Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

drake spea...co.mp4

windows7-x64

1

drake spea...co.mp4

windows10-2004-x64

8

Analysis

  • max time kernel
    5s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2023, 19:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    drake speaks cayo perico.mp4

  • Size

    1.4MB

  • MD5

    af8e86342ee55b945ec4182f7e6f325f

  • SHA1

    b47b32baac56cd827d4d7b85e33c0229873c256d

  • SHA256

    a8c4d85e2fe586b100b12f351824299dd2925d1af3f18ecf7c4f7e7ed3f9ce4e

  • SHA512

    eca2265d36429228cba13a70069fe965f5c9496c7678a5e44ac6fedc9567b2fd0f6482fbddd2606b1474e0324e844044081b6a56a875fe644a213e140969e9ee

  • SSDEEP

    24576:RsSxf+QBCQtVFrhwhczVuQo+/iKVrpxHEuL3rsFL/16lKLP3MoLiLeRaU847PD:+Qfh8QtVJXtp/nA0y16lOPciEa7PD

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\drake speaks cayo perico.mp4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\drake speaks cayo perico.mp4"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Modifies Installed Components in the registry
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:1716
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\drake speaks cayo perico.mp4"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:4736
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:2884
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b4 0x320
    1⤵
      PID:4796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      256KB

      MD5

      9c481a94abc7eee23cd5234262e60077

      SHA1

      2873225e708fb5461ac60c3613fe12112423f0f0

      SHA256

      681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061

      SHA512

      0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      1024KB

      MD5

      7ae14c65d6895fd11230731535d55b3d

      SHA1

      a9dcc8f14ac99d618fb117ec8d4376923a373898

      SHA256

      0e44afb514b2abe3b0a0f1f6da8ade385c6b123248b66e8b6f144c359485f13d

      SHA512

      a6264224e0605e4f185724412b87fabdb57bb6b514e84dad6722454bb712167374020d3fd78f9a9594f03d64c5bd9455c38c5bf6ce4477f4a9e0c59851bfa57f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
      Filesize

      68KB

      MD5

      a627208293e1e46c808286e77678f69e

      SHA1

      9a4cecfe10719abf558d4742c36e33d53361c34b

      SHA256

      683bac3988d52ee07b3c7914a9c3d45a4781a7c293805670c317d6bef034318a

      SHA512

      58b8e63ecbecdda0c39214f27090fcd27085ba1590f5626fd99a1c881ac7ab4250ff14a0414163bde47c4fd9ee0233ab076d9092e6f267ddc09f29c6c52de267

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
      Filesize

      1KB

      MD5

      59e0dea0457ba2e97c5aa0261aa41875

      SHA1

      36cb761e809a0de782c31886461d5efd6732782c

      SHA256

      77289ac8366059fe55b6a164d1fcb6bd7812ada350924b9ad3739e4202bbd5bf

      SHA512

      43ed44d56b35e125d17d36fdc3dc53aecf5cf01dd8030d2c2bae8d625386c77ac8a11a4d5ec56724a23c91e729931935c430d487819b2e9a4e2001846095edad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
      Filesize

      2KB

      MD5

      39eadd93fabb6ade7c19b2a43eac9074

      SHA1

      8a8978415474320a1665a593dbaca27c0135ec55

      SHA256

      0f4854d1ea5f0af99e479b86085a47a3c3b000fc448f00903b226e878874561c

      SHA512

      2bd9ab03d67df40958add45780da372b272e5df76ef85a8c6e9e6372e39606b7c5faccc7badd1da9462ac47d61d48fdd6d31d4af3af95349c1d9b344c75043f4

      Download Submit

    • memory/1888-56-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-58-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-52-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-53-0x0000000008110000-0x0000000008120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-54-0x0000000008110000-0x0000000008120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-55-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-51-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-57-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-59-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-49-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-62-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-61-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-63-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-64-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-45-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-66-0x00000000081A0000-0x00000000081B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-43-0x0000000003530000-0x0000000003540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-69-0x0000000008E30000-0x0000000008E40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1888-70-0x0000000008E30000-0x0000000008E40000-memory.dmp

      Filesize

      64KB

      Download