Overview (score 10)
Static (score 10)

Behavioral tasks (name, platform, score):
- MailRanger...YZ.txt, windows10-2004-x64: 1
- MailRanger...YZ.txt, windows11-21h2-x64: 3
- MailRanger...er.exe, windows10-2004-x64: 7
- MailRanger...er.exe, windows11-21h2-x64: 7
- MailRanger.pyc, windows10-2004-x64: 3
- MailRanger.pyc, windows11-21h2-x64: 3
- MailRanger...te.exe, windows10-2004-x64: 10
- MailRanger...te.exe, windows11-21h2-x64: 10
- MailRanger...r2.ini, windows10-2004-x64: 1
- MailRanger...r2.ini, windows11-21h2-x64: 3
- MailRanger...!!.txt, windows10-2004-x64: 1
- MailRanger...!!.txt, windows11-21h2-x64: 3
- MailRanger/ServerList, windows10-2004-x64: 1
- MailRanger/ServerList, windows11-21h2-x64: 1
- MailRanger..._1.mp4, windows10-2004-x64: 6
- MailRanger..._1.mp4, windows11-21h2-x64: 6
- MailRanger...es.txt, windows10-2004-x64: 1
- MailRanger...es.txt, windows11-21h2-x64: 3

Analysis
- max time kernel: 146s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-08-2024 21:06
Behavioral tasks (task: sample, resource):
- behavioral1: MailRanger/237K HQ Skull.XYZ.txt, win10v2004-20240802-en
- behavioral2: MailRanger/237K HQ Skull.XYZ.txt, win11-20240802-en
- behavioral3: MailRanger/MailRanger.exe, win10v2004-20240802-en
- behavioral4: MailRanger/MailRanger.exe, win11-20240802-en
- behavioral5: MailRanger.pyc, win10v2004-20240802-en
- behavioral6: MailRanger.pyc, win11-20240802-en
- behavioral7: MailRanger/MailUpdate.exe, win10v2004-20240802-en
- behavioral8: MailRanger/MailUpdate.exe, win11-20240802-en
- behavioral9: MailRanger/Mailranger2.ini, win10v2004-20240802-en
- behavioral10: MailRanger/Mailranger2.ini, win11-20240802-en
- behavioral11: MailRanger/Przeczytaj!!!!.txt, win10v2004-20240802-en
- behavioral12: MailRanger/Przeczytaj!!!!.txt, win11-20240802-en
- behavioral13: MailRanger/ServerList, win10v2004-20240802-en
- behavioral14: MailRanger/ServerList, win11-20240802-en
- behavioral15: MailRanger/how to mail_1.mp4, win10v2004-20240802-en
- behavioral16: MailRanger/how to mail_1.mp4, win11-20240802-en
- behavioral17: MailRanger/socks4_proxies.txt, win10v2004-20240802-en
- behavioral18: MailRanger/socks4_proxies.txt, win11-20240802-en
General
- Target: MailRanger/how to mail_1.mp4
- Size: 102.5MB
- MD5: c3fd4ba9f6aaaa629dfd41778be61eab
- SHA1: d9c6c995d4db387c763aaf0dda3ea41ca8904710
- SHA256: 0bda1925009f26fd58dcd3376c2da5b28753c6f1f022a8388ff928825d03ebbf
- SHA512: 308a695d6c61deed48adbe279bebbdb59f302c152b24321744de3a2202941289ddf79b0c6f379c92c71abe043132421aa65da5b876d056efd006cb0f725b3be3
- SSDEEP: 3145728:nQi1aKHLGIxyq6pEn/Fqs49QkP8vi8FsBwU:nQrNq0EcV9lPz8NU
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: wmplayer.exe, unregmp2.exe
  Description: File opened (read-only)
  wmplayer.exe (23 IoCs): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  unregmp2.exe (23 IoCs): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in Windows directory (2 IoCs)
  Processes: svchost.exe
  File created: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll (svchost.exe)
  File opened for modification: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll (svchost.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: unregmp2.exe, wmplayer.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (unregmp2.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmplayer.exe)
- Modifies registry class (1 IoCs)
  Processes: wmplayer.exe
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{5DC8B31A-BD2E-40DC-AD46-41B5C534135F} (wmplayer.exe)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: unregmp2.exe, wmplayer.exe, AUDIODG.EXE
  Token: SeShutdownPrivilege, PID 2880, unregmp2.exe
  Token: SeCreatePagefilePrivilege, PID 2880, unregmp2.exe
  Token: SeShutdownPrivilege, PID 728, wmplayer.exe
  Token: SeCreatePagefilePrivilege, PID 728, wmplayer.exe
  Token: 33, PID 2052, AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 2052, AUDIODG.EXE
  Token: SeShutdownPrivilege, PID 728, wmplayer.exe
  Token: SeCreatePagefilePrivilege, PID 728, wmplayer.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: wmplayer.exe (PID 728)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: wmplayer.exe, unregmp2.exe
  PID 728 wrote to memory of 2724 (wmplayer.exe -> unregmp2.exe)
  PID 728 wrote to memory of 2724 (wmplayer.exe -> unregmp2.exe)
  PID 728 wrote to memory of 2724 (wmplayer.exe -> unregmp2.exe)
  PID 2724 wrote to memory of 2880 (unregmp2.exe -> unregmp2.exe)
  PID 2724 wrote to memory of 2880 (unregmp2.exe -> unregmp2.exe)
Processes
- wmplayer.exe (PID 728, level 1)
  Image: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\MailRanger\how to mail_1.mp4"
  Signatures:
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - unregmp2.exe (PID 2724, level 2)
    Image: C:\Windows\SysWOW64\unregmp2.exe
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - unregmp2.exe (PID 2880, level 3)
      Image: C:\Windows\system32\unregmp2.exe
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      Signatures:
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
- svchost.exe (PID 1156, level 1)
  Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  Signatures:
  - Drops file in Windows directory
- AUDIODG.EXE (PID 2052, level 1)
  Image: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x4e0
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads