00fc115a1661162fbd2488108f9d142945fc44a9be3fd7c5af277e6b8ceb158a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YouTube - Google Chrome 2023-12-09 10-16-34 (1).mp4
Size

2.8MB
MD5

5fed90d08c6d47e4ab9c5db32d121835
SHA1

4d0096375ee92a5e1f663a45b5846acafed98d45
SHA256

00fc115a1661162fbd2488108f9d142945fc44a9be3fd7c5af277e6b8ceb158a
SHA512

a0166a6ae0f1a44f7c4384559fbacde18640f36330aceae081e1c7951382d7233ade98b8f745eebb0c90018733565407407f68fc2e68c27d89663bff3151fc21
SSDEEP

24576:3u5X7PRJuaBhlekEfYW8MO3TYW8MO3wYW8MO387acwwjuXYA+mMkab8coTHK:QpJNBbeKJ0JRJ8IwKXYFzV

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2712	unregmp2.exe
Token: SeCreatePagefilePrivilege	2712	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3716	2456	wmplayer.exe	82
PID 2456 wrote to memory of 3716	2456	wmplayer.exe	82
PID 2456 wrote to memory of 3716	2456	wmplayer.exe	82
PID 2456 wrote to memory of 3468	2456	wmplayer.exe	83
PID 2456 wrote to memory of 3468	2456	wmplayer.exe	83
PID 2456 wrote to memory of 3468	2456	wmplayer.exe	83
PID 3468 wrote to memory of 2712	3468	unregmp2.exe	84
PID 3468 wrote to memory of 2712	3468	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\YouTube - Google Chrome 2023-12-09 10-16-34 (1).mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\YouTube - Google Chrome 2023-12-09 10-16-34 (1).mp4"
  2⤵
  PID:3716
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
6d37c77b1258c734cee5222fe9f54588

SHA1
1787bf68ba30bff360f599648e3fa703b05ab9cf

SHA256
0bff85979e3b8299ee9f3f89d964e5b16d7c0ab3945ba6396b07295a33cc026d

SHA512
04c5338a8f686aee2d43557258dccab9b57e0086c0ff834e8ba693b81b6058467e6c35206000de6ed847fc51fd2e3a2ddbc1b52586f006d0eb429fed097006fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
714cd5c829628d284654e983470a6720

SHA1
3a282af726753b68d729fc37ae58e9564788685e

SHA256
05448975786c8ac4559eb584a631a6757e71086160998b539d0375c4b48ddb42

SHA512
48b5dbaa8f5abaf84b44048cf4f718de8984a531eaee6f47bda745ad580825dd45dd28ca07f439720c272c6e7e2d4d0c6cefb41e048874387a477d121cca9634

Download Submit