ac84e6399e13de610f815f7aebcadabc1f84dbec676c76b32660d
SSDEEP

6291456:ml1pGtvIJSAiLpcSjhSzWBu81m054LFwE2eVXrOWoJBV:mxJXi5hSku81mwEBRHoDV

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4120	unregmp2.exe
Token: SeCreatePagefilePrivilege	4120	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3956	4776	wmplayer.exe	83
PID 4776 wrote to memory of 3956	4776	wmplayer.exe	83
PID 4776 wrote to memory of 3956	4776	wmplayer.exe	83
PID 4776 wrote to memory of 2204	4776	wmplayer.exe	84
PID 4776 wrote to memory of 2204	4776	wmplayer.exe	84
PID 4776 wrote to memory of 2204	4776	wmplayer.exe	84
PID 2204 wrote to memory of 4120	2204	unregmp2.exe	85
PID 2204 wrote to memory of 4120	2204	unregmp2.exe	85

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\IMG_7726.mov"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\IMG_7726.mov"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
dbfc662304aa4236ac6c685fdd3ee597

SHA1
bee96b9256c93a35398a8c6a341da9470c6101c2

SHA256
dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

SHA512
6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
36850e472f17e9c2dfbdcd688e4cc7c1

SHA1
2d12fe875ed9cc4f1a7762baa323a6a678a7fbf6

SHA256
749b450cb8f219a2cedb37ae557fb82c2c7fe2bb182559217d5d7fcf0cb19c59

SHA512
15e2d8ae762b91fc20a2dcb58bebf07866c50cabfb16a8f697e4eddb63bbafd133d5342fb9cbd58fb714c1bc7c1d10929b13b5711477fdb2d1ecacf48d30e836

Download Submit