5238d48cc96b09b7b46def69e58eb2dddd0a0172ebc8218f08871d2a045cf9e7

Analysis

max time kernel
143s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hydra-main/src/main/events/library/remove-game.ts
Size

503B
MD5

4eb233f2a2b69a31a12527e0ebf664f7
SHA1

bdfd2b70d8b2a885d184b27e61fc52bf4b80c6fc
SHA256

2900aed8bcf509755844af43a713639a8b5c789c53b30d102e386ada1e71cb70
SHA512

ec0b9bb372f53edd7b6b38e64bb741beb8cec1c794fef594a0eba873f761661c86e4280edc0abc97529a91d52f4612cb0429c0490622e76aa7b7e55a13b0c9c6

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1448	unregmp2.exe
Token: SeCreatePagefilePrivilege	1448	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4632	2748	wmplayer.exe	85
PID 2748 wrote to memory of 4632	2748	wmplayer.exe	85
PID 2748 wrote to memory of 4632	2748	wmplayer.exe	85
PID 2748 wrote to memory of 4496	2748	wmplayer.exe	86
PID 2748 wrote to memory of 4496	2748	wmplayer.exe	86
PID 2748 wrote to memory of 4496	2748	wmplayer.exe	86
PID 4496 wrote to memory of 1448	4496	unregmp2.exe	87
PID 4496 wrote to memory of 1448	4496	unregmp2.exe	87

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "C:\Users\Admin\AppData\Local\Temp\hydra-main\src\main\events\library\remove-game.ts"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "C:\Users\Admin\AppData\Local\Temp\hydra-main\src\main\events\library\remove-game.ts"
  2⤵
  PID:4632
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
f63420442b67dfd4d341e8db8dd5ec7f

SHA1
6472a539757ba7ccade29887f2d86eea95b36af0

SHA256
48ef6c07237ebb2772b4ace5a724b6fe081eb4dc3f596955ab0fbe8d0fc064d7

SHA512
d43f7f4dedaf56f2b54951ef05fc7168e9d0d3829d5a8678ed6df4c10509259a4a86b0bc6e017397aa981a3908c5b00688bb668f7bec32a2a73fd6333fa82c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
50c2ce2a620417f1596534e46344dc10

SHA1
1d3d48c9062f52e1a7d739e0f0f115e9eb725310

SHA256
6c16df8af5fd4de38790ee2a5b402533846f15180a8e806970d70c06fc822d42

SHA512
ca26e3be1a4a0f3e200874921dedb5cd17470862ad86b6e5108017be8b09b27a02132a9f89f6bd9819f328953af466d383693f3f58905516c4a96abddd7cf437

Download Submit