Resubmissions
12/10/2024, 10:25  241012-mf821swbjf  10
12/10/2024, 10:24  241012-mfpy5szgjr  10
12/10/2024, 10:23  241012-me1n9azfrj  10
12/10/2024, 10:21  241012-mdxafawajc  10
12/10/2024, 10:18  241012-mcd3gavhmb  10

Analysis
Max time kernel: 147s
Max time network: 157s
Platform: windows11-21h2_x64
Resource: win11-20241007-en
Resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 12/10/2024, 10:18
Behavioral task behavioral1
Sample: 666 Executor.exe
Resource: win11-20241007-en

Behavioral task behavioral2
Sample: main.pyc
Resource: win11-20241007-en
General
Target: main.pyc
Size: 7KB
MD5: 9809e60cbdca68d072a80251b3a93c6c
SHA1: 3c79f419fab6e1ae20f1635bcbae8df6221ede47
SHA256: 01d442089838b2d3d581899e8e0929a476f5e656142e8fb3ea4c3c9da8c6ffff
SHA512: b6de1323ae2f83cba24f96ebb8bd5a13a9da21087ca24e8b58b1c006bac7cd9e2f9663ce5441e8a2b3e10ad7e9a1c538d37dcc1e426790ddd3720b0b3daa8792
SSDEEP: 192:wo9+uqD8sTqKWdXwK3LD3IbzmJhwb05cFMdwTcTNTL2nw:b+udKWuKUzK2b05cFPTqliw
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
ioc (wmplayer.exe, 23 IoCs): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
ioc (unregmp2.exe, 23 IoCs): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Both processes open every drive root except C:, D: and F:.

Drops file in Windows directory (2 IoCs)
description: File created
ioc: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
Process: svchost.exe
description: File opened for modification
ioc: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
Process: svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: wmplayer.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: unregmp2.exe

Modifies registry class (2 IoCs)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings
Process: cmd.exe
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings
Process: OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid 6084, OpenWith.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeShutdownPrivilege, pid 5956, unregmp2.exe
Token: SeCreatePagefilePrivilege, pid 5956, unregmp2.exe
Token: SeShutdownPrivilege, pid 5644, wmplayer.exe
Token: SeCreatePagefilePrivilege, pid 5644, wmplayer.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid 5644, wmplayer.exe

Suspicious use of SetWindowsHookEx (41 IoCs)
pid 6084, OpenWith.exe (41 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process        procid_target
PID 6084 wrote to memory of 5644    6084  OpenWith.exe   79   (3 entries)
PID 5644 wrote to memory of 5800    5644  wmplayer.exe   82   (3 entries)
PID 5800 wrote to memory of 5956    5800  unregmp2.exe   83   (2 entries)
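The "Enumerates connected drives" signature above is a count heuristic: a process that opens many `\??\<letter>:` roots. The script below is an added example, not the sandbox's own rule, that applies the heuristic to rows copied from the report's IoC table plus constructed explorer.exe rows used as a non-hit; the threshold of 3 and the exclusion of C: as the system drive are assumptions. In this report both hits are Windows Media Player components (wmplayer.exe and the unregmp2.exe /AsyncFirstLogon child it spawns), which is why a raw root count needs process context before it is treated as malicious.

```python
"""Heuristic behind a 'drive enumeration' signature: count the distinct drive
roots (\\??\\A: ... \\??\\Z:) each process opens and flag processes that touch
at least `threshold` roots other than the system drive.

Added example, not the sandbox's own rule. EVENTS mixes rows copied from the
report's IoC table with constructed rows (explorer.exe) to show a non-hit.
"""
import re
from collections import defaultdict

# One "description ioc Process" row per line, as the report prints them.
EVENTS = r"""
File opened (read-only) \??\V: wmplayer.exe
File opened (read-only) \??\X: wmplayer.exe
File opened (read-only) \??\E: wmplayer.exe
File opened (read-only) \??\G: wmplayer.exe
File opened (read-only) \??\N: wmplayer.exe
File opened (read-only) \??\T: wmplayer.exe
File opened (read-only) \??\X: unregmp2.exe
File opened (read-only) \??\U: unregmp2.exe
File opened (read-only) \??\H: unregmp2.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe
File opened (read-only) \??\C: explorer.exe
File opened (read-only) \??\D: explorer.exe
""".strip().splitlines()

# \??\<letter>: is the NT object-manager path of a drive root.
DRIVE_ROOT_OPEN = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)$")

SYSTEM_DRIVES = frozenset({"C"})   # assumption: the analysis image boots from C:


def drive_roots_by_process(lines):
    """Map process name -> set of non-system drive letters it opened."""
    roots = defaultdict(set)
    for line in lines:
        m = DRIVE_ROOT_OPEN.match(line.strip())
        if m is None:
            continue                      # not a drive-root open (e.g. a registry key)
        letter, process = m.groups()
        if letter not in SYSTEM_DRIVES:
            roots[process].add(letter)
    return roots


def flag_enumerators(lines, threshold=3):
    """Processes that opened at least `threshold` distinct non-system drive roots.

    threshold=3 is an assumption; the report shows 23 roots per flagged process."""
    return {proc: sorted(letters)
            for proc, letters in drive_roots_by_process(lines).items()
            if len(letters) >= threshold}


if __name__ == "__main__":
    for proc, letters in flag_enumerators(EVENTS).items():
        print(f"{proc}: {len(letters)} drive roots ({''.join(letters)})")
```

Feeding the same function Sysmon or Procmon file-open events only requires adapting the regular expression; the useful part of the rule is the per-process distinct-letter set, not the event format.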
Processes

Note: the sample main.pyc was never run by a Python interpreter in this task. cmd /c on a .pyc with no registered handler brings up OpenWith.exe, which launched Windows Media Player with /Play on the file; the drive-enumeration, NLS\Language and privilege-token signatures listed above all come from wmplayer.exe and the unregmp2.exe /AsyncFirstLogon registration it spawned, not from the sample's code. The WriteProcessMemory IoCs map onto the parent-to-child creations in this tree (6084 -> 5644 -> 5800 -> 5956).

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
  PID: 752
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 6084
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\main.pyc"
    PID: 5644
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\unregmp2.exe
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      PID: 5800
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\unregmp2.exe
        Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        PID: 5956
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  PID: 4496
  - Drops file in Windows directory
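Because the process tree shows main.pyc being handed to Windows Media Player rather than to a Python interpreter, the dynamic signatures say nothing about the bytecode itself, and static triage of the .pyc is the next step. The script below is an added example, not part of the report: it parses the 16-byte CPython header, maps the magic number to a release using a partial table, and only unmarshals the body when the running interpreter's magic matches, because the marshal format is version specific. The sample bytecode is compiled in-process from constructed source (the RFC 5737 address in it is a placeholder); the report's main.pyc is not reproduced here.

```python
"""Static triage of a CPython .pyc without running it: parse the 16-byte
header, map the magic number to a compiler version and, only when this
interpreter's marshal format matches, pull out referenced names and strings.

Added example; the bytecode below is constructed in-process, not the
report's main.pyc.
"""
import dis
import importlib.util
import marshal
import struct
import sys
import types
from dataclasses import dataclass

# Release magic numbers (little-endian u16 preceding b"\r\n"); partial table.
KNOWN_MAGIC = {
    3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10",
    3495: "3.11", 3531: "3.12", 3571: "3.13",
}


@dataclass
class PycInfo:
    magic_u16: int
    version: str          # "3.x" from KNOWN_MAGIC, or "unknown"
    hash_based: bool      # PEP 552 flags bit 0
    unmarshalled: bool = False
    names: tuple = ()     # co_names across all nested code objects
    strings: tuple = ()   # str constants across all nested code objects


def is_pyc(data: bytes) -> bool:
    """A CPython 3 .pyc has a 16-byte header whose 4-byte magic ends in CR LF."""
    return len(data) >= 16 and data[2:4] == b"\r\n"


def this_interpreter_version() -> str:
    return f"{sys.version_info.major}.{sys.version_info.minor}"


def build_pyc(source: str, filename: str = "constructed.py") -> bytes:
    """Compile constructed source into a timestamp-based .pyc for this interpreter."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def _walk(code: types.CodeType):
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _walk(const)


def triage_pyc(data: bytes) -> PycInfo:
    if not is_pyc(data):
        raise ValueError("not a CPython 3 .pyc")
    (magic_u16,) = struct.unpack("<H", data[:2])
    (flags,) = struct.unpack("<I", data[4:8])
    info = PycInfo(magic_u16, KNOWN_MAGIC.get(magic_u16, "unknown"), bool(flags & 1))
    # marshal is version specific: only unmarshal with a matching interpreter.
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return info
    try:
        code = marshal.loads(data[16:])   # builds a code object; executes nothing
    except (ValueError, EOFError, TypeError):
        return info                       # truncated or corrupt body
    if not isinstance(code, types.CodeType):
        return info
    info.names = tuple(sorted({n for c in _walk(code) for n in c.co_names}))
    info.strings = tuple(sorted({k for c in _walk(code) for k in c.co_consts
                                 if isinstance(k, str)}))
    info.unmarshalled = True
    return info


def disassemble(data: bytes) -> str:
    """Full dis listing; only meaningful when triage_pyc(data).unmarshalled is True."""
    return dis.Bytecode(marshal.loads(data[16:])).dis()


# Constructed sample resembling a loader script; 192.0.2.10 is an RFC 5737 placeholder.
SAMPLE_SOURCE = '''
import subprocess
C2 = "http://192.0.2.10/beacon"
def run(cmd):
    return subprocess.check_output(cmd, shell=True)
'''
SAMPLE_PYC = build_pyc(SAMPLE_SOURCE)

# Header-only sample carrying the 3.7 magic (0x0d42): triage must stop at the header.
FOREIGN_HEADER_PYC = bytes([0x42, 0x0D, 0x0D, 0x0A]) + bytes(12)

if __name__ == "__main__":
    info = triage_pyc(SAMPLE_PYC)
    print(info)
    if info.unmarshalled:
        print(disassemble(SAMPLE_PYC))
```

marshal.loads builds a code object but does not execute it; the code still runs nothing until someone calls exec on it, so never do that with an untrusted file, and do the triage in an isolated environment anyway. For a .pyc whose magic belongs to a different release, install that release (or a decompiler that understands its marshal format) rather than forcing the load.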
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 384KB
MD5: 62394a137b3beedeb892ed80924de40c
SHA1: fdb8c9cd6bbe15fe618b68e016fa14a59625b767
SHA256: 25cce33207ccb0728526e27e43d9a0b2c761f40028fa47e6e77cbf8098747f2f
SHA512: 380d75c568c54952468fcbc7dbbb698300174cbe9680ee8818c1534c8fec991ecbe0dcfccac678def9e7284bcb599eb455cda69bfb4caff087093ed19d8722eb

Filesize: 1024KB
MD5: 48b426758a49202457948b0902829913
SHA1: 37c0582aed5b5cd874dc15e844b51bc95772934c
SHA256: 34aa1554e3f1d3d3930da25baf9085bcb144252b9c66a2b8955a6d54ff7989f9
SHA512: e5f46122295255d315242461e97b4f334502f150e242d1934603ea8f65e888b5507f12bfebdfac76d199661554d58d07f87be4600f7365c8317dc9b47962a866

Filesize: 498B
MD5: 90be2701c8112bebc6bd58a7de19846e
SHA1: a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256: 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512: d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Filesize: 9KB
MD5: 5433eab10c6b5c6d55b7cbd302426a39
SHA1: c5b1604b3350dab290d081eecd5389a895c58de5
SHA256: 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512: 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 1KB
MD5: 17af36a6e1e8aa5b05cee4448dee96a4
SHA1: 2107428e74f56ba255289a6a7327c9a182c66137
SHA256: 564ca6c48e53d6348d8535dab655fad03b8a79bd63f78242a1eff736aaaeb357
SHA512: 8e4646645e86d5f49af73b4da9d867887e30118fbf4fb0215e90bbe1b82a988cfdda2139c4146e9943929870480fa7d163be08ad9a04cbe548f07fde297ee755