4d5a45b4114607be73e3e2a9a29eb63ac8035e388006e0dd1be8ae3a4920c180

Resubmissions

08/03/2024, 02:31

240308-czpglsea8y 6

08/03/2024, 02:25

240308-cwmtlsdh71 6

08/03/2024, 02:20

240308-csentscg72 6

08/03/2024, 02:19

240308-cr474acg67 6

Analysis

max time kernel
451s
max time network
459s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2024, 02:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

all-my-fellas-made-with-Voicemod-technology(1) (mp3cut.net) (1).mp3
Size

704KB
MD5

0fe5a256aef20be5cc99e274a8e88cf0
SHA1

3c7e1839ced527df5824a514c06956a911fe28b0
SHA256

4d5a45b4114607be73e3e2a9a29eb63ac8035e388006e0dd1be8ae3a4920c180
SHA512

b436cb8ea9576cdfe81b32492b4791385b086bcf43dadc5c1ddc58df15ab5ee6ad1f748e99484f84b42371b8202d7df8b140f160bfda162079c3bf008714a6f3
SSDEEP

12288:7NV7OtwfLJMdgnJjKmgsaF4wJ+vocKJdShPCxuViCvZsDq8FUgRj0CE3L55oQ:rOtwfN0yfgKwJaKJoVpGDTFFhMnoQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2768	unregmp2.exe
Token: SeCreatePagefilePrivilege	2768	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 480	1468	wmplayer.exe	81
PID 1468 wrote to memory of 480	1468	wmplayer.exe	81
PID 1468 wrote to memory of 480	1468	wmplayer.exe	81
PID 1468 wrote to memory of 3756	1468	wmplayer.exe	82
PID 1468 wrote to memory of 3756	1468	wmplayer.exe	82
PID 1468 wrote to memory of 3756	1468	wmplayer.exe	82
PID 3756 wrote to memory of 2768	3756	unregmp2.exe	83
PID 3756 wrote to memory of 2768	3756	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\all-my-fellas-made-with-Voicemod-technology(1) (mp3cut.net) (1).mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\all-my-fellas-made-with-Voicemod-technology(1) (mp3cut.net) (1).mp3"
  2⤵
  PID:480
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
189f9afb0ddeebccf446c000322a7823

SHA1
0a227d65112dc3bd21b98e439ea7c522d4b38ccc

SHA256
6e6edf5a7a2fd104040c5d52401eaa1568ea6ca02d38c0e2c122e3d903fda062

SHA512
7f81576b50abaf09e934682a5c76da96791a2ea76300416eb7a649d3d5014ef96d38d593ee7b0e7dce807bfdab086a2015fef62e3e7623cf46eee24e85c5e012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3f33feb7378f6cefe63024020f1e5ef6

SHA1
0c44f84154125d01c9a035acb74c26190ccdaabd

SHA256
f239e6600ebf2f92f4a8f5b040e76b179e646bec63b5128e537f0ae30bfc8ec0

SHA512
6230dacc924eefbadfd01f1c860e6c515064b25724288ebbcef50c37f8570f6ca331f1d250dfd097f00c88ca8b3963d099b42c7f086b4e324e540cc9b9940c7f

Download Submit