55a330a02218cdefa042111f5b958b3311e11261abaf095d2782779989652775

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-es
resource tags

arch:x64arch:x86image:win10v2004-20240508-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24/06/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yebelle.mkv
Size

14.4MB
MD5

7b18e283d278bc9e4c4b0820219c129c
SHA1

aed6c2293ed9997c319076c63e6a0e119aeeb3c8
SHA256

55a330a02218cdefa042111f5b958b3311e11261abaf095d2782779989652775
SHA512

6645185fadb072990943625670360583d635e60211203f5af73f1de4e84c6b6ecb0aff4ff53f4a9e017b720b649cfa8193341b664ce002819ea18d6d644b9f78
SSDEEP

98304:/bnHD18Q3fH0bjr/7jx77rAjyR06RajL2iKbN+vbhQJAsNvlc4O:znHNH0r/nx7XAjyR06ROLoh+vkZBlnO

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4692	unregmp2.exe
Token: SeCreatePagefilePrivilege	4692	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1432	4696	wmplayer.exe	80
PID 4696 wrote to memory of 1432	4696	wmplayer.exe	80
PID 4696 wrote to memory of 1432	4696	wmplayer.exe	80
PID 4696 wrote to memory of 3636	4696	wmplayer.exe	81
PID 4696 wrote to memory of 3636	4696	wmplayer.exe	81
PID 4696 wrote to memory of 3636	4696	wmplayer.exe	81
PID 3636 wrote to memory of 4692	3636	unregmp2.exe	82
PID 3636 wrote to memory of 4692	3636	unregmp2.exe	82

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\yebelle.mkv"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\yebelle.mkv"
  2⤵
  PID:1432
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
622a236c2be442884b47bc82f954a3eb

SHA1
eeba94da06d767658e88a7f44bbe2a80e5460fe8

SHA256
0d9940de8aee24abfe52c42eeb68ecd5d5d1ed6903b027ac4735a94b2b8744cc

SHA512
c0d4fb8bc74b0b203628ffe2dd9e95dfaae17aa96b98d34c438d73e57da57d719ac4d062e7cbf5fa11102453475065ff36c996b4f8d1883ae4e76d602c422ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
e6af367710acc8634c4d2e76d0c0224e

SHA1
3813871c00e63775741ae1ed5777e0d5ff17ed8f

SHA256
c80bb1049517b9dffe2a93ff346babf570e0690b336076b14bf2f72cc4e42cbd

SHA512
5e1884cc91186325d72a2f55d1fe5488210510236bbfac75ae3cc150bc797c9c3cec4f0d6d1067b4b3362ed12cad5891d3f62fed3d41f91c2573598f9dad88c1

Download Submit