Overview
Overall score: 10 (the score badge at the top of the overview)
Score  Target                   Platform
10     Static                   static
1      MailRanger...YZ.txt      windows10-2004-x64
3      MailRanger...YZ.txt      windows11-21h2-x64
7      MailRanger...er.exe      windows10-2004-x64
7      MailRanger...er.exe      windows11-21h2-x64
3      MailRanger.pyc           windows10-2004-x64
3      MailRanger.pyc           windows11-21h2-x64
10     MailRanger...te.exe      windows10-2004-x64
10     MailRanger...te.exe      windows11-21h2-x64
1      MailRanger...r2.ini      windows10-2004-x64
3      MailRanger...r2.ini      windows11-21h2-x64
1      MailRanger...!!.txt      windows10-2004-x64
3      MailRanger...!!.txt      windows11-21h2-x64
1      MailRanger/ServerList    windows10-2004-x64
1      MailRanger/ServerList    windows11-21h2-x64
6      MailRanger..._1.mp4      windows10-2004-x64
6      MailRanger..._1.mp4      windows11-21h2-x64
1      MailRanger...es.txt      windows10-2004-x64
3      MailRanger...es.txt      windows11-21h2-x64
(Per-task scores are the badge numbers that follow each row in the scraped overview; the same archive member scores alike on both images, which is how the badges were matched to rows.)

Analysis
max time kernel: 147s
max time network: 158s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-08-2024 21:06
Behavioral tasks
Task          Sample                               Resource
behavioral1   MailRanger/237K HQ Skull.XYZ.txt     win10v2004-20240802-en
behavioral2   MailRanger/237K HQ Skull.XYZ.txt     win11-20240802-en
behavioral3   MailRanger/MailRanger.exe            win10v2004-20240802-en
behavioral4   MailRanger/MailRanger.exe            win11-20240802-en
behavioral5   MailRanger.pyc                       win10v2004-20240802-en
behavioral6   MailRanger.pyc                       win11-20240802-en
behavioral7   MailRanger/MailUpdate.exe            win10v2004-20240802-en
behavioral8   MailRanger/MailUpdate.exe            win11-20240802-en
behavioral9   MailRanger/Mailranger2.ini           win10v2004-20240802-en
behavioral10  MailRanger/Mailranger2.ini           win11-20240802-en
behavioral11  MailRanger/Przeczytaj!!!!.txt        win10v2004-20240802-en
behavioral12  MailRanger/Przeczytaj!!!!.txt        win11-20240802-en
behavioral13  MailRanger/ServerList                win10v2004-20240802-en
behavioral14  MailRanger/ServerList                win11-20240802-en
behavioral15  MailRanger/how to mail_1.mp4         win10v2004-20240802-en
behavioral16  MailRanger/how to mail_1.mp4         win11-20240802-en
behavioral17  MailRanger/socks4_proxies.txt        win10v2004-20240802-en
behavioral18  MailRanger/socks4_proxies.txt        win11-20240802-en
("Przeczytaj" is Polish for "Read".) Each archive member was detonated once on the Windows 10 image and once on the Windows 11 image; this page is behavioral16, the .mp4 on Windows 11.
General
Target: MailRanger/how to mail_1.mp4
Size: 102.5MB
MD5: c3fd4ba9f6aaaa629dfd41778be61eab
SHA1: d9c6c995d4db387c763aaf0dda3ea41ca8904710
SHA256: 0bda1925009f26fd58dcd3376c2da5b28753c6f1f022a8388ff928825d03ebbf
SHA512: 308a695d6c61deed48adbe279bebbdb59f302c152b24321744de3a2202941289ddf79b0c6f379c92c71abe043132421aa65da5b876d056efd006cb0f725b3be3
SSDEEP: 3145728:nQi1aKHLGIxyq6pEn/Fqs49QkP8vi8FsBwU:nQrNq0EcV9lPz8NU
Malware Config
(nothing listed for this task)

Signatures
Every signature below fires on Windows Media Player (wmplayer.exe, the handler the sandbox used to open the .mp4), on its first-run registration helper unregmp2.exe (/AsyncFirstLogon), on the UPnP Device Host service instance of svchost.exe, or on the audio engine AUDIODG.EXE. None of it is attributable to the video file's contents: this task records the player's footprint on a fresh image, not the sample's. The executables, the .pyc, the .ini and the server/proxy lists in the same archive are the tasks to read for MailRanger's own behaviour.

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Both processes opened every drive root from \??\A: to \??\Z: except C:, D: and F: (23 roots each, read-only):
  wmplayer.exe   A B E G H I J K L M N O P Q R S T U V W X Y Z
  unregmp2.exe   A B E G H I J K L M N O P Q R S T U V W X Y Z
  This is the media library scan; it is also the pattern a worm or ransomware shows when it walks every volume, which is why the sandbox scores it. The parent chain (below) is what separates the two.

- Drops file in Windows directory (2 IoCs)
  svchost.exe   File created                  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
  svchost.exe   File opened for modification  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
  The writer is the upnphost service host (PID 4764), not a process spawned by the sample.

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  wmplayer.exe   Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  unregmp2.exe   Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

- Modifies registry class (1 IoC)
  wmplayer.exe   Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272559161-3282441186-401869126-1000\{436E6867-147F-4772-8834-E4FDF9C0EE7B}

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  PID   Process        Token
  1000  wmplayer.exe   SeShutdownPrivilege
  1000  wmplayer.exe   SeCreatePagefilePrivilege
  4608  unregmp2.exe   SeShutdownPrivilege
  4608  unregmp2.exe   SeCreatePagefilePrivilege
  3744  AUDIODG.EXE    33 (raw privilege LUID as logged; LUID 33 is SeIncreaseWorkingSetPrivilege)
  3744  AUDIODG.EXE    SeIncBasePriorityPrivilege
  1000  wmplayer.exe   SeShutdownPrivilege
  1000  wmplayer.exe   SeCreatePagefilePrivilege

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1000  wmplayer.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Writer PID  Writer image   Target PID  procid_target
  1000        wmplayer.exe   240         77
  1000        wmplayer.exe   240         77
  1000        wmplayer.exe   240         77
  240         unregmp2.exe   4608        78
  240         unregmp2.exe   4608        78
  These are the parent writing into its freshly created child before it starts (1000 -> 240 -> 4608), which is how the process tree below is linked.
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 1000)
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\MailRanger\how to mail_1.mp4"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\unregmp2.exe  (PID 240)
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\system32\unregmp2.exe  (PID 4608)
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe  (PID 4764)
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory

C:\Windows\system32\AUDIODG.EXE  (PID 3744)
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8
  - Suspicious use of AdjustPrivilegeToken

Note the image path of PID 240: the command line says C:\Windows\System32\unregmp2.exe but the executed image is C:\Windows\SysWOW64\unregmp2.exe, because the 32-bit wmplayer.exe under Program Files (x86) is subject to WOW64 file-system redirection. That 32-bit helper then relaunches the native 64-bit copy through the SysNative alias with /REENTRANT (PID 4608), and it is the 64-bit instance that performs the drive enumeration. A 32-bit process reaching the 64-bit System32 via SysNative is legitimate here, but the same path alias is worth a second look when the parent is not a known 32-bit application.
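The two signatures that carry the score here, the drive-root enumeration and the WriteProcessMemory chain, are best read together: the second tells you who spawned the enumerator. The script below is an added example, not part of the sandbox report or of the MailRanger sample. It parses the report's own IoC records (a ten-record subset of the 46 drive opens, all five memory-write records and the PID-to-image map from the process tree, embedded as constructed input), rebuilds the parent chain from the write records, and applies a triage rule that downgrades drive enumeration rooted in a media-player first run. The threshold and the expected-root list are assumptions chosen for illustration, not values from the report.

```python
import re
from collections import defaultdict

# Constructed input: records copied from the report above. DRIVE_OPENS is a
# ten-record subset of the 46 "Enumerates connected drives" IoCs,
# MEMORY_WRITES is all five "Suspicious use of WriteProcessMemory" IoCs, and
# IMAGE_BY_PID is taken from the process tree.
DRIVE_OPENS = r"""
File opened (read-only) \??\H: unregmp2.exe
File opened (read-only) \??\V: unregmp2.exe
File opened (read-only) \??\Z: wmplayer.exe
File opened (read-only) \??\A: unregmp2.exe
File opened (read-only) \??\J: wmplayer.exe
File opened (read-only) \??\M: wmplayer.exe
File opened (read-only) \??\A: wmplayer.exe
File opened (read-only) \??\B: wmplayer.exe
File opened (read-only) \??\E: unregmp2.exe
File opened (read-only) \??\E: wmplayer.exe
"""
MEMORY_WRITES = """
PID 1000 wrote to memory of 240 1000 wmplayer.exe 77
PID 1000 wrote to memory of 240 1000 wmplayer.exe 77
PID 1000 wrote to memory of 240 1000 wmplayer.exe 77
PID 240 wrote to memory of 4608 240 unregmp2.exe 78
PID 240 wrote to memory of 4608 240 unregmp2.exe 78
"""
IMAGE_BY_PID = {1000: "wmplayer.exe", 240: "unregmp2.exe", 4608: "unregmp2.exe",
                4764: "svchost.exe", 3744: "AUDIODG.EXE"}

# Assumptions for the triage rule (not from the report): a process that opens
# this many drive roots is worth a look, unless every instance of it descends
# from a root image on the expected list (here, Windows Media Player).
DRIVE_THRESHOLD = 5
EXPECTED_ROOTS = {"wmplayer.exe"}

# Sandbox record formats: "File opened (read-only) \??\X: image" and
# "PID src wrote to memory of dst src image procid_target".
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_drive_opens(text):
    """Map each image name to the set of drive letters it opened."""
    opened = defaultdict(set)
    for letter, image in DRIVE_RE.findall(text):
        opened[image].add(letter)
    return dict(opened)


def parse_memory_writes(text):
    """Map each writer PID to the set of PIDs it wrote into (repeats collapse)."""
    children = defaultdict(set)
    for src, dst, _image in WRITE_RE.findall(text):
        children[int(src)].add(int(dst))
    return dict(children)


def lineage(pid, children, images):
    """Image names from the root ancestor down to pid, following write edges."""
    parents = {c: p for p, kids in children.items() for c in kids}
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return [images.get(p, f"pid:{p}") for p in reversed(chain)]


def triage(opened, children, images, threshold=DRIVE_THRESHOLD):
    """Return (image, drive_count, verdict) for images at or over the threshold."""
    findings = []
    for image, letters in sorted(opened.items()):
        if len(letters) < threshold:
            continue
        pids = [p for p, name in images.items() if name == image]
        roots = {lineage(p, children, images)[0] for p in pids}
        verdict = "expected" if roots and roots <= EXPECTED_ROOTS else "review"
        findings.append((image, len(letters), verdict))
    return findings


if __name__ == "__main__":
    opened = parse_drive_opens(DRIVE_OPENS)
    children = parse_memory_writes(MEMORY_WRITES)
    print("lineage of PID 4608:", " -> ".join(lineage(4608, children, IMAGE_BY_PID)))
    for image, count, verdict in triage(opened, children, IMAGE_BY_PID, threshold=3):
        print(f"{image}: {count} drive roots, {verdict}")
```

Run against the full 46-record list both images reach 23 letters and both resolve to the wmplayer.exe root, so the rule returns "expected" for each; the same enumeration from a process whose chain does not start at an allow-listed image (or whose PID is absent from the tree) comes back as "review", which is the case a worm or encryptor would produce.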
Network
(no network activity listed for this task)
MITRE ATT&CK Enterprise v15
Downloads
Five files were written during the run; the report lists hashes only, no names.

1. Filesize 896KB
   MD5     bf6ac69ca9c916d15779da9f2b0ea326
   SHA1    7a46965ca1224a4ecd4839ab11e2e8f4739678cd
   SHA256  5e1116c11f2878f660a8491066012ad5c963ea72e6e6f6cae866708d47047530
   SHA512  c8d8bc551d5812861b395b7cef39640f268e2a3289ed711e678f371214fa49fadc7b8e1dc78b62017397f3e1e037b8f26d54dbfb1ba422b7a7492907c32fb35a

2. Filesize 1024KB
   MD5     64bc168d0fe7a339455ecc33d0d61778
   SHA1    ee6dfda590f6a4a5a4c3c4c334d3312b114bff24
   SHA256  0d1df85a34ed7702ed2a7f2c232951e8b52a663cd2a46f73f91a24b7d4707542
   SHA512  692d8655b806e475ffd51a9327faf209123006e011545337cdf5d78379c86899b072b60feb13bab600a3acfc0559fecd7fc0740114e0807d2e9049a6533ce2d3

3. Filesize 498B
   MD5     90be2701c8112bebc6bd58a7de19846e
   SHA1    a95be407036982392e2e684fb9ff6602ecad6f1e
   SHA256  644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
   SHA512  d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

4. Filesize 9KB
   MD5     5433eab10c6b5c6d55b7cbd302426a39
   SHA1    c5b1604b3350dab290d081eecd5389a895c58de5
   SHA256  23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
   SHA512  207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

5. Filesize 1KB
   MD5     aa5cd3da3b1438a399f84a6961c8448b
   SHA1    3d50fc30d41e28c6ad77bf82685113f5046d6530
   SHA256  0b38af3151b519ac95fbac723d136363ddf004ec88b39259785c0287a7f8dab6
   SHA512  5c79b065f2cf98daea622a2621b56add7903c7077161dd3982a779ef6ca34417e922a01da63df073f1cea8efe894b97a0bef71eaaf8b0b35b4243412cf086a2f