Analysis
max time kernel: 134s
max time network: 144s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-09-2024 01:13
Static task: static1
Behavioral task: behavioral1
  Sample: octo hates niggers.wav
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: octo hates niggers.wav
  Resource: win10-20240404-en
General
Target: octo hates niggers.wav
Size: 1.1MB
MD5: e06c2af9bd3623d93dad4c19fa90b88a
SHA1: aae457d958f50416e1a1e6f2195e1c162e47abcf
SHA256: 7a3b253a53b43df9024c580b8797df22ac022cebddb9305ff77f2c0884dd6ddf
SHA512: b5d73101ff3adabbe563dbf8c007f1279fc151c564d8563e5cb6a3a36eb354a177978225576d7bc1ebd428e8d80f9a73880ca221058babcb409a669da32ff30f
SSDEEP: 1536:53PiVM28r4hL0/yJPGw9mtJdNRvDuKjmK0yjWJOcaY:5aVM8hLgucNRruKCpiMODY
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\A:  unregmp2.exe
File opened (read-only)  \??\B:  unregmp2.exe
File opened (read-only)  \??\Q:  unregmp2.exe
File opened (read-only)  \??\W:  unregmp2.exe
File opened (read-only)  \??\E:  unregmp2.exe
File opened (read-only)  \??\P:  unregmp2.exe
File opened (read-only)  \??\S:  unregmp2.exe
File opened (read-only)  \??\U:  unregmp2.exe
File opened (read-only)  \??\V:  unregmp2.exe
File opened (read-only)  \??\Y:  unregmp2.exe
File opened (read-only)  \??\Z:  unregmp2.exe
File opened (read-only)  \??\G:  unregmp2.exe
File opened (read-only)  \??\I:  unregmp2.exe
File opened (read-only)  \??\J:  unregmp2.exe
File opened (read-only)  \??\M:  unregmp2.exe
File opened (read-only)  \??\N:  unregmp2.exe
File opened (read-only)  \??\R:  unregmp2.exe
File opened (read-only)  \??\H:  unregmp2.exe
File opened (read-only)  \??\K:  unregmp2.exe
File opened (read-only)  \??\L:  unregmp2.exe
File opened (read-only)  \??\O:  unregmp2.exe
File opened (read-only)  \??\T:  unregmp2.exe
File opened (read-only)  \??\X:  unregmp2.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmplayer.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup_wm.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  unregmp2.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                          pid  Process
Token: SeShutdownPrivilege           524  unregmp2.exe
Token: SeCreatePagefilePrivilege     524  unregmp2.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process       procid_target
PID 4412 wrote to memory of 3828   4412  wmplayer.exe  73
PID 4412 wrote to memory of 3828   4412  wmplayer.exe  73
PID 4412 wrote to memory of 3828   4412  wmplayer.exe  73
PID 4412 wrote to memory of 2880   4412  wmplayer.exe  74
PID 4412 wrote to memory of 2880   4412  wmplayer.exe  74
PID 4412 wrote to memory of 2880   4412  wmplayer.exe  74
PID 2880 wrote to memory of 524    2880  unregmp2.exe  75
PID 2880 wrote to memory of 524    2880  unregmp2.exe  75
Processes (tree; indentation shows parent/child depth)
C:\Program Files (x86)\Windows Media Player\wmplayer.exe (depth 1, PID 4412)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\octo hates niggers.wav"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Windows Media Player\setup_wm.exe (depth 2, PID 3828)
    Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\octo hates niggers.wav"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\unregmp2.exe (depth 2, PID 2880)
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\unregmp2.exe (depth 3, PID 524)
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads