Analysis
max time kernel: 25s
max time network: 43s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/03/2024, 16:28
Static task: static1
General
Target: -
Size: 53KB
MD5: 6536b10e5a713803d034c607d2de19e3
SHA1: a6000c05f565a36d2250bdab2ce78f505ca624b7
SHA256: 775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
SHA512: 61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018
SSDEEP: 1536:ynqAKryDLrASOcRw52sjzIUK7RkYrJ2lrKX:SNdMT8Z8cX
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | [email protected]
This is the sample's own process (PID 2012 in the tree below). The key sits under WOW6432Node, the redirected view a 32-bit process gets of HKLM\SOFTWARE on x64 Windows; entries there are still executed at logon. The value data is the bare name "cb.exe" with no directory, so at logon the image is resolved through the normal search order rather than from a fixed path, and no dropped file named cb.exe appears elsewhere in this report.
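A triage check for this kind of Run-key write, added here as an example and not taken from the report or from the sandbox: it strips the hive prefix and any WOW6432Node component from the recorded path, matches the key against the autostart locations, and flags the value data when the image name is unqualified, sits under a scratch directory, or was written through WOW64 redirection. The RegEvent rows are transcribed from this report's IoC tables; the key list, the scratch-directory list and the note wording are this example's own assumptions.

```python
"""Triage registry 'Set value' events for autostart (Run key) persistence.

Added example; it is not part of the sandbox report. The RegEvent rows below
are transcribed from the IoC tables in this report, and the classification
rules are this example's own, not the sandbox's.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Per-user and per-machine autostart keys (ATT&CK T1547.001), compared after
# the hive prefix and any WOW6432Node component have been stripped.
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}

# User-writable locations an autostart image should not normally run from
# (assumed list for this example).
SCRATCH_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class RegEvent:
    op: str        # "Set value (str)", "Key created", "Key opened", ...
    path: str      # full path as the sandbox records it, value name last
    data: str      # value data, "" for key operations
    process: str   # image name of the acting process


@dataclass(frozen=True)
class Finding:
    hive: str
    value_name: str
    command: str
    process: str
    notes: Tuple[str, ...]


_HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\[^\\]+)\\", re.IGNORECASE)


def split_path(path: str) -> Tuple[str, str, str]:
    """Split '\\REGISTRY\\hive\\key\\value' into (hive, key, value name).

    The key is lower-cased and any WOW6432Node component is removed, so a
    32-bit writer's redirected Run key matches the same rule as the native
    one; Windows processes entries under both at logon.
    """
    m = _HIVE_RE.match(path)
    if not m:
        raise ValueError(f"unexpected registry path: {path!r}")
    key, _, value_name = path[m.end():].rpartition("\\")
    parts = [p for p in key.split("\\") if p.lower() != "wow6432node"]
    return m.group(1).upper(), "\\".join(parts).lower(), value_name


def executable_of(command: str) -> str:
    """First token of a Windows command line: a quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_command(command: str, raw_path: str) -> Tuple[str, ...]:
    """Reasons an autostart entry deserves attention (empty tuple if none)."""
    notes = []
    exe = executable_of(command)
    if not ntpath.dirname(exe):
        notes.append("unqualified image name; resolved through the image search order at logon")
    if any(d in exe.lower() for d in SCRATCH_DIRS):
        notes.append("image lives in a user-writable scratch directory")
    if "\\wow6432node\\" in raw_path.lower():
        notes.append("written through WOW64 registry redirection (32-bit writer)")
    return tuple(notes)


def find_autostart(events: List[RegEvent]) -> List[Finding]:
    """Return one Finding per Set value event that lands in an autostart key."""
    findings = []
    for ev in events:
        if not ev.op.lower().startswith("set value"):
            continue
        hive, key, value_name = split_path(ev.path)
        if key not in AUTOSTART_KEYS:
            continue
        findings.append(Finding(hive, value_name, ev.data, ev.process,
                                classify_command(ev.data, ev.path)))
    return findings


# Constructed from the IoC rows in this report: the Run key write, one of the
# Control Panel\Colors writes, and one of msinfo32's SCSI key reads.
REPORT_EVENTS = [
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB",
             "cb.exe", "[email protected]"),
    RegEvent("Set value (str)",
             r"\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\Menu",
             "57 99 26", "[email protected]"),
    RegEvent("Key opened",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000",
             "", "msinfo32.exe"),
]

if __name__ == "__main__":
    for f in find_autostart(REPORT_EVENTS):
        print(f"{f.hive} {f.value_name!r} -> {f.command!r} by {f.process}")
        for note in f.notes:
            print("   ", note)
```

Run against the three transcribed events it reports exactly one finding, the ~~CB value, with both the unqualified-name and the WOW64-redirection notes; the Colors write and the SCSI read are ignored because their keys are not autostart locations.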
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (one open per letter; C:, D: and F: do not appear) | unregmp2.exe
The process is unregmp2.exe (PID 3372), launched with /AsyncFirstLogon under wmplayer.exe in the tree below; it is not the sample or a child of it.
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | msinfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | msinfo32.exe
In this run the reader is msinfo32.exe (PID 216), a top-level process started on C:\Users\Admin\Desktop\HideEnable.nfo, not the sample. System Information enumerates installed devices as part of its normal inventory, so this signature does not show anti-sandbox checks by the sample.
Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease | msinfo32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msinfo32.exe
Same process as the SCSI reads above (msinfo32.exe, PID 216), so again not attributable to the sample.
Modifies Control Panel (21 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors | [email protected]
The remaining 20 operations are all Set value (str) by [email protected] under that same Control Panel\Colors key; the data are RGB triples of the per-user classic colour scheme:
Menu = "57 99 26"
MenuText = "43 130 221"
WindowText = "238 24 128"
InactiveBorder = "227 220 160"
GrayText = "183 210 152"
InactiveTitle = "179 65 168"
Scrollbar = "8 72 46"
ActiveTitle = "213 163 203"
Hilight = "243 219 43"
ButtonFace = "165 201 45"
AppWorkspace = "225 5 109"
HilightText = "247 204 196"
ButtonText = "188 34 45"
Background = "96 191 222"
WindowFrame = "95 205 87"
TitleText = "121 133 143"
ActiveBorder = "40 55 168"
ButtonShadow = "172 156 196"
InactiveTitleText = "10 209 60"
Window = "97 213 63"
Together with the Run key write, this is the only behaviour the report attributes to the sample's own process (PID 2012): it rewrites every element of the user's window, text and highlight colours.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3616 | WINWORD.EXE
3616 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3372 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 3372 | unregmp2.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3616 | WINWORD.EXE
3616 | WINWORD.EXE
3616 | WINWORD.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4748 wrote to memory of 2308 | 4748 | wmplayer.exe | 78
PID 4748 wrote to memory of 2308 | 4748 | wmplayer.exe | 78
PID 4748 wrote to memory of 2308 | 4748 | wmplayer.exe | 78
PID 4748 wrote to memory of 1472 | 4748 | wmplayer.exe | 79
PID 4748 wrote to memory of 1472 | 4748 | wmplayer.exe | 79
PID 4748 wrote to memory of 1472 | 4748 | wmplayer.exe | 79
PID 1472 wrote to memory of 3372 | 1472 | unregmp2.exe | 80
PID 1472 wrote to memory of 3372 | 1472 | unregmp2.exe | 80
None of these four signatures fires on the sample: the clipboard listener and window hook belong to WINWORD.EXE (PID 3616, opened on NewCopy.docm), and the privilege adjustments and cross-process writes belong to the wmplayer.exe -> setup_wm.exe / unregmp2.exe chain, all top-level processes or their children in the tree below. Each row is one recorded call; the IoC count matches the row count.
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]  (PID 2012)
  command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  - Adds Run key to start application
  - Modifies Control Panel

C:\Windows\system32\msinfo32.exe  (PID 216)
  command line: "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\HideEnable.nfo"
  - Checks SCSI registry key(s)
  - Enumerates system info in registry

C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 4748)
  command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Windows Media Player\setup_wm.exe  (PID 2308, child of 4748)
      command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    C:\Windows\SysWOW64\unregmp2.exe  (PID 1472, child of 4748)
      command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\unregmp2.exe  (PID 3372, child of 1472)
          command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3616)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\NewCopy.docm" /o ""
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 1076)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\NewCopy.docm" /o ""

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 1252)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GetRequest.odt"

C:\Windows\system32\msinfo32.exe  (PID 4620)
  command line: "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\HideEnable.nfo"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe  (PID 2732)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe  (PID 4184)
  command line: C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 2408)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 1680)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 2204)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 396)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Only PID 2012 is the submitted sample, and it spawned no children. Every other entry is a top-level process with no parent in the tree, so the Media Player, msinfo32, Word and Edge activity and the signatures raised on it are unrelated to the sample. The unregmp2.exe pair shows WOW64 file-system redirection at work: the 32-bit wmplayer.exe (Program Files (x86)) asked for System32\unregmp2.exe and got SysWOW64\unregmp2.exe, which then relaunched the native 64-bit copy through SysNative with /REENTRANT.
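The attribution just described (which signatures are the sample's own and which come from unrelated top-level processes) can be derived mechanically from the tree. The following is an added example, not code from the report or the sandbox: PROCS and SIGNATURES are transcribed from this page, with parent PIDs taken from the nesting shown and each signature mapped to the PIDs the report lists for it; every other name in it is this example's own.

```python
"""Attribute sandbox signatures to the submitted sample through the process tree.

Added example; it is not part of the report. PROCS and SIGNATURES are
transcribed from this report: parent PIDs follow the tree nesting shown above
(depth-1 processes have no recorded parent), and each signature maps to the
PIDs the report lists for it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, NamedTuple, Optional, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for a top-level process in the report
    image: str


PROCS = [
    Proc(2012, None, r"C:\Users\Admin\AppData\Local\Temp\[email protected]"),
    Proc(216, None, r"C:\Windows\system32\msinfo32.exe"),
    Proc(4748, None, r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"),
    Proc(2308, 4748, r"C:\Program Files (x86)\Windows Media Player\setup_wm.exe"),
    Proc(1472, 4748, r"C:\Windows\SysWOW64\unregmp2.exe"),
    Proc(3372, 1472, r"C:\Windows\System32\unregmp2.exe"),
    Proc(3616, None, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"),
]

# Signature name -> PIDs the report lists for it.
SIGNATURES: Dict[str, Set[int]] = {
    "Adds Run key to start application": {2012},
    "Modifies Control Panel": {2012},
    "Enumerates connected drives": {3372},
    "Checks SCSI registry key(s)": {216},
    "Enumerates system info in registry": {216},
    "Suspicious behavior: AddClipboardFormatListener": {3616},
    "Suspicious use of AdjustPrivilegeToken": {3372},
    "Suspicious use of SetWindowsHookEx": {3616},
    "Suspicious use of WriteProcessMemory": {4748, 1472},
}


class Attribution(NamedTuple):
    sample: bool        # True if some listed PID is the sample or a descendant of it
    roots: Set[int]     # top-level PIDs the listed processes hang off


def root_of(pid: int, by_pid: Dict[int, Proc]) -> int:
    """Walk ppid links up to the top-level process; guards against ppid cycles."""
    seen = set()
    p = by_pid[pid]
    while p.ppid is not None and p.ppid in by_pid and p.pid not in seen:
        seen.add(p.pid)
        p = by_pid[p.ppid]
    return p.pid


def descends_from(pid: int, ancestor: int, by_pid: Dict[int, Proc]) -> bool:
    """True if pid is the ancestor itself or sits anywhere below it."""
    seen = set()
    p = by_pid.get(pid)
    while p is not None and p.pid not in seen:
        if p.pid == ancestor:
            return True
        seen.add(p.pid)
        p = by_pid.get(p.ppid) if p.ppid is not None else None
    return False


def attribute(procs: Iterable[Proc], signatures: Dict[str, Set[int]],
              sample_pid: int) -> Dict[str, Attribution]:
    """For each signature, decide whether the sample's lineage triggered it."""
    by_pid = {p.pid: p for p in procs}
    out = {}
    for name, pids in signatures.items():
        out[name] = Attribution(
            sample=any(descends_from(pid, sample_pid, by_pid) for pid in pids),
            roots={root_of(pid, by_pid) for pid in pids if pid in by_pid},
        )
    return out


def sample_signatures(procs, signatures, sample_pid) -> list:
    """Signature names that the sample (or a child of it) actually triggered."""
    return sorted(n for n, a in attribute(procs, signatures, sample_pid).items() if a.sample)


if __name__ == "__main__":
    for name, a in attribute(PROCS, SIGNATURES, 2012).items():
        tag = "SAMPLE" if a.sample else "other"
        print(f"{tag:6} {name}  (roots {sorted(a.roots)})")
```

On this report's data the sample is left with exactly two signatures, the Run key write and the Control Panel modification; the drive enumeration and privilege adjustment resolve to root PID 4748 (wmplayer.exe), the SCSI and BIOS reads to 216 (msinfo32.exe), and the clipboard and hook calls to 3616 (WINWORD.EXE).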
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run. Entries without a path are listed as the report gives them. The three named paths are an Office web-service cache entry, a TokenBroker cache entry and an Edge package resource file; none is under the sample's directory and none is named cb.exe.

Filesize: 64KB
MD5: 0e807656bd86f2aef7ccf207f963973b
SHA1: 27052af8d103d134369e356b793eb88ba873df55
SHA256: c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162
SHA512: e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4F398924-F001-4C4A-B205-D555F0538505
Filesize: 160KB
MD5: bc592e37a22535a30a54b262b57e15d8
SHA1: 739deaca786b0c5c03ad42295f07a34cf38beeec
SHA256: f7f92bd9260b0a84db6ab72615f428a9dfd149c3b183b686d826fd6f465dbe74
SHA512: 4d223fb0818e20b4e1b3bf6756f473df2baadf5cff2fbfbf7b15d318bc8433b0a9d4c75d8649a46e6f94e7970d70e4adbad35b975179e9b11541b1c7e7513336

Filesize: 8KB
MD5: d6f790e9092792ec798abaff6d5b7692
SHA1: 19c4dd5a1ab6cbe4d4c6dc01af7a903f31a25bbf
SHA256: cbb884793cdbfea7fcc7abdabf846d8d0e368f13824236e1cc8bb5616a6e45ce
SHA512: 595af12cf1d1aa1a2f06fe68c6012909c41356dfc8921f27a8522a16be285c6788a796039ae5ae6956a01c0416f924313c653b854f48ea397f7b208c3b38dac9

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
Filesize: 2KB
MD5: 54d28c7816baa9dda1c88b0ea57623bb
SHA1: 89bbd55270a05fa4efaf6fd6095bf91d480d98ab
SHA256: 772414f615d8ba5d1e1357f5a1e03c57814f13d71f92b58c9e609f927ab29d01
SHA512: 47538b78d7b78f69f3abd0f1903bba72ab964ddace6d931a16b50af93f0997f324d21d99802ec10a2a0ab98b3722dc2241e063ad966426c868fd409d61b6baad

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\Microsoft\Windows\3720402701\2219095117.pri
Filesize: 207KB
MD5: e2b88765ee31470114e866d939a8f2c6
SHA1: e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256: 523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512: 462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Filesize: 546B
MD5: df03e65b8e082f24dab09c57bc9c6241
SHA1: 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256: 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512: ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Filesize: 523B
MD5: d58da90d6dc51f97cb84dfbffe2b2300
SHA1: 5f86b06b992a3146cb698a99932ead57a5ec4666
SHA256: 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
SHA512: 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Filesize: 1KB
MD5: 557b5ff876a2be11fc93b5f49b3457ca
SHA1: 5b2603ad1089bbb3dcd297936d09d8a4575dbd76
SHA256: 1bfad6a29150153ceb9cd16f12548ba7a565d76857b43b1b75a06459635f8de3
SHA512: da6afe412d98380964b230cd1b8634e8b5baa5dfc493b4791157d25ffbcaf9d674bb5b5ad4201ff3482f8da432b74650db13d91210c60952ffdf1b0174684e45