Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    52s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    14/06/2024, 12:55

General

  • Target

    Lorena2.mp4

  • Size

    9.9MB

  • MD5

    214f1885246c20f3cb4d7b24b0598957

  • SHA1

    964e0de4cb74efd20bf6b65b7eff632debb8cf5d

  • SHA256

    c5cfa9fbb37485f0e29941eeccf61631e35993193fec6e6e575e2b0320c5308b

  • SHA512

    485b691bd48bd4f782376219bae0cc94040abae2e71e7fcce2d262b0167dd5c547d1ae4a3351fe34c0f0151c9a88df10699d2d1d5f373c6a67ce09db09e11884

  • SSDEEP

    196608:/V1VPox8X6ydU7bWEdTtRw6vEPwbVopojgBISEdWGJz8leeaUAhbcjjnSob62Hzt:/TVPo1ydU3WitC6sYh3jgihWIkebUuAL

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lorena2.mp4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lorena2.mp4"
      2⤵
        PID:1632
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

      Filesize

      256KB

      MD5

      622a236c2be442884b47bc82f954a3eb

      SHA1

      eeba94da06d767658e88a7f44bbe2a80e5460fe8

      SHA256

      0d9940de8aee24abfe52c42eeb68ecd5d5d1ed6903b027ac4735a94b2b8744cc

      SHA512

      c0d4fb8bc74b0b203628ffe2dd9e95dfaae17aa96b98d34c438d73e57da57d719ac4d062e7cbf5fa11102453475065ff36c996b4f8d1883ae4e76d602c422ae8

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

      Filesize

      1KB

      MD5

      eea5c7d84e29b698bf4c7839fe4aeebf

      SHA1

      8b01fa57afb36379c01f5f2746c3db8ed429386a

      SHA256

      285f8afff95165de4323c80a9711bf70e653173117d0888790f9c585d7c4496c

      SHA512

      094c577e84de4774a58733640157bacddc8bea5764b0a38ee122a5423a652a1ebe593b626c7f38b54309a213c263cae3aff173b216501c946081e8a743d2e841