a54e7937a7d8601f0cd2315e38837b7195bdd1b29d35e616a50b4568161a7906

Analysis

max time kernel
116s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R0.dll
Size

325KB
MD5

38a6652e7a8118942b44ffc0687d31eb
SHA1

91024291704982d9ba02a62528910d9edb5f147a
SHA256

9d902c723813dedea3b6f20e1537069cb3b4c93da111de8613f567128b186db7
SHA512

63e72b7c6ee2d30ff64dc6d7b4792429de5da91f316661454f90c0bafd7ac80ff2acb50c47f3ed2dd188f23f0154bd730f986bf9c3750b117fb89d1bfbd8eb59
SSDEEP

6144:fgqInfyzelVccLURaRRULJ2uyC/mCectRlJ:YqIn6OLSarFuz/FRP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2704	unregmp2.exe
Token: SeCreatePagefilePrivilege	2704	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 2320	612	wmplayer.exe	96
PID 612 wrote to memory of 2320	612	wmplayer.exe	96
PID 612 wrote to memory of 2320	612	wmplayer.exe	96
PID 612 wrote to memory of 392	612	wmplayer.exe	97
PID 612 wrote to memory of 392	612	wmplayer.exe	97
PID 612 wrote to memory of 392	612	wmplayer.exe	97
PID 392 wrote to memory of 2704	392	unregmp2.exe	98
PID 392 wrote to memory of 2704	392	unregmp2.exe	98

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
1⤵
PID:4008

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:612
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:2320
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
dbfc662304aa4236ac6c685fdd3ee597

SHA1
bee96b9256c93a35398a8c6a341da9470c6101c2

SHA256
dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

SHA512
6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
b5fd0492bb43bafcfd19978a2e31c12f

SHA1
8ae45a0dda7c13333b1eacb08aa2dd9e46bdb7ff

SHA256
2f0fef73b56c40af2c1ac049b959dd978a28bec9b9b7aaa465f6d5b5e1e53772

SHA512
5f0cec861d64da023e12bc572ba76bafaaa5014558e6519d50dbea9b21cecd618b6147bca93ca34e529c00682524985ac7c0f0e7ff4beb3cb935881656b72fbd

Download Submit