2a29407a012be17087edc4de06d1c4ae96f72ae52097aaa98bc2707d7d7624c7

Analysis

max time kernel
90s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$INSTDIR$_8_/Data/amp_models/Marshall JTM45 - Matchless Chieftain.wav
Size

4KB
MD5

14071c09dc0fcddc7c946ca2bffeb959
SHA1

a130721134a1a173a7a35ca9e01a386aa0089049
SHA256

f48c5bb9d4515a0de774181e043856e444d29adbb46ffb454480b2824e43bf42
SHA512

c98d75605173f67935f425dc37a8316c6e8f911daa1e7660d433e60b68c9d235a29ba205a8a9c4336bb86fbcf62398685aca5399f9f1acc638e9c08c757e919d
SSDEEP

24:LU8hwj97QAxEmusQVpaXCUG/SI6Es6g8K:LU0wVXEmCVyGB6fv

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	316	unregmp2.exe
Token: SeCreatePagefilePrivilege	316	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 1416	4688	wmplayer.exe	85
PID 4688 wrote to memory of 1416	4688	wmplayer.exe	85
PID 4688 wrote to memory of 1416	4688	wmplayer.exe	85
PID 4688 wrote to memory of 3788	4688	wmplayer.exe	87
PID 4688 wrote to memory of 3788	4688	wmplayer.exe	87
PID 4688 wrote to memory of 3788	4688	wmplayer.exe	87
PID 3788 wrote to memory of 316	3788	unregmp2.exe	89
PID 3788 wrote to memory of 316	3788	unregmp2.exe	89

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\$INSTDIR$_8_\Data\amp_models\Marshall JTM45 - Matchless Chieftain.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\$INSTDIR$_8_\Data\amp_models\Marshall JTM45 - Matchless Chieftain.wav"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
fe031cf476a70ce46f5ed0b82e08d8cd

SHA1
8aaa77da0dc0107a5d14943e9007a3b6a296a02f

SHA256
01ee57c092dcbf9863521d824c30725dca0def21b62f17196d9ff28a1fac6a1b

SHA512
23bf150b400cba27ef72dfb918d50620330afc07a6e12fda967a2ff75a33c09ecbe36096b42f9763472b3cb04fd7b3c20320bed89077c8b6f033d9f6573963df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3bd2b442e9be675ab5742d193cbf4e63

SHA1
f28f3f18976acf2e9df160dbf4b6ccd02bf877fd

SHA256
4e477332d4a0a04df8f5ed6ddd01ed69ac405dc4744c0ac0845f1ff832bef309

SHA512
931d2a45e759ff94d9c81a34d79e1e0e8bc0951999ce67d6bb05c590ada4e5160a3b2c6e6f1e4ccb62497275e66bfb352117b6171417e4f119de6a3e86001f19

Download Submit