8713e64a59746d70f5f8b36599d66dfa73d891b19d8a4211c610709ad167de0b

Analysis

max time kernel
213s
max time network
217s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/07/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChompZap.mp4
Size

98KB
MD5

8c217b674a8b8e9e9748ec27557c83b5
SHA1

1da84c39e92709173591c78272a48f26a517d757
SHA256

8713e64a59746d70f5f8b36599d66dfa73d891b19d8a4211c610709ad167de0b
SHA512

d9ad244a2289e1802f500b371842981b49ffed7873db5b0af2f534bc9c3b2b160dafb69b7de83698c401580dccf6f1d9d01ecaa42467c0fb8cfafa63552f54ec
SSDEEP

1536:PGlMqbTa3pU5xEoKhu1ad/XeafzA+Z8g9TufVdGmDtONy6wBOxLYe:4buOMoKoKXvb8g9TkVfsIBG

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2712	unregmp2.exe
Token: SeCreatePagefilePrivilege	2712	unregmp2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 4476	596	wmplayer.exe	74
PID 596 wrote to memory of 4476	596	wmplayer.exe	74
PID 596 wrote to memory of 4476	596	wmplayer.exe	74
PID 596 wrote to memory of 4104	596	wmplayer.exe	75
PID 596 wrote to memory of 4104	596	wmplayer.exe	75
PID 596 wrote to memory of 4104	596	wmplayer.exe	75
PID 4104 wrote to memory of 2712	4104	unregmp2.exe	76
PID 4104 wrote to memory of 2712	4104	unregmp2.exe	76

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\ChompZap.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:596
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\ChompZap.mp4"
  2⤵
  PID:4476
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
0e807656bd86f2aef7ccf207f963973b

SHA1
27052af8d103d134369e356b793eb88ba873df55

SHA256
c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162

SHA512
e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
6f2285ff135e33937f4e7fc60bfef8e6

SHA1
c5185487204e5693328d98c6f8d8c58f0fb28355

SHA256
ce15e8717bb837347fae8fc34c53332972689d4b6b21b260b90ef82b29198903

SHA512
df72284f4bcee4de3b28aa0324ccda303b0216d4210e43df6fff96f80213a52824532f2b9141d336dcf18ea89c7a158cc97d16d217a7880cb7eabf4ed47d3de4

Download Submit