cb7fedf2da66d8f6500554177d6a79219e9334941f13295aab0ef2174eb87dfe

Analysis

max time kernel
453s
max time network
1175s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Россич дай черепаху.mp4
Size

2.1MB
MD5

70bd2305458e17881abe099f5a66de14
SHA1

ae3a4af43c50bb808fa09be350f217cd35a058a4
SHA256

cb7fedf2da66d8f6500554177d6a79219e9334941f13295aab0ef2174eb87dfe
SHA512

cce762ee41f22fb01228bd85922ca756f41218ffbae720c12ebf1b6cd4c64dee39894cfe2b9a411e6b1e0e1aebcbe053f029991a1916f9ff39d15446188140ef
SSDEEP

49152:ePM8Q1y+e6XQFojMbISMatQICE6qUnN11+9aXQHYwY:et9qMEDubUN1YUgHYr

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3216	unregmp2.exe
Token: SeCreatePagefilePrivilege	3216	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 224	3140	wmplayer.exe	82
PID 3140 wrote to memory of 224	3140	wmplayer.exe	82
PID 3140 wrote to memory of 224	3140	wmplayer.exe	82
PID 3140 wrote to memory of 656	3140	wmplayer.exe	83
PID 3140 wrote to memory of 656	3140	wmplayer.exe	83
PID 3140 wrote to memory of 656	3140	wmplayer.exe	83
PID 656 wrote to memory of 3216	656	unregmp2.exe	84
PID 656 wrote to memory of 3216	656	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Россич дай черепаху.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Россич дай черепаху.mp4"
  2⤵
  PID:224
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
c7ca2711d80cd052da0d98ce7e6dec6b

SHA1
b051f0425224cf70e3a10636c21bf113bd1cd301

SHA256
a0c1147d7f6adb99735dc3fa370ef6fb8e6ddd3687eb7afd677af5c71df6957f

SHA512
487b985fe8a4fb9a0cb59ffb0b485133e0b089115e36b9bc3f0cbb64babd899daf1b282a9554b45874a59a4c7d9c07db370650c28a5731bde50f52e66a0fc0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
237f08b6d2b359c4308cc113c2bef48c

SHA1
023377cb3688b80f7800bde416492cd8c4cced62

SHA256
406e7901a13e7dba16535a45630d0c4b6cd4782ea793087c9c79643711cf15ad

SHA512
c3654c821135df2b7e978b86dc15933d9c9094e4dd6efbd0cd4fdf1706092392aab17b75b43146a3c8e66d6ec4c6c5767b4d55ebb2b66999c39387b99e238a38

Download Submit