Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    79s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 12:57

General

  • Target

    NightyGo/data/nitrosound.mp3

  • Size

    8KB

  • MD5

    812c7504df40d796245774dce0e6c85c

  • SHA1

    6c1c3bb3ce138b29a2681af9e6b6dbaab80e1e47

  • SHA256

    3b8d47c95911247ffcdbb44fe1111852d447cfef21ed9dd52e72577671e531f3

  • SHA512

    e8cb13c6e81c9df4052af65357574ddf8f71f6c4400b3eea95f617471375be2f91ac1706da6edf12fcce9d7ea09deda83747fef56b4ed93b6ff95920c3fa5ddc

  • SSDEEP

    192:QCsw5oFc5mypvMcYkYP9Y6fFqztAeQSXrPs7ZApBh3:5srFSpvMDr9TwtAeQWPs783

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\NightyGo\data\nitrosound.mp3"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\NightyGo\data\nitrosound.mp3"
      2⤵
        PID:4972
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:404

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

      Filesize

      512KB

      MD5

      946f3d332664c951e4220b6529c08cf4

      SHA1

      8cef2495aeb0b14c503c53fe51282e7bdfa487a1

      SHA256

      def03bbc743e3f1f8e1e7c235e05180fd3501857547d59eac77034bb17f54d16

      SHA512

      a6ed17d51b299c250d9b50385e5a0c7c35dc388062d3d448fd2d55a001928518fb18f84a38a692af85d8f4b40b5e3a767724a0060702c842ac0bf8f83f9a67bc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

      Filesize

      1KB

      MD5

      4b6c612a43e335d0563a9db61e135246

      SHA1

      40cb8e118cd50cfb72ece203fe809f90661f5f57

      SHA256

      f9f733291c729b8a685436d5cd0b403b602ff4c23752ac7e6fbc153e7800e7e5

      SHA512

      dc6596b01cb3daad8b3f0d1d323698214c1f744227ae4507a766d348a08245602b9dfa2c51d37f79e4ebda5be93ca8c4a1dba5539e7051a0d6be73b962a86c46