377cee75f76ff14939dd062cca5363a6c48d5dce9c3e9b67bfcfaf98b3f39a0e

Analysis

max time kernel
1410s
max time network
1175s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
15/03/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

webcammictest_3_14_2024_6_44_29 PM.mkv
Size

2.0MB
MD5

5a3327451b9e2e895d1a48f4369cd515
SHA1

aa09a7c70f9bd7202aeb64c608edaa0fd8fc431f
SHA256

377cee75f76ff14939dd062cca5363a6c48d5dce9c3e9b67bfcfaf98b3f39a0e
SHA512

6f3055587fed8da9ccbbffc96031ffde3cf43e43ae0d9de4b2d2ec6ae8f618019d37ecaee860b7884c1e31e75ba051d215e9ee454da9499b15bdfbcdd9a0511f
SSDEEP

49152:wb2IxdY488lc0OGkW9bk4mRulCwDeoVvJk/lP3A31gfV7dOs:wqIxdY48rT1qbXmRSReoFy/lP3A3yws

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1924	unregmp2.exe
Token: SeCreatePagefilePrivilege	1924	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 960	5016	wmplayer.exe	81
PID 5016 wrote to memory of 960	5016	wmplayer.exe	81
PID 5016 wrote to memory of 960	5016	wmplayer.exe	81
PID 5016 wrote to memory of 1032	5016	wmplayer.exe	82
PID 5016 wrote to memory of 1032	5016	wmplayer.exe	82
PID 5016 wrote to memory of 1032	5016	wmplayer.exe	82
PID 1032 wrote to memory of 1924	1032	unregmp2.exe	83
PID 1032 wrote to memory of 1924	1032	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\webcammictest_3_14_2024_6_44_29 PM.mkv"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\webcammictest_3_14_2024_6_44_29 PM.mkv"
  2⤵
  PID:960
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
255a369f34dde3ae295134b078a51d4e

SHA1
bc538fc5b21398af2e4b62e6bb50d9956517fb5b

SHA256
cca1c0f3904bc5c89ce672e90ad14a9b238633e2ad38d2be9869cc3e6f4e138d

SHA512
a39e0d98f2e8b75edd09845202dcd9ceec03cdded438ab636fd860ed65dd790bcd5f37892ec82367be77843dd23889c261a1775ed3f5bbfa8824b3ccb5aadd91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
9b0e6a3b36c6068e20b3b365393478fa

SHA1
7e538d2bfbfea44524bafc0f15f4aca2a1f04d5b

SHA256
11da45c7608e7eba6cdb20e9215f4dd8ef15f2ee71d55e4b0dbeca2aeb9eb4f0

SHA512
e28f0a4f7c204bd9d5bcba213d163c8c849f139bebbfc0bb98f678416358b6e8634d9a0dbb16afbb0ccbf27c434e7c2b98df4ab188a38318179aa5e0a538fde6

Download Submit