Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2023, 19:16

General

  • Target

    Gucci Mane, Bruno Mars, Kodak Black - Wake Up in The Sky [Official Music Video].mp3

  • Size

    3.3MB

  • MD5

    e6c2ed4793f568f7bd7d56735e00c60c

  • SHA1

    faeea5905ddc8cf732e4dde3f29966808c657179

  • SHA256

    5e2007ebe3dd0de3f1df5a6ea4e7388f40d6cbdb8c263a642b45bf76d3c7b8bb

  • SHA512

    2f5f0151e4b42cd1e6f14790e86be26033f406b3c7ba8d8a322a56cf8d8dce81f573b371287570c449c6f21bf12696965f7cbf4305f900aa9215871d2bb41324

  • SSDEEP

    98304:jDbniyUb5avYRmYdB8eeR6+O9KkeoeSWeRporKXv:jDWyeamdBH+qYetXv
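
Before reusing the digests above as indicators, or trusting the .mp3 extension at all, a practitioner checks that the bytes really are an MPEG audio stream (an executable can be placed behind an ID3 tag and still carry a .mp3 name) and recomputes the hashes against the report. The following Python is an added example and not part of the report: the sample bytes are constructed here, not the file the report describes, and the helper names (`classify`, `matches_report`) are hypothetical.

```python
"""Verify a submitted .mp3: confirm the leading bytes are an ID3v2 tag followed by
an MPEG audio frame (or flag a PE header hiding behind the tag), then compute the
digests a sandbox report lists so they can be compared before reuse as IOCs.
Added example; MP3_SAMPLE and PE_BEHIND_TAG are constructed, not the report's file."""
import hashlib


def syncsafe_to_int(b: bytes) -> int:
    """ID3v2 stores the tag size as four 7-bit bytes (high bit of each is clear)."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        raise ValueError("not a syncsafe integer")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def id3v2_tag_length(data: bytes) -> int:
    """Total ID3v2 tag length (10-byte header + payload); 0 when no tag is present."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    major, revision = data[3], data[4]
    if major not in (2, 3, 4) or revision == 0xFF:
        return 0
    return 10 + syncsafe_to_int(data[6:10])


def is_mpeg_frame_header(b: bytes) -> bool:
    """Check the 32-bit MPEG audio frame header: 11 sync bits plus non-reserved fields."""
    if len(b) < 4:
        return False
    hdr = int.from_bytes(b[:4], "big")
    sync_ok = (hdr >> 21) == 0x7FF
    version_ok = ((hdr >> 19) & 3) != 1      # 01 is reserved
    layer_ok = ((hdr >> 17) & 3) != 0        # 00 is reserved
    bitrate_ok = ((hdr >> 12) & 0xF) != 0xF  # 1111 is invalid
    srate_ok = ((hdr >> 10) & 3) != 3        # 11 is reserved
    return sync_ok and version_ok and layer_ok and bitrate_ok and srate_ok


def classify(data: bytes) -> str:
    """Label the container from its bytes, looking past any ID3v2 tag.
    Returns 'mp3', 'pe' or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    off = id3v2_tag_length(data)
    if off > len(data):
        return "unknown"  # tag claims more bytes than exist: truncated or bogus
    body = data[off:]
    if body[:2] == b"MZ":
        return "pe"       # executable hidden behind an ID3 tag
    if is_mpeg_frame_header(body[:4]):
        return "mp3"
    return "unknown"


def file_hashes(data: bytes) -> dict:
    """The four digests a sandbox report usually lists (SSDEEP needs a separate library)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, reported: dict) -> bool:
    """Compare computed digests with those in a report (case-insensitive).
    Any mismatch means you are not holding the same bytes the report describes."""
    computed = file_hashes(data)
    return all(computed[k.lower()] == v.lower() for k, v in reported.items())


# Constructed inputs: ID3v2.4 header with a 6-byte payload, then either an
# MPEG-1 Layer III frame header (0xFFFB9000) or a PE 'MZ' stub.
ID3_HEADER = b"ID3" + bytes([4, 0, 0]) + bytes([0, 0, 0, 6]) + b"\x00" * 6
MP3_SAMPLE = ID3_HEADER + b"\xff\xfb\x90\x00" + b"\x00" * 16
PE_BEHIND_TAG = ID3_HEADER + b"MZ\x90\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("mp3_sample", MP3_SAMPLE), ("pe_behind_tag", PE_BEHIND_TAG)):
        print(name, classify(blob), file_hashes(blob)["sha256"])
```

Run it against the real file with `classify(open(path, "rb").read())` and `matches_report(data, {"MD5": ..., "SHA256": ...})` using the values from the General section; a `pe` result or a digest mismatch is a reason to stop and look harder before the hashes go anywhere.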

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive. In this run the signature is raised by C:\Windows\system32\unregmp2.exe (PID 2636), the Windows Media Player first-logon registration step spawned under wmplayer.exe, not by the submitted file.

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments. Here it is raised by Firefox (PID 4404 and its socket process, PID 3040), not by any process that handles the sample.

  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No process in the tree below is tagged with this signature, so the report does not say which process made the call.

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Gucci Mane, Bruno Mars, Kodak Black - Wake Up in The Sky [Official Music Video].mp3"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Gucci Mane, Bruno Mars, Kodak Black - Wake Up in The Sky [Official Music Video].mp3"
      2⤵
      PID:3856
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.0.1806986876\57627488" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4ae2f1c-6454-4946-afa6-0344d50ec332} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 1964 1efececc958 gpu
        3⤵
        PID:2204
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.1.2145187750\1250492812" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cdc8a6e-eb9a-4482-9cc8-4d922bbb80d7} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2364 1efe0472e58 socket
        3⤵
        • Checks processor information in registry
        PID:3040
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.2.1502609147\77879385" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 20934 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd9c6aa8-c188-4433-80ab-28992d63716c} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3128 1eff0db2458 tab
        3⤵
        PID:4800
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.3.1495699803\971278157" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e46603c6-3e55-4041-a790-ae2a123e4c00} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 3628 1efe0460d58 tab
        3⤵
        PID:3456
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.4.2068893138\248401672" -childID 3 -isForBrowser -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5296667f-d167-4c34-a8f2-9447611eb4e9} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4596 1eff285c858 tab
        3⤵
        PID:912
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.5.2046231631\275826021" -childID 4 -isForBrowser -prefsHandle 2804 -prefMapHandle 5288 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58d2452b-9aad-4d78-8018-dea581350fb1} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 2736 1eff32e1b58 tab
        3⤵
        PID:5456
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.7.815867930\1922958694" -childID 6 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd55de3a-e50f-4321-9cb6-9999c9f4715b} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5560 1eff32e3658 tab
        3⤵
        PID:5472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.6.1801667791\1386045400" -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8aa8bb2-40cd-465f-937c-58add854560c} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 5428 1eff32e1858 tab
        3⤵
        PID:5464
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4404.8.1055139590\122783824" -childID 7 -isForBrowser -prefsHandle 4724 -prefMapHandle 4740 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6199180-e7d6-46ef-998c-43e5f388dda1} 4404 "\\.\pipe\gecko-crash-server-pipe.4404" 4712 1eff2a51958 tab
        3⤵
        PID:5284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    256KB
    MD5
    41e020ee798eceb4ac90cba2142a7a1b
    SHA1
    714ffdf4ddc441ae72c3fb2e4548a8219ad06fb8
    SHA256
    60968b6f285adc7f7347c43815c17a27a383807366f91212b81b17cac20131a8
    SHA512
    29d22703589df058c7f3509ce58f8e2f8fdf1fc2077e0622a796e4f9c17e563994e3cce83d74b5d58d79ae5b335a1e114c86ca7fe149bab10c3656c0acb0ae76

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize
    9KB
    MD5
    7050d5ae8acfbe560fa11073fef8185d
    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wp0zrwot.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    22KB
    MD5
    e3d5ff2cc68829d9f65feea0de4c2368
    SHA1
    d368051d4be99cfefe9ddd276e671b7d581edc38
    SHA256
    b5e1efccc21767b101ba56224e431146b65e0cf3b19207650fea6a7ad81b4605
    SHA512
    0024d6e6e39773619686211cedce394107a4615e2d5848d374b1898fc9b56ad620d656a8e168addf9cb13c2c4a5350897652ccc474aa88048d9a3112cb42a963

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize
    1KB
    MD5
    e39824e3cb78c306f37e4812656add2b
    SHA1
    e433784916b269f1aec79aad702e90c80a8734ca
    SHA256
    28a0b3cfa426b7383c9e9a8a26dbcbe9236ea652ee8863a6abf8966819915ee4
    SHA512
    59fa2f5c68d55149be30b1d30d863c22b35744ed3341f026895418336c2ded903143162ba51b9db7c617f9c1a818d0d13284129e2e27937b794300a70e30d8a0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    f56728992baf45659a23d53e57a98cd1
    SHA1
    07b3f73a5ce1bb7de5048f45a99e5b47a1612d18
    SHA256
    0205c5dc6b4654ff76b00f34de69ea7a553d6d768c28fd3ebd884865535f1459
    SHA512
    aaf465cf585e7eca4ec2e51d30ec266bf7c0c2a2773db75dc162aa7da8a11bd80b8e3546570fbf22873887e7d20d7522074c41abe7382f9c7b226abaa6dd41e3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    e6966e1944ef54d3823e4a80911415b5
    SHA1
    cb80f68ec8a526bde03bd2210a8ae991025ab11c
    SHA256
    e76a67997ceb670e0fc307a3e6b1ce552fa903fb38716ba3f7a5bbc004cc1d49
    SHA512
    03640cce0f84ed249f6d3c5cbad5e4994410b74298101ff243597af88c70ab6e2dd3dad89a317103b8714e6a49a451eb1551daedebb0c7e6c825a386bdf5f1c8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    e2c6e012b0f0ee9e67e972b1ecb086e0
    SHA1
    e6081bcdc1a4b991c7a3d561f5fd41325d9ae3f8
    SHA256
    c36a86420d24188e952ddfee9c6afd0652d32085813675d34cab259796945794
    SHA512
    4eb716ed0f3552885e89f0c95fb559d1a0f1cc85b41beafed005f1936e94a7d036720df4e5af409294225276778241959bdb6a6d22c9dc28288f21ddc25e02bc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    784250411c182ce76e9412da86415965
    SHA1
    88481d041f23d858051946f3847d6490c95fd3fd
    SHA256
    cd9190fa4c985dcbadda9add2b0973e9fd83f38314e21e72adc6ebb65f028b05
    SHA512
    cc8fd8264ba31eee24a4094e2fbdbdbfb1a0db07e48ac5f1d944d412cf21da19b318347852fee6fb24dba2f15703d20faa0a745d18b60061f54dca0e54c0e70e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore.jsonlz4
    Filesize
    4KB
    MD5
    b1f8ba580793e59f9df5051a1e536677
    SHA1
    60fa935c69d515575fdcc20d3d3377a902cc2a18
    SHA256
    e9198b15a66d2794257a0ad6aa19f69ca4dc5e2d6e1c33cc04814f3b3679b7d7
    SHA512
    bf6fc1bfc283fb3dbe29a24ad57d34882e57ac00dbb147ce7d69047301a5f9e40bc10d8f25c908aad367a5ef1e68f46b7a473cab034075183e6a93c929d6102f