c5cfa9fbb37485f0e29941eeccf61631e35993193fec6e6e575e2b0320c5308b

Analysis

max time kernel
52s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-es
resource tags

arch:x64arch:x86image:win10v2004-20240508-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
14/06/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lorena2.mp4
Size

9.9MB
MD5

214f1885246c20f3cb4d7b24b0598957
SHA1

964e0de4cb74efd20bf6b65b7eff632debb8cf5d
SHA256

c5cfa9fbb37485f0e29941eeccf61631e35993193fec6e6e575e2b0320c5308b
SHA512

485b691bd48bd4f782376219bae0cc94040abae2e71e7fcce2d262b0167dd5c547d1ae4a3351fe34c0f0151c9a88df10699d2d1d5f373c6a67ce09db09e11884
SSDEEP

196608:/V1VPox8X6ydU7bWEdTtRw6vEPwbVopojgBISEdWGJz8leeaUAhbcjjnSob62Hzt:/TVPo1ydU3WitC6sYh3jgihWIkebUuAL

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	792	unregmp2.exe
Token: SeCreatePagefilePrivilege	792	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1632	1216	wmplayer.exe	82
PID 1216 wrote to memory of 1632	1216	wmplayer.exe	82
PID 1216 wrote to memory of 1632	1216	wmplayer.exe	82
PID 1216 wrote to memory of 1496	1216	wmplayer.exe	83
PID 1216 wrote to memory of 1496	1216	wmplayer.exe	83
PID 1216 wrote to memory of 1496	1216	wmplayer.exe	83
PID 1496 wrote to memory of 792	1496	unregmp2.exe	84
PID 1496 wrote to memory of 792	1496	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lorena2.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lorena2.mp4"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
622a236c2be442884b47bc82f954a3eb

SHA1
eeba94da06d767658e88a7f44bbe2a80e5460fe8

SHA256
0d9940de8aee24abfe52c42eeb68ecd5d5d1ed6903b027ac4735a94b2b8744cc

SHA512
c0d4fb8bc74b0b203628ffe2dd9e95dfaae17aa96b98d34c438d73e57da57d719ac4d062e7cbf5fa11102453475065ff36c996b4f8d1883ae4e76d602c422ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
eea5c7d84e29b698bf4c7839fe4aeebf

SHA1
8b01fa57afb36379c01f5f2746c3db8ed429386a

SHA256
285f8afff95165de4323c80a9711bf70e653173117d0888790f9c585d7c4496c

SHA512
094c577e84de4774a58733640157bacddc8bea5764b0a38ee122a5423a652a1ebe593b626c7f38b54309a213c263cae3aff173b216501c946081e8a743d2e841

Download Submit