2cdc5c351578a9ba3339688858ce7549ea4f1c200466eb5c1f700e21535a9e78

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11 18-45-57.mp4
Size

22.5MB
MD5

4abeafdeaaed608dc5ee34d65ac1cc75
SHA1

fee48d0b9fc7ed74e6d90dbb4f79df0c90deec8e
SHA256

2cdc5c351578a9ba3339688858ce7549ea4f1c200466eb5c1f700e21535a9e78
SHA512

45a7de4ecf315f48bcc07d1ec5bcd1e1a2e81d7f5585e84bca9b104f32aa5208c0bcc415b6d6f636ae6358baeccd450c7bcd59f092bb9b31ddbcab9770def477
SSDEEP

196608:FMbqM1ArJeqxmMj3QjXYyYXdQcMOyxQIuxjc2oeWgV8XosezYZiOQ1aDaMUW/RY2:Gx1ArVsjGucMOybuxvozXqYZXveNW/t

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4516	unregmp2.exe
Token: SeCreatePagefilePrivilege	4516	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4964	4780	wmplayer.exe	89
PID 4780 wrote to memory of 4964	4780	wmplayer.exe	89
PID 4780 wrote to memory of 4964	4780	wmplayer.exe	89
PID 4780 wrote to memory of 2692	4780	wmplayer.exe	90
PID 4780 wrote to memory of 2692	4780	wmplayer.exe	90
PID 4780 wrote to memory of 2692	4780	wmplayer.exe	90
PID 2692 wrote to memory of 4516	2692	unregmp2.exe	91
PID 2692 wrote to memory of 4516	2692	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\2024-06-11 18-45-57.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\2024-06-11 18-45-57.mp4"
  2⤵
  PID:4964
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
26e4064ee797380fa9a8cbb624bd73b2

SHA1
4ec24c0ec5b7f2481a7dafd738b199f687b7c531

SHA256
47e13bfa02bc2f2892a1599b36ca95f4172fdf75cf4d0ea58fba8ebc1633c85d

SHA512
1631279ab6c3b3409235a8c896bba292255b6b67f62d431af51301572c20484f96b2f357ffc818fa9f2d87f7f5bdb12d692ce561d9f71035e16814d8ea7d1590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
67b49cb2fd96be7ed93250aac5ba199d

SHA1
eeb7762bd6c46bebe713684e1d81a3d6e79bc464

SHA256
fae8a20accbbe5b46f3e8fa57f28c8606f335a79e4a8e25a37a58e05a2a700c3

SHA512
40f2a01ce9f6b894c1463fa7732aa112c5bcec234f72cbdfd45d856b8183791a9a440c54239533c69ef94fd1e2ea0d2cd79c40949aed27a23a0fa0ccf945f1af

Download Submit