9a849553dc8b95453d415b46b74aa15d34e38c42ac6ae7aa9b7a60c21f260e73

Analysis

max time kernel
1376s
max time network
1173s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RPReplay_Final1711696303_prob3.mp4
Size

31.0MB
MD5

5ea1adf1e33ad093b1c27a02571b68c8
SHA1

cb66b0d6d23c7e10ec8ce9d39537acb1f463ab38
SHA256

9a849553dc8b95453d415b46b74aa15d34e38c42ac6ae7aa9b7a60c21f260e73
SHA512

e74dff6d848684f27b0cdfb9f63dc3bed1a5207f8ff0dafea8e23760552fcc110fdaab3b85b13e8e1f88df79e8b77a8cb9d939b340c0e93c99a8149e18e192db
SSDEEP

786432:KDjHk3WLDnWlJCvX/pOguq3ir486yTemVNc267Tnjrst:KPHk3ADjoguKy6mVBGQt

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4044	unregmp2.exe
Token: SeCreatePagefilePrivilege	4044	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1236	2152	wmplayer.exe	89
PID 2152 wrote to memory of 1236	2152	wmplayer.exe	89
PID 2152 wrote to memory of 1236	2152	wmplayer.exe	89
PID 2152 wrote to memory of 1660	2152	wmplayer.exe	90
PID 2152 wrote to memory of 1660	2152	wmplayer.exe	90
PID 2152 wrote to memory of 1660	2152	wmplayer.exe	90
PID 1660 wrote to memory of 4044	1660	unregmp2.exe	91
PID 1660 wrote to memory of 4044	1660	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\RPReplay_Final1711696303_prob3.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\RPReplay_Final1711696303_prob3.mp4"
  2⤵
  PID:1236
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
0bb2fd228acc87ed5fd007c6b27c08dc

SHA1
7aab3ca1e8e3e468093c47b69b95f7cb1dc82c70

SHA256
6fa66e331c176473c46c6e05c32cfecccc7b5dfa7431d0fd964b66e36e4be96f

SHA512
2482fef551adf338fc564a942d460f16012f51dda0c1676fc43929718a4c6f3a6d31c5189eec2427a63eb3fc225c00c943677a4164c64c5f0afded5a09f1e008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
99832820e3089204a014a077b6cf2303

SHA1
c88edafe572ab2de97b391f09854d83c5302fa69

SHA256
57796dbecc62c70f8a6b06b5e1809d7e36b4d68a9fb97f600de76824e8e5b593

SHA512
84d3132cfda9942a41e2f04ccadba15bfd3c23c387d86b3df53b9ecd8156846c958cb697cf575dfcee028d971f8ab904f9d24fb48d39c2c9ffe84e028fa4ea92

Download Submit