893a864ee28a6ca677a90873099a6f816e7fbb8e604f7fc9e4ffa90167d61001

Resubmissions

24/02/2024, 12:33

240224-prj85sbf84 6

24/02/2024, 12:32

240224-pqstwsbf58 1

24/02/2024, 12:28

240224-pnngdscc7x 6

Analysis

max time kernel
3s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HK416-bonk.mp4
Size

93KB
MD5

f7aaecedf1d24e05de0641cd686cd075
SHA1

ab7e8b802dc8d406ba093c721d1cc88fc7aaa9df
SHA256

893a864ee28a6ca677a90873099a6f816e7fbb8e604f7fc9e4ffa90167d61001
SHA512

a9ebc2e5fa1e74c954cf1e944eecd32b2cc30e0f9a9055747bf47f01f5bc02f42b72cde72f72d7ddc1c82d7108956371a84c35eb007a90ad7b446e2891dbda88
SSDEEP

1536:z8iPfqSSI9UQGo7BxnZQOdtzqNVQNolHuesWrOWD7wZX42NtOSP7T8F4D7q9fU8x:giPfZo4ZhtONqNkHuesZUiX42VXJ3CUO

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3296	unregmp2.exe
Token: SeCreatePagefilePrivilege	3296	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1008	1000	wmplayer.exe	72
PID 1000 wrote to memory of 1008	1000	wmplayer.exe	72
PID 1000 wrote to memory of 1008	1000	wmplayer.exe	72
PID 1000 wrote to memory of 4444	1000	wmplayer.exe	73
PID 1000 wrote to memory of 4444	1000	wmplayer.exe	73
PID 1000 wrote to memory of 4444	1000	wmplayer.exe	73
PID 4444 wrote to memory of 3296	4444	unregmp2.exe	74
PID 4444 wrote to memory of 3296	4444	unregmp2.exe	74

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\HK416-bonk.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\HK416-bonk.mp4"
  2⤵
  PID:1008
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
98df921f667bf303621c789390ed9f2e

SHA1
d9c82e51534cf1c2eb5a255286de6a09ca364d1a

SHA256
8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3

SHA512
58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
805573f7961baf2ee44d2d4d82385e88

SHA1
f92732be5fd29e359a90b198daf6c43aace9cbab

SHA256
770ccd2e55e43b4d72edecbca18595c062d5a7181bd1acc48263379d9bbd3b8d

SHA512
3870948ba0ecfecf46b78c9b5e977ab0dd504658a815d82527585aa251276c01452562ee2873068d9eab7e6bae65c3040b337b71dce35e8d6df78728273a87f0

Download Submit