8ba9d4a2568da3b4272eaf71d4b30946bd2d5b7569aa2376e62a4e3b6d887a48

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1029.mp4
Size

2.8MB
MD5

d2da843bb0e800ed5ae4101033f10ac1
SHA1

9d04ae022ba07841f60670bc8f131327b4676d43
SHA256

8ba9d4a2568da3b4272eaf71d4b30946bd2d5b7569aa2376e62a4e3b6d887a48
SHA512

35d8522296e235982b22e68861fedebe6d34460928251d2c9cf0f120e2555c1fdd17b7bfecd59c1a6e20a4c0d9f1165ea7aa0eb330968633f2e00ecff102f72d
SSDEEP

49152:8CXUV+5tlgTSo/Q2MLQJxIjVfAglsNp0BjYkG0PSXtWTfV5BDZ:8CX9xZo/Q2MLQwVfpsD0BatAt5BDZ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5020	unregmp2.exe
Token: SeCreatePagefilePrivilege	5020	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2136	2784	wmplayer.exe	89
PID 2784 wrote to memory of 2136	2784	wmplayer.exe	89
PID 2784 wrote to memory of 2136	2784	wmplayer.exe	89
PID 2784 wrote to memory of 748	2784	wmplayer.exe	90
PID 2784 wrote to memory of 748	2784	wmplayer.exe	90
PID 2784 wrote to memory of 748	2784	wmplayer.exe	90
PID 748 wrote to memory of 5020	748	unregmp2.exe	91
PID 748 wrote to memory of 5020	748	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\1029.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\1029.mp4"
  2⤵
  PID:2136
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
ab57d6576bac817e24e09b125a2fc42f

SHA1
0fbec340b8ec1256b89d115f2598853a281312ba

SHA256
1f85be4464de03096c5272ec692fb71cd9f0f6ac485c4f47a984513b3990c5ac

SHA512
d3d1077369971f56eae10b2737552e93658df660fa06b627606c2ee5c8cbff2d0247401ff259d95ce1bc6757e79d869a7acc3bbcf1eadc1a1eaafc9be4d17faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
4221837e4013226818f3d3cb21ec9722

SHA1
5ebd597aae97b3a8e4c6a6422c7503c0fb5811df

SHA256
adc14e77ff3101164a3ae2a34db2559a70b8b3d254f33e9ab41f27f2fc5f58a5

SHA512
40852aeaf8f2763081c5503763fc2c997b980dec6e414b3a0bf9164d8f0ff9244a2a823bfd28e15f698ce22fb45029e90b8fc1225ba6855a400ee00d31427694

Download Submit