2503f29cc195371a6556b0c271504c61cdec5cbc12791d05c1893be713e7749f

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/05/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f734a813c15-master_playlist.mp4
Size

10.5MB
MD5

68896fd6f0dc69d62fad2a6878fad57d
SHA1

6ea058ea2e3a2b328ef717645aca8a78a16037ed
SHA256

2503f29cc195371a6556b0c271504c61cdec5cbc12791d05c1893be713e7749f
SHA512

72928efc510b50002c287b0a135bf07c08f426a678746b4cfc93fa6e60a4e3986e4ea7743a1a19a97665ad2abf3c0608a3f85f787a5a993e831e3ae37defac58
SSDEEP

196608:Vb5N2UuRJVoKdqhi7HOFlwX5lN3gFDO+Q7fCOZh+Bk3tQwRiie+t9:lURJVXaFGVQ9O+Q7ftdQyiij

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	892	unregmp2.exe
Token: SeCreatePagefilePrivilege	892	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4268	1360	wmplayer.exe	77
PID 1360 wrote to memory of 4268	1360	wmplayer.exe	77
PID 1360 wrote to memory of 4268	1360	wmplayer.exe	77
PID 1360 wrote to memory of 3116	1360	wmplayer.exe	78
PID 1360 wrote to memory of 3116	1360	wmplayer.exe	78
PID 1360 wrote to memory of 3116	1360	wmplayer.exe	78
PID 3116 wrote to memory of 892	3116	unregmp2.exe	79
PID 3116 wrote to memory of 892	3116	unregmp2.exe	79

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\18f734a813c15-master_playlist.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\18f734a813c15-master_playlist.mp4"
  2⤵
  PID:4268
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
4e74a9605432144116fd448bf2e56023

SHA1
db892d2f0755ece5ee8975e69b082efc4c7c7bd6

SHA256
fa17c7da7b02ab3bcfc24db668a7adf86fe1d1e754ca893385b9a1d089d1a54b

SHA512
869a7b5aef860a7c3774e37f8b7e7a18c3c2cbe1eda4b1158b8d40073205d06c5229b0c3a34afafabd98c3b17d1c613cd966e420167d2664d06b8f5b7d0c28b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c2fbfec45248bc807d2e1720449cb719

SHA1
5c1c07c979b3fea9d96622655a8e4481e2f1d8a7

SHA256
6540313df59fb87e71ddb850dd190f9c07ba24456beb1c79aa44ed942ec4511d

SHA512
5542c3f9375cee8d688975fe927dc84763a2328f99a886f7e55f3341ba0480e7f0a04f3030f6208ed79798cbb31ed7567eb97a2bb61245399f6dbb2e3f1d1bec

Download Submit