af430050f1a36ac9ac0c081d8dac85d706cc8841fb83c626e656111eea30ab94

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

res/sounds/jump.wav
Size

10KB
MD5

f521be49c1322c01a6396d32a8f99252
SHA1

59bddf51e85a618a06119858abce4a5bcab09345
SHA256

be9b4bbe24d0245bda63f46351d2bb24cb64c3e1825596d3f1fe312b8c75f82b
SHA512

aa7b169cda7e5017f63ef33470fd3ff46e0497359a01fbf0530d7443fadb6be94ccdc37d2d9eb1f730815c1f3c528520910c38208b1a8dce8b0f7161b648654f
SSDEEP

192:V2Zn9XN+j8JcJtqnxLCK/gY8OhDzx+KAOVaJXVieGwmhXSZPQxuBmwYOewwLC:Vkn9wjY4twBCKGO/+g8XIesXAPQxuIAj

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2960	unregmp2.exe
Token: SeCreatePagefilePrivilege	2960	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 4776	1124	wmplayer.exe	89
PID 1124 wrote to memory of 4776	1124	wmplayer.exe	89
PID 1124 wrote to memory of 4776	1124	wmplayer.exe	89
PID 1124 wrote to memory of 1652	1124	wmplayer.exe	90
PID 1124 wrote to memory of 1652	1124	wmplayer.exe	90
PID 1124 wrote to memory of 1652	1124	wmplayer.exe	90
PID 1652 wrote to memory of 2960	1652	unregmp2.exe	91
PID 1652 wrote to memory of 2960	1652	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\res\sounds\jump.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\res\sounds\jump.wav"
  2⤵
  PID:4776
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
369acb2e991fba1b6be44f39b48184f0

SHA1
9458d1a652bdbc72f3c3ee7796b0cdfb669fd0aa

SHA256
3a6d6dbf4146bfb3d9a9326388cea2a674f2934c6bc0b6eb0c4479127086f728

SHA512
711cb273b05fc2f143b273c1ed03c3676ac81c0b625dd70bd8da9d553ae4de515924ad4d718882f8b696f446feceb0bee2bc6cd56791dafd7544c7bfcd49d85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
95fb86bc36a6d2dc4a2946fcca3af8b8

SHA1
dbd82a8c71800362492c4854678f46c1904f7765

SHA256
bd3f6c7c79915e00a764e841dfece44bc0c8d0e913a4daaf2a98aa97c18782fc

SHA512
95e89f52f626e194f9e5884bb9dd40d63e13a243bc4bdf5e12a5889defe959df234d8985d8b9fc114999d6c1204be9b6ce4df1d54310a3713af78052d20045bb

Download Submit