1df2791a20be400946e1c40ba5edb2d860a29b7d4ec37a50c8453bed7645f9a2

Analysis

max time kernel
85s
max time network
91s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27-05-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mechatronics competition @ the 18th YouthSkills in Shizuoka 2023 .mp4
Size

21.3MB
MD5

d4b871404c85b932abea661fa734fa6d
SHA1

87a95cacfa84567ff040f212fbc0781f8414b035
SHA256

64421a56407e3b4fa38f8dc140a5cc9721f8a376bcda361702eabdeec3751d61
SHA512

87ad22df17c97acc2f026b1d035154a2512df63c22c30c266bb1436c80e54f2e6e70b1d955296f42c07a609f04e6c6dd98bfde967a8e377ed2c405718e933948
SSDEEP

393216:XlCzcm9xbvllFH0bfmPd6VCtweKtNvIgV60M5N+m/muuIkze32P4BlvXU1zljH5o:X89Ddxl9wbDG0tulkzU2cMf1wZ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2964	unregmp2.exe
Token: SeCreatePagefilePrivilege	2964	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 2760	3144	wmplayer.exe	76
PID 3144 wrote to memory of 2760	3144	wmplayer.exe	76
PID 3144 wrote to memory of 2760	3144	wmplayer.exe	76
PID 3144 wrote to memory of 2304	3144	wmplayer.exe	77
PID 3144 wrote to memory of 2304	3144	wmplayer.exe	77
PID 3144 wrote to memory of 2304	3144	wmplayer.exe	77
PID 2304 wrote to memory of 2964	2304	unregmp2.exe	78
PID 2304 wrote to memory of 2964	2304	unregmp2.exe	78

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Mechatronics competition @ the 18th YouthSkills in Shizuoka 2023 .mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Mechatronics competition @ the 18th YouthSkills in Shizuoka 2023 .mp4"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
1553f4412f0373d5333a9f12e49e863c

SHA1
c117ef6e8cd55a9bdf974a228bde97aadb440cad

SHA256
ffdb9c3d8773e354d5a048e7b48ab4bf684deef7d72482a1762c437ed23d0c8a

SHA512
ca76ad53c021753f43c166d147f03b873166c63e494f55e20da0077e96fc8dcb48a4012e94b14ae12cce86dfde5901e53ee233ff72b4d68ae7005d0744103ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
e60e9b498fd693a14fcab89f5056e8ab

SHA1
e2ff1d5912fa2f74274c1c066ae15ad7bf7a701b

SHA256
ba3f8015a5615998a2abd145d5da438a41ec4e926310c38c6249c4f182f6cb5c

SHA512
b84b49641a2c3b3db64a7f492470756ccbb1728259cc1e2ded300906cde84b297d674128d3e13d3d3ccddaf5ac05157b2ee0baa8935cd29d523bb961d66df9ae

Download Submit