ad15869dd2adda745da583f9c1038ffdb127d7a2bab682b82c9858fd64c32301

Resubmissions

25-02-2024 23:20

240225-3br6psfh6s 6

25-02-2024 18:44

240225-xdwc9aag71 10

Analysis

max time kernel
456s
max time network
1177s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crashed_by_vohr.mp3
Size

9.3MB
MD5

0d813790b342f04e991a7f07487d39c7
SHA1

b3b73c636113390813ed338e83530120b5d0b9cd
SHA256

ad15869dd2adda745da583f9c1038ffdb127d7a2bab682b82c9858fd64c32301
SHA512

49b666e7dbed2903a544e04a2a1499537293fb09410d6391fd0f4b9d421880211930988e6aaaa5a99f2ccfd13cd8f7c6237270b34a7dd4fffe33bc13c252cc6c
SSDEEP

196608:OHK+1paMFx7zrfwVsZ1ZfjqkKIdPhvy/dxP:5+14MFx7HfhXfxdTKHP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unregmp2.exe

description pid process

Token: SeShutdownPrivilege 3408 unregmp2.exe
Token: SeCreatePagefilePrivilege 3408 unregmp2.exe

description	pid	process
Token: SeShutdownPrivilege	3408	unregmp2.exe
Token: SeCreatePagefilePrivilege	3408	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 1132 wrote to memory of 3736	1132	wmplayer.exe	setup_wm.exe
PID 1132 wrote to memory of 3736	1132	wmplayer.exe	setup_wm.exe
PID 1132 wrote to memory of 3736	1132	wmplayer.exe	setup_wm.exe
PID 1132 wrote to memory of 2716	1132	wmplayer.exe	unregmp2.exe
PID 1132 wrote to memory of 2716	1132	wmplayer.exe	unregmp2.exe
PID 1132 wrote to memory of 2716	1132	wmplayer.exe	unregmp2.exe
PID 2716 wrote to memory of 3408	2716	unregmp2.exe	unregmp2.exe
PID 2716 wrote to memory of 3408	2716	unregmp2.exe	unregmp2.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\crashed_by_vohr.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\crashed_by_vohr.mp3"
  2⤵
  PID:3736
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a20a490b10b140c3aafe92d29dadf43d

SHA1
1af47a90ee4dad2f65a0d14f0e0496bdaed26f97

SHA256
65b2ba1030eddd7228db161c0528849a9c8187125fe95a981f22260bfa7e80e5

SHA512
7fda0abf63406147529c63c46f6b6b2f772864fc2ebd32c678d9fca236a3f473864800103c2fb67790c006cd2eacff4ab2ce3751f4c9480e355d97e8f4812efb

Download Submit