Overview

overview

8

Static

static

1

simpsons_v...ig.mp4

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    simpsons_vs_peppa_pig.mp4

  • Size

    7.5MB

  • MD5

    5b3c225f08fa2312366721bfd6540f7d

  • SHA1

    9d62e54cb89b3989365f7998bd0d0f08a2c4bb14

  • SHA256

    21f947d701535a7648843c3db3c95a2f774bd0ce06ab8ccbfaa0c0a6b08706fd

  • SHA512

    fae8906e1c1f160e70ac15bdf07e1a7a28da5f2022e358350f34b8c5c8a5c28ccb8bf05b9190596cb16bb9f74dec2947c602261e22af6e405c4a11e4a94fc6aa

  • SSDEEP

    196608:/Y/i34KdKofmxnzM4IyVSRdoLwLeVIomVacy6xhHS6g+Jg:QK34KdNfmxnI4IcSRdocLRzy6rS6gSg

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\simpsons_vs_peppa_pig.mp4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\simpsons_vs_peppa_pig.mp4"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Modifies Installed Components in the registry
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:3124
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\simpsons_vs_peppa_pig.mp4"
        3⤵
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:876
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4136
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3c0 0x3c4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    64KB

    MD5

    dbfc662304aa4236ac6c685fdd3ee597

    SHA1

    bee96b9256c93a35398a8c6a341da9470c6101c2

    SHA256

    dfd76fd8ae4d04c006729be160e7c23fe8e003e7094a54abf3a5aaee1a5c5590

    SHA512

    6730c50e8217e93d819b24a76af50ed9afeb34c73f32bcf65cca1bac139219c4897f7a43faa7a88909b32777420f47beb2a1ab23fad5886ef4da35226305c42b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    192eb6220ba0042b2ce86bfa33af040a

    SHA1

    84b4e70b9b46e33f1d505b32c23cb81648667296

    SHA256

    4b44c639315bfa73f58ca13b055765ffbcb092f2914175d3f66ba150f92142a2

    SHA512

    ba2fc31ce3591e342c4d92918d8e73023b928771ecca1d794dcc17806aaf457f7617f9f645109cc9c1b340a938a332c83400ecb94d955d38ce81870ea30139d2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    5559934de76f933886fc57d12bab910c

    SHA1

    fc02ef30331de30916ea2b514c8d80bcc313379d

    SHA256

    cc34733d0a142b7de2a5f35ae052dfd386df675127b342cfcdc753a0c0eaf81b

    SHA512

    c3a6ee70c8df3548cd61d83c5900de7516651a39f92fb0278868fb63be75f4645de66b39c1b933ea33a208e151fa1df828d379d85b4a258e01fad4c80be7d75b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    2KB

    MD5

    522a50d4787e5c7947e927f899bff03a

    SHA1

    75e06345792af97ce9cc8cce6cfd6b967694b7be

    SHA256

    161757df80a13f5b179aeccc804672bdfbac41dcffb0211a7b2d0de344a21448

    SHA512

    75776a99c24484d7423bb9bc6443389804faad10615e9c407e44126b88f23c8302ace82ae899ce3e6c825c9cd0a3d5e9fd0ae389c584e2bf5a40a3064358ee65

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
    Filesize

    3KB

    MD5

    5cb2f44e34b94373cf62384e223e859a

    SHA1

    d681516330945abab754cfc0e2bb80f8279d9bf5

    SHA256

    7212ec9a980759c91a7be5b5c46078b47c22f9c802335dc27e10573b018e9340

    SHA512

    40811608bc206ab5821af62b7d984edbdd030659b779b4847975bcb552c0af01dcb94aa18232f2c98168aa43b7d191abdbccd70c489c8f4df3b6830923d974f5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
    Filesize

    1KB

    MD5

    9068c7c9175047d12a13c04775595b37

    SHA1

    dd9f85b326487ed1dbe8edf1576fd0eb84ec7586

    SHA256

    ae3a35b4272c8b02197ad4db9ffa32f4383258a934523cfb673fc45b3c3a9d63

    SHA512

    e63898f1c91270736aadb42e8f676297c45a5d7b6f1395e9990224a862dcf30147389ae9a0d4cf6aabc9ccd00a91f88bd57e33128b595be2334f1e7bc9cf7eca

    Download Submit
  • memory/876-182-0x0000000008730000-0x0000000008740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-181-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-183-0x0000000006370000-0x0000000006380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-184-0x0000000006370000-0x0000000006380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-185-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-186-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-187-0x0000000006370000-0x0000000006380000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-180-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-176-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-177-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/876-200-0x0000000003BE0000-0x0000000003BF0000-memory.dmp
    Filesize

    64KB

    Download