Analysis
max time kernel: 52s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240508-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 14/06/2024, 12:55
Static task: static1
Behavioral task behavioral1: sample Lorena2.mp4, resource win7-20240611-es
Behavioral task behavioral2: sample Lorena2.mp4, resource win10v2004-20240508-es (the run reported below)
General
Target: Lorena2.mp4
Size: 9.9MB
MD5: 214f1885246c20f3cb4d7b24b0598957
SHA1: 964e0de4cb74efd20bf6b65b7eff632debb8cf5d
SHA256: c5cfa9fbb37485f0e29941eeccf61631e35993193fec6e6e575e2b0320c5308b
SHA512: 485b691bd48bd4f782376219bae0cc94040abae2e71e7fcce2d262b0167dd5c547d1ae4a3351fe34c0f0151c9a88df10699d2d1d5f373c6a67ce09db09e11884
SSDEEP: 196608:/V1VPox8X6ydU7bWEdTtRw6vEPwbVopojgBISEdWGJz8leeaUAhbcjjnSob62Hzt:/TVPo1ydU3WitC6sYh3jgihWIkebUuAL
Malware Config
Signatures
All three signatures below fire on unregmp2.exe (the Windows Media Player setup utility) and on wmplayer.exe spawning it. The process tree shows this is Windows Media Player's first-run setup, triggered by opening the .mp4 with wmplayer.exe; none of the flagged activity is attributed to Lorena2.mp4 itself, no malware config was extracted, and the Network section of the report is empty.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: unregmp2.exe
ioc (23 drive roots, in the order reported): \??\T: \??\V: \??\B: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\Y: \??\Z: \??\E: \??\K: \??\S: \??\U: \??\W: \??\X: \??\M: \??\A: \??\G: \??\H: \??\I: \??\J: \??\L:

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                        pid   Process
Token: SeShutdownPrivilege         792   unregmp2.exe
Token: SeCreatePagefilePrivilege   792   unregmp2.exe

Suspicious use of WriteProcessMemory (8 IoCs; only three distinct parent/child pairs, the rows repeat)
description                         pid    Process        procid_target   occurrences
PID 1216 wrote to memory of 1632    1216   wmplayer.exe   82              3
PID 1216 wrote to memory of 1496    1216   wmplayer.exe   83              3
PID 1496 wrote to memory of 792     1496   unregmp2.exe   84              2
Processes
Depth markers (1, 2, 3) follow the report; each entry lists the image path first, then the command line as recorded.

1. wmplayer.exe, PID 1216
   image: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
   command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lorena2.mp4"
   signatures: Suspicious use of WriteProcessMemory

   2. setup_wm.exe, PID 1632
      image: C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lorena2.mp4"
      signatures: none

   2. unregmp2.exe, PID 1496 (32-bit; the System32 path in the command line is redirected to SysWOW64 by WOW64 file-system redirection)
      image: C:\Windows\SysWOW64\unregmp2.exe
      command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      signatures: Suspicious use of WriteProcessMemory

      3. unregmp2.exe, PID 792 (64-bit; the 32-bit instance re-launches the native image through the SysNative alias with /REENTRANT)
         image: C:\Windows\system32\unregmp2.exe
         command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
         signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
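As an added example (not Triage's code, and describing no behaviour beyond what the tables above record), the following Python re-derives the three signatures and the process tree from event records constructed to mirror the rows in this report. The record layout, the PID-to-name map and the `min_roots` threshold are assumptions made for the example; Triage's own rules and thresholds are not published on this page.

```python
import re
from collections import defaultdict

# Constructed event records in the shape of the rows on this report.
# The field layout is an assumption for this example, not a Triage export format.
EVENTS = (
    [{"sig": "WriteProcessMemory", "pid": 1216, "process": "wmplayer.exe", "target": 1632}] * 3
    + [{"sig": "WriteProcessMemory", "pid": 1216, "process": "wmplayer.exe", "target": 1496}] * 3
    + [{"sig": "WriteProcessMemory", "pid": 1496, "process": "unregmp2.exe", "target": 792}] * 2
    + [
        {"sig": "AdjustPrivilegeToken", "pid": 792, "process": "unregmp2.exe", "token": "SeShutdownPrivilege"},
        {"sig": "AdjustPrivilegeToken", "pid": 792, "process": "unregmp2.exe", "token": "SeCreatePagefilePrivilege"},
    ]
    # The 23 drive roots, in the order the report lists them.
    + [{"sig": "FileOpen", "pid": 792, "process": "unregmp2.exe", "path": f"\\??\\{d}:"}
       for d in "TVBNOPQRYZEKSUWXMAGHIJL"]
)

# PID -> image name, taken from the process tree above (assumed complete for the example).
PROCESSES = {1216: "wmplayer.exe", 1632: "setup_wm.exe", 1496: "unregmp2.exe", 792: "unregmp2.exe"}

# NT object-manager form of a drive root, e.g. \??\T:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")


def drive_roots_opened(events):
    """Per PID, the set of drive letters whose root was opened, excluding the default C:."""
    roots = defaultdict(set)
    for e in events:
        if e["sig"] != "FileOpen":
            continue
        m = DRIVE_ROOT.match(e["path"])
        if m and m.group(1) != "C":
            roots[e["pid"]].add(m.group(1))
    return dict(roots)


def flag_drive_enumeration(events, min_roots=3):
    """Emulates 'Enumerates connected drives': PIDs that opened at least min_roots
    distinct non-C: drive roots. The threshold is an assumption of this example."""
    return {pid: sorted(r) for pid, r in drive_roots_opened(events).items() if len(r) >= min_roots}


def privilege_tokens(events):
    """Emulates 'Suspicious use of AdjustPrivilegeToken': (pid, privilege) pairs enabled."""
    return {(e["pid"], e["token"]) for e in events if e["sig"] == "AdjustPrivilegeToken"}


def parent_edges(events):
    """Distinct (writer_pid, target_pid) pairs from WriteProcessMemory records, first-seen order.
    The report's 8 IoCs collapse to 3 edges once the repeated rows are deduplicated."""
    seen, edges = set(), []
    for e in events:
        if e["sig"] != "WriteProcessMemory":
            continue
        edge = (e["pid"], e["target"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def process_tree(events, names):
    """Rebuild the tree as (depth, pid, image) tuples, treating each cross-process write as
    parent -> child. That is true here (CreateProcess writes into the new child) but the same
    heuristic would also make an injector look like the parent of its target, so confirm
    against real parent PIDs when they are available."""
    children = defaultdict(list)
    has_parent = set()
    for parent, child in parent_edges(events):
        children[parent].append(child)
        has_parent.add(child)
    roots = [pid for pid in names if pid not in has_parent]

    def walk(pid, depth):
        yield (depth, pid, names.get(pid, "?"))
        for child in children[pid]:
            yield from walk(child, depth + 1)

    return [node for root in roots for node in walk(root, 1)]


def flagged_process_names(events):
    """Image names that carry any signature: useful to check whether the sample itself appears."""
    return {e["process"] for e in events}


if __name__ == "__main__":
    for depth, pid, name in process_tree(EVENTS, PROCESSES):
        print("  " * (depth - 1) + f"{depth}. {name} (PID {pid})")
    print("drive enumeration:", flag_drive_enumeration(EVENTS))
    print("privileges:", sorted(privilege_tokens(EVENTS)))
    print("flagged images:", sorted(flagged_process_names(EVENTS)))
```

Running it prints the same four-node tree as the Processes section, attributes the drive enumeration and both privileges to PID 792, and shows that only wmplayer.exe and unregmp2.exe carry signatures; Lorena2.mp4 never appears as a process image.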
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1, 256KB
  MD5: 622a236c2be442884b47bc82f954a3eb
  SHA1: eeba94da06d767658e88a7f44bbe2a80e5460fe8
  SHA256: 0d9940de8aee24abfe52c42eeb68ecd5d5d1ed6903b027ac4735a94b2b8744cc
  SHA512: c0d4fb8bc74b0b203628ffe2dd9e95dfaae17aa96b98d34c438d73e57da57d719ac4d062e7cbf5fa11102453475065ff36c996b4f8d1883ae4e76d602c422ae8

File 2, 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

File 3, 1KB
  MD5: eea5c7d84e29b698bf4c7839fe4aeebf
  SHA1: 8b01fa57afb36379c01f5f2746c3db8ed429386a
  SHA256: 285f8afff95165de4323c80a9711bf70e653173117d0888790f9c585d7c4496c
  SHA512: 094c577e84de4774a58733640157bacddc8bea5764b0a38ee122a5423a652a1ebe593b626c7f38b54309a213c263cae3aff173b216501c946081e8a743d2e841