26efa8b5bd37a5a0486311c7a983a6cca22c0887369889045325fa8a3e7dc908

Analysis

max time kernel
129s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAGINA x FORCE.mp3
Size

4.2MB
MD5

fed815ed1d8704ed2a32d3d6389c26a7
SHA1

07e11cb0639fe6d0b2f55f88de6e5752ab65b506
SHA256

26efa8b5bd37a5a0486311c7a983a6cca22c0887369889045325fa8a3e7dc908
SHA512

2382894774bb5edafbdc3314d9d53b694acd03bc337dae6c74a9dd4d0aa78375cf27e7558b74c21bbd3e83f7a393864af7734cb6813841c5dc766390dce67ef9
SSDEEP

49152:NaozkU9TJiiIMjdcHxeZhxfndmwuI6tALGkH9NUCKtejuJeBSmRT5DLztv4lzfB3:pzX9ZvnswuI5pd/e/yH14tyHnKQhkCeT

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2076	unregmp2.exe
Token: SeCreatePagefilePrivilege	2076	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4840	1712	wmplayer.exe	83
PID 1712 wrote to memory of 4840	1712	wmplayer.exe	83
PID 1712 wrote to memory of 4840	1712	wmplayer.exe	83
PID 1712 wrote to memory of 3820	1712	wmplayer.exe	84
PID 1712 wrote to memory of 3820	1712	wmplayer.exe	84
PID 1712 wrote to memory of 3820	1712	wmplayer.exe	84
PID 3820 wrote to memory of 2076	3820	unregmp2.exe	85
PID 3820 wrote to memory of 2076	3820	unregmp2.exe	85

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\MAGINA x FORCE.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\MAGINA x FORCE.mp3"
  2⤵
  PID:4840
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
063793e4ba784832026ec8bc3528f7f1

SHA1
687d03823d7ab8954826f753a645426cff3c5db4

SHA256
cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd

SHA512
225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
fd0bcfc44f0d0724e14cea3af0ad11e0

SHA1
039e419e71fddfa019814cb4286bc52debc9e3a5

SHA256
5410f30d072f478d6c1d1d697aa2caf2f49294c85e8ba9027c0af20c520d8623

SHA512
b7ec2b41bfd34dec466a63d89ff076a041f675ab60cc4d20dea89916273fddc298e4dc8140aac062aafa1545cc0056ca376235b5388bc0571b9a699547e5ad58

Download Submit