c95f37ac4a63b77b5a5a420ae603552cb71642c578488b784d10775f40be9d21

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30-04-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOUND1.wav
Size

54KB
MD5

38b1bea5b20ab16f35c8cb1c4173102e
SHA1

dfe41d51a938ecfae109bbbc61a123591e41b327
SHA256

6b2b9e2bdd1ca7854c44d93f86167b6f54fbd0cd702aee47a46b5807a74d4571
SHA512

17653385727adc4aba276ac198d980d9a0be20a4e645078895a54e01825419db62d47836aa47e84c04db3e703f4857c9b87a231bc00eb74793edc991b88a478d
SSDEEP

768:DeYdDJwqopA7vkRsofj6BFQidZlLh3p8SSqu6xOYRsUhMUXaWmMCMlyiE:L7lAKUsuuXhZp5pSkRsUyyBFlHE

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4380	unregmp2.exe
Token: SeCreatePagefilePrivilege	4380	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3956	640	wmplayer.exe	81
PID 640 wrote to memory of 3956	640	wmplayer.exe	81
PID 640 wrote to memory of 3956	640	wmplayer.exe	81
PID 640 wrote to memory of 2212	640	wmplayer.exe	82
PID 640 wrote to memory of 2212	640	wmplayer.exe	82
PID 640 wrote to memory of 2212	640	wmplayer.exe	82
PID 2212 wrote to memory of 4380	2212	unregmp2.exe	83
PID 2212 wrote to memory of 4380	2212	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\SOUND1.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\SOUND1.wav"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
f8463b14a6866c7f8970e134fb19a1cd

SHA1
ffa614c78162cb3c40c6b1679b87b2d0d54d5f2a

SHA256
125750bed180e3b65dcf7756bfa52f4902e355f2fa0b1adc63c9c87b1b523448

SHA512
6d13aaea308c171cc698c64ed2d77d20dbd33a185a9cf4e5a6059f4396b3cca0d5cb2a4ab7b534bb2b338567fee6a51dcd532261dd7d148a6d460a04676f733b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
55c9d683ab4ad907497e0414c4075577

SHA1
069831afc9cf43e5f0e2e010ac10efd877f92744

SHA256
9cf76dad2f88028ea0a6d4296d41322b658b1a72a66499d470eecd9445c023c9

SHA512
92286ae501dde2cf63ee90ba1257200020ec2eda1f5d603d46e0bb0185310eddf1ca4e1c0fb38d8d61143f13d7943340fac7a6cbc4c30e1bf2aabb40efe03eee

Download Submit