878cfe83aad6c5b30ee37d802bc14567e8593d80e02102d7c423908f6a3fb869

Resubmissions

14/10/2023, 11:48

231014-nyndpsde4x 6

14/10/2023, 11:44

231014-nwjbzadd9t 8

14/10/2023, 11:41

231014-ntrwbsfd89 6

Analysis

max time kernel
82s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cinematic-trailer-orchestra-by-infraction-no-copyright-music-glorious-hero.mp3
Size

2.5MB
MD5

9b2dddbb16c4bbd11888d273d6360590
SHA1

caf4189d34c26ba0d7cb5d246fded473e9733a1c
SHA256

878cfe83aad6c5b30ee37d802bc14567e8593d80e02102d7c423908f6a3fb869
SHA512

3352aa87c7e4913829d169f508418aeaedce5a352dde93fa76e1ed355cd31c5961d198b8928200f8b59b02a8ac21aa215a2438ac89c004f0a718b0f337d0317a
SSDEEP

49152:jKL1F3td7Nie3jpNsV6Vc2lKKomylm4YkrdXnvravpFE2LhABdSJbZ:UzXie3jxVtl3Glm43zavpBLSXcZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	unregmp2.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{36332F3D-BF63-4BF6-B274-59F98E1B07A6}	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4080	unregmp2.exe
Token: SeCreatePagefilePrivilege	4080	unregmp2.exe
Token: SeShutdownPrivilege	2404	wmplayer.exe
Token: SeCreatePagefilePrivilege	2404	wmplayer.exe
Token: 33	3744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3744	AUDIODG.EXE
Token: SeShutdownPrivilege	2404	wmplayer.exe
Token: SeCreatePagefilePrivilege	2404	wmplayer.exe
Token: SeShutdownPrivilege	2404	wmplayer.exe
Token: SeCreatePagefilePrivilege	2404	wmplayer.exe
Token: SeShutdownPrivilege	2404	wmplayer.exe
Token: SeCreatePagefilePrivilege	2404	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2404	wmplayer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 3120	3220	wmplayer.exe	84
PID 3220 wrote to memory of 3120	3220	wmplayer.exe	84
PID 3220 wrote to memory of 3120	3220	wmplayer.exe	84
PID 3220 wrote to memory of 4844	3220	wmplayer.exe	85
PID 3220 wrote to memory of 4844	3220	wmplayer.exe	85
PID 3220 wrote to memory of 4844	3220	wmplayer.exe	85
PID 4844 wrote to memory of 4080	4844	unregmp2.exe	86
PID 4844 wrote to memory of 4080	4844	unregmp2.exe	86
PID 3120 wrote to memory of 4660	3120	setup_wm.exe	92
PID 3120 wrote to memory of 4660	3120	setup_wm.exe	92
PID 3120 wrote to memory of 4660	3120	setup_wm.exe	92
PID 4660 wrote to memory of 1248	4660	unregmp2.exe	93
PID 4660 wrote to memory of 1248	4660	unregmp2.exe	93
PID 3120 wrote to memory of 2404	3120	setup_wm.exe	94
PID 3120 wrote to memory of 2404	3120	setup_wm.exe	94
PID 3120 wrote to memory of 2404	3120	setup_wm.exe	94

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\cinematic-trailer-orchestra-by-infraction-no-copyright-music-glorious-hero.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\cinematic-trailer-orchestra-by-infraction-no-copyright-music-glorious-hero.mp3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
      4⤵
      Modifies Installed Components in the registry
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Modifies registry class
      PID:1248
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\cinematic-trailer-orchestra-by-infraction-no-copyright-music-glorious-hero.mp3"
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2404
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
fc240c081ec382df4b74d591d7d37a45

SHA1
396e9d8accb2ff8b32e6c3957808cb87d23ad47c

SHA256
8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038

SHA512
d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
7cd35c9dcad479018ec21caae169bba5

SHA1
941bfbe72d8318d438fd09aec976a364e3f14991

SHA256
76576f617c371159377b3c6c187f44000faf16012346565a9987c9932d4fe290

SHA512
ed7a7ed5a5f5fd8960fdb767cace1c783593676570567ec9362d0415147ddd813f69ccb573f5329c7fdfab46445679ffb55310de08d53a24e19c209c11aaf396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
59bac69c464ebbfde4072d964a7b26b1

SHA1
890ed80cf1465778ef29dd6a4b0bd93ff317f5a2

SHA256
4193d5de02498cc129ddc520e60db43949b89e53282fdc2242031c7e2d49a78a

SHA512
d2e98181ae94b7fb4ee7d8886344a8bf2fc1e6b6961a1ed9489ba38b1fb32235aaefef4fb3031bcb8f0f31390269de5c2c54c03db711868a65610c49ffbb303c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
f640ec42f70ae68411249ed11e4e958e

SHA1
932171a96aade07aa30b591f32a4f175b7838489

SHA256
21765b38b7a658b9ca41e334308377b0b799309f5d7b5d8f55a572a08e9a02be

SHA512
fd90337cba9646f75ba8814cc800112fcbf7429e11687fd3513b2dc86d49fb545aa53499f088ed093c8803a0d06971d7786636c2741e4896aadde13631876220

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
2KB

MD5
eb309feeaa2ea9914d4052813ea4b4c9

SHA1
72b5eedfa1fca0fdd72feba338c1e82ccc77fdd6

SHA256
363e2c5ed0cef43e32bebaae12b022b561b4e5c414069864a1b4158759f95491

SHA512
fa63998b999498efd9a5ed53c3809f4ed5f0b8d07bd76ce5d87aae006690013d123750f5ac08c3a318ae16d16d3a188bb85c89ae6473a2b401100a993030fc04

Download Submit
memory/2404-49-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-47-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-46-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-50-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-51-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-52-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-53-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-45-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-43-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-68-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2404-69-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2404-77-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2404-76-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads