0ae587f12695ccafab2f0328dffa444e6208ecad24e8840a5928911e5414ab36

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Walecz Ghost 0.50/Glorious Model O.wav
Size

13KB
MD5

bb5290981947263e1d7c1739383f90f2
SHA1

8d5bad78378c85136fda606dcd24dc188d91811a
SHA256

8073c19d8c2e2e1b3c63eb5073184af2008cabd909db5e0070086901025b66c1
SHA512

6ba8091fbe8d0661b00b6864f61299b3a7b360b98563dd2c1d051f0e718a4bebd52b86f1a022375506842695040b5e6d5af65807d59fc8e4fc1f397872f13188
SSDEEP

384:xAprjnRUCKawhWkmJqZ3aXgpgNxQ5pgyETmVA0qk:6YfT8kmJqpRpgNxrTVJk

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3596	unregmp2.exe
Token: SeCreatePagefilePrivilege	3596	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2308	4568	wmplayer.exe	82
PID 4568 wrote to memory of 2308	4568	wmplayer.exe	82
PID 4568 wrote to memory of 2308	4568	wmplayer.exe	82
PID 4568 wrote to memory of 1320	4568	wmplayer.exe	84
PID 4568 wrote to memory of 1320	4568	wmplayer.exe	84
PID 4568 wrote to memory of 1320	4568	wmplayer.exe	84
PID 1320 wrote to memory of 3596	1320	unregmp2.exe	85
PID 1320 wrote to memory of 3596	1320	unregmp2.exe	85

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Walecz Ghost 0.50\Glorious Model O.wav"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Walecz Ghost 0.50\Glorious Model O.wav"
  2⤵
  PID:2308
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
8de82f5c8343ebf7f3c996b195f346ac

SHA1
9f7ba7b3eb98e1e5cec0e4a8c301502c85b6a43a

SHA256
58a7214dce950428a0b67935753b994271e5c560e365307f4f96a0144363bc33

SHA512
03a2d93e46794295a6f940e690b72ec2ca411dc7adf5146de126d976b6f502297081334bf57b6e750b5593b8389a133b8f186a1e7d5ab98523929f64729480d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
67efe561e970fa3696c8c62d75f55318

SHA1
6b72530f4568d2b6c3512c6b0b4976f43c0cef57

SHA256
5fbb95e87ca900ef83d41112772eb456f97142640761b7f7e640849f718fd0b4

SHA512
63f6e50dfb233b77b7924164cbf836b1a6097c304d230bbf6ba424ca6eeb1e1c41fef96bfda452921d1c759bb90c32dbb894751f32f77f6d167524518c600c50

Download Submit