981eeb419fd3ac1a7701cebe39149c89c8ba22a389936e93b3984d9640fdfad8

Analysis

max time kernel
139s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

art/sound/engine/0BE1F1A5405C187702AEE893B40ABF5F/EXH_1476.wav
Size

190KB
MD5

be9bc7f8382029f0978c8961169c4dbd
SHA1

7c77be1cc96317c16364bf2a3f3e9ee7ea0bf055
SHA256

4a5917cb03e80576946a4a207c9efb0537407a688744a62bd5b337c38559ab68
SHA512

5f945cbdf602cc5ec64f6768c460e7883e1983a983fcb73c8aa1d6e1fd3f598b26009221f066ca13cb0c1c6e0317ca2ea7a0471216509534101264c869b75ff2
SSDEEP

768:/hHtoNyn8q+aiiJ95tbLqft2OKmolp2mTDEJLOLRM3RH5ZKmm+8pvI+KoFwqq4DU:foYki74oFgEEI9iPm4T

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4832	unregmp2.exe
Token: SeCreatePagefilePrivilege	4832	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1328	2816	wmplayer.exe	88
PID 2816 wrote to memory of 1328	2816	wmplayer.exe	88
PID 2816 wrote to memory of 1328	2816	wmplayer.exe	88
PID 2816 wrote to memory of 3340	2816	wmplayer.exe	89
PID 2816 wrote to memory of 3340	2816	wmplayer.exe	89
PID 2816 wrote to memory of 3340	2816	wmplayer.exe	89
PID 3340 wrote to memory of 4832	3340	unregmp2.exe	90
PID 3340 wrote to memory of 4832	3340	unregmp2.exe	90

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\art\sound\engine\0BE1F1A5405C187702AEE893B40ABF5F\EXH_1476.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\art\sound\engine\0BE1F1A5405C187702AEE893B40ABF5F\EXH_1476.wav"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
fa81ac9d11312d08cda5318b23f5368f

SHA1
efb02c7b93caa23466c27eed2f14a8bcb65722dc

SHA256
383d9228bc970154fff16b12944f98d720f95c497cc181db04fd5c92324483e2

SHA512
46d6c97115b54bb2844b2108456c3ed4641e1431e747859f9186ba5f581d11aa873e57e89897cc167f28fa77603134fcf5223ebf1389e6512fd575a506ae3b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c4ce68fb7bb533bf2619d35545436de3

SHA1
64a38c63378d0255b2580e9cfa6b822d05fb7329

SHA256
7d10ad0b0ef11eb01bd2fd8f1b5644679106cf67a07b0c1df7ec37a9215a5208

SHA512
7f61d4609ebb1da258a82eeba7ae4d6ea0ad28260fe95e7c948606b8a84b87d28f792a3c215bc34373db0001992ab9f7aeec98a281c7d413d23b8ea520c5a40a

Download Submit