2687c43908a9c1078a356a7afdbbe43febfa1658df002175e273093bf0fac8b7

Analysis

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01/06/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

banana-l-6.wav
Size

27KB
MD5

8e0047376e4e8ced539147959f55516b
SHA1

cfb52317de2ed7028018ae7d0f5902b130ab2bb3
SHA256

ab866428e11bc7ca67f70512d8f48a5c11a2a5975fae22849e77b536eca65228
SHA512

6bd34801557aaa7fa0fbe4bad4c26240df8067b35660bbc7ee8c9d0d185ff551dfee75a2dbe25ecd027781afe3875d2166def524772c0a47201e34e2976fdf65
SSDEEP

768:Qv62QkK3OybnAXpvSSPFgKmgHOrhHEJaZLBSSqrtbDD:Q0kK+ybMpvlPpnKEJGVOrtvD

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3992	unregmp2.exe
Token: SeCreatePagefilePrivilege	3992	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2616	2660	wmplayer.exe	77
PID 2660 wrote to memory of 2616	2660	wmplayer.exe	77
PID 2660 wrote to memory of 2616	2660	wmplayer.exe	77
PID 2660 wrote to memory of 1660	2660	wmplayer.exe	78
PID 2660 wrote to memory of 1660	2660	wmplayer.exe	78
PID 2660 wrote to memory of 1660	2660	wmplayer.exe	78
PID 1660 wrote to memory of 3992	1660	unregmp2.exe	79
PID 1660 wrote to memory of 3992	1660	unregmp2.exe	79

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\banana-l-6.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\banana-l-6.wav"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
1553f4412f0373d5333a9f12e49e863c

SHA1
c117ef6e8cd55a9bdf974a228bde97aadb440cad

SHA256
ffdb9c3d8773e354d5a048e7b48ab4bf684deef7d72482a1762c437ed23d0c8a

SHA512
ca76ad53c021753f43c166d147f03b873166c63e494f55e20da0077e96fc8dcb48a4012e94b14ae12cce86dfde5901e53ee233ff72b4d68ae7005d0744103ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
5b1a5f7344e3dd9dd6b2cdc7625b2019

SHA1
893d926ce28fbec413361a53734c03575c6ed0f2

SHA256
244d2a6f683a029dd7223ca1b2f2bf56cc140dd4249b072e1b75ae3f64f02565

SHA512
86a4114161232bedd500994c59223c517fa4c7d6bbaf68d50dae4ea772e22dc39051adf892c7b620e02dbd6ecf2458ea261dcbcebc94a329f4e027ac9c11ee37

Download Submit