981eeb419fd3ac1a7701cebe39149c89c8ba22a389936e93b3984d9640fdfad8

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

art/sound/engine/0BE1F1A5405C187702AEE893B40ABF5F/EXH_1126_P.wav
Size

190KB
MD5

8592fbaf555d6e2e305e433a586f0593
SHA1

62ccb8131df4265e895fb9a685fd3a6c72c56c14
SHA256

05425137e97c954b4d6219f062bd2233879708579e3bd3a0b3daad5db38b7853
SHA512

4b11d2d3029378fb28373166ab984c8432d37512f044ba31a0a46a813019e66836b04f407025a709fa3ce20c511b855aceb1f586e4ebec2b8bface3efb312ffd
SSDEEP

3072:zFsFNkUeP8JK0MDcCrbXvXTgQMxW7wBmTY/y/2eltmKUGKITPkar1zd6FyNMe:zUWUzXMDcuDIoSPRUsar1AFeMe

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	unregmp2.exe
Token: SeCreatePagefilePrivilege	1648	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 808	512	wmplayer.exe	85
PID 512 wrote to memory of 808	512	wmplayer.exe	85
PID 512 wrote to memory of 808	512	wmplayer.exe	85
PID 512 wrote to memory of 2240	512	wmplayer.exe	86
PID 512 wrote to memory of 2240	512	wmplayer.exe	86
PID 512 wrote to memory of 2240	512	wmplayer.exe	86
PID 2240 wrote to memory of 1648	2240	unregmp2.exe	87
PID 2240 wrote to memory of 1648	2240	unregmp2.exe	87

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\art\sound\engine\0BE1F1A5405C187702AEE893B40ABF5F\EXH_1126_P.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\art\sound\engine\0BE1F1A5405C187702AEE893B40ABF5F\EXH_1126_P.wav"
  2⤵
  PID:808
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
6ce7fa716eb7aefdd1f3ef713dc26612

SHA1
2ae138b9ac3ace8236363e688642c3a6bc9f6457

SHA256
25389d6a10b93d09f70935f60e2c3f9f7da52dd0d3b01e0b168bd7c10b0bb769

SHA512
048d17b2a1d72b03c7c2d5982712eb9b15a4246ee068899ada14d6c551cf33f086ff49f61cbc7790df7e4f16eb43b4ec0ec4bbbab9d63b9b70c1ec06fe498ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
6c4b6c0a14f49c5779faf58dcb2dce15

SHA1
3efdd19a5a86b8f4a3b87cdffa66a921c5f6e4db

SHA256
8afedef3b85a1b92a6d0745d06db23d3b9d5a073eb821cb69cc9470dee7c667d

SHA512
797f80da2b32b26c1865b2741cec9f037f560da62117aad49019dfde98ece07e8eb88fcaafb8ad5eb441a47948581eb04af02e33ef80241ee7325d0f56db720e

Download Submit