052e54df0b86483f84bbff6504e202c36e7bc25885e369e830dd7086fb7c7562

Analysis

max time kernel
595s
max time network
446s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Size

1.2MB
MD5

03fa2aa90ad1ce098de68893d83f701d
SHA1

915306065ac728701614ed4fe03a03168d95bb84
SHA256

f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1
SHA512

db96240a0f996b82ce29e9c0d3da50fd5c26a4cc799ad85e8cc362e6f931fee643a6f3dc452f8000b38f0e4969b8181b51225ccf749c17febbb3afd15d3deac4
SSDEEP

12288:e5EzeaAcdXmZM1KNrtTCXSnny5doEqXfei/ElljPFnF42s2Bx0teS:0244/gPHoIuS

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

Processes:

WindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exeWindowsMediaPlayer.exe

pid	process
1396	WindowsMediaPlayer.exe
3212	WindowsMediaPlayer.exe
1548	WindowsMediaPlayer.exe
2140	WindowsMediaPlayer.exe
4972	WindowsMediaPlayer.exe
4868	WindowsMediaPlayer.exe
876	WindowsMediaPlayer.exe
3920	WindowsMediaPlayer.exe
4548	WindowsMediaPlayer.exe
3244	WindowsMediaPlayer.exe
932	WindowsMediaPlayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WindowsMediaPlayer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\StuchH = "C:\\Users\\Admin\\AppData\\Local\\Windows Media Player ver4.51\\WindowsMediaPlayer.exe"	WindowsMediaPlayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3096 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WindowsMediaPlayer.exe

pid process

1396 WindowsMediaPlayer.exe

pid	process
3096	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exeWindowsMediaPlayer.exe

description	pid	process
Token: SeDebugPrivilege	2836	f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Token: SeDebugPrivilege	1396	WindowsMediaPlayer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exeWindowsMediaPlayer.exe

description	pid	process	target process
PID 2836 wrote to memory of 1396	2836	f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe	WindowsMediaPlayer.exe
PID 2836 wrote to memory of 1396	2836	f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe	WindowsMediaPlayer.exe
PID 1396 wrote to memory of 3096	1396	WindowsMediaPlayer.exe	schtasks.exe
PID 1396 wrote to memory of 3096	1396	WindowsMediaPlayer.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
"C:\Users\Admin\AppData\Local\Temp\f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
  "C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Service binary ver9.95" /tr "'C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe"'/f
    3⤵
    - Creates scheduled task(s)
    PID:3096

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:3212

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:876

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:4548

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:3244

C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe
"C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe" /f
1⤵
- Executes dropped EXE
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsMediaPlayer.exe.log

Filesize
660B

MD5
284393596fdd49bebd7b861bf339b82d

SHA1
a36767dfc423b3c7fd3ff439b616862743a053c8

SHA256
0e692bcbba51ca4e766a427c9f28a7a4a9e326d2cf835493e57a9dc2121326b5

SHA512
8d3247ee0c3bf9a9fceea23eb5c646dbd8b3d954f4d62622f49070629e642d6a13bfb0d27949e2355c081d45f5a1101f05a9972782a0f0a478ed90f551d2efeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1ED4CFA3B6B1948A0F

Filesize
268B

MD5
944c080ac44b97602fb05b1ff5557171

SHA1
493945751f4dca6d21696b2c20c70d62d0f69c58

SHA256
e13aa2d0d1c4e5755e3515d85d4809859c05f8af38498e9513c0d85dba048458

SHA512
8be7e4326fac638c70a29671ed27b25dbd4f192aadec4733f8e89881d3171d4730961c7666ba9404dd579cf23362fb0bea8d0f94cd80c55d0a10498defb16b9c

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
1.5MB

MD5
c258620f1cb9b0b78d33cb7122d340b8

SHA1
f6c6dccc4be5a12798b2c4bb9c30252714e2db29

SHA256
4bf040bbb10c6dc30161c861dd468f01d39dc58bf9098f4e78e5b02b929dd956

SHA512
34a27e54ee2bc0875d06e8e74ba07c3b9b0e14e7b7a265237036cbc6bc570f1918b6e1b980ebc83251fea22ea78c23217ebcf482950757a09ae63cc1b5b045f6

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
1.4MB

MD5
a4ae7dae20dc20aca8f75da872fe4d01

SHA1
0e4b21d17cd6fae284d96a3b16cf90f6cfd5e667

SHA256
9693b25b9c0c8d229775252007abcfa082e0708853c67fbcc7d1b7055c9c91de

SHA512
3d3f2edd954f6b9c69bbaff184d0a58b66d2e3c45d5427a911e91a805f837d47ae801baffb1ec233551fc8ead8925c8966b57f80a0af52fb1172196606f85f81

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
1.0MB

MD5
7e84d2f3b9fd8b8d98330264a004fbed

SHA1
bcce84ab0d9b7483b1bb9d2e79d94e7cf364e49f

SHA256
9a4dbcbc917ef48fd6baf87c98fa0aa32565eb1efa6846f53cc706efd3ba9064

SHA512
7d9574c508c4e8516ee816cc8d19a96df6b5c2e91889ee6ab036d9fcdfa10d4b716580b2e8bb24a3349f9e7346f1a3fad55fcc3deb2c51d6b69acfc53c7c85b7

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
669KB

MD5
7b55291765b35e03e1fd6be785f81d6a

SHA1
a685ea877e8db24f476f6bf2d8be9113559b328b

SHA256
b8e81ec0eeec709f1339cefb35c9b8cb98135208006cc89905afb0b7d827c8e5

SHA512
a6ba837b8f775efe12bc74bd4b29ac748b7e2264a7273f6d132597440bd4f30076057733644cbe6e45c1912c7741b0423eb0698404abc9bea610fa48fe648fc9

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
2.0MB

MD5
e8c17655e81b430e3b4373167501cc1a

SHA1
5a83f80175f8f9d0d75f295535f0bd44c71d77bc

SHA256
f87b096d8e13cfee30f44d76201d31ff614ebce8e114fbea43c882f6b524e61e

SHA512
ac6abf20a9fb474366c2a30af5961ca8f271412b22289f6215ebeb5f9d0b6fe4f8d8bc6e00b41568811c5f6402a2bad24309117bfd1acfc7563211df212f9fd0

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
1.2MB

MD5
99df96b1dfc80e94740980cae21b780e

SHA1
bc4c3b68e63042d6f617577b33f563a689aebcbe

SHA256
270cec21bb0ced59fef321bd1b43d35dd61b376b987f9af049306878e13b089c

SHA512
407c16d72c5bd9207d9ee304baeef3e82a44e5be0d0d3d7c837c32e727154b2ff170beeec80981bc7f0853c242ff456b8e0b76d821cab8898599101f210ca704

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
1.1MB

MD5
6ca882d4bded8871d9c85efa45edd752

SHA1
ae71060f735f29dbd19579360357910bd89cc579

SHA256
ff02aefe1737ddbecd86dc837c76f8df45afe1ef4322ea1c20caefad9addb1c6

SHA512
c54998ffc7a0085cfdb987f0b942c895e191f607d7d850165eb7f7cab5edbbf5b84a55183b002caa25b0c11d2a10382d183cc67ceb2a6f498fb65b41c90bc179

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
713KB

MD5
898d86c8c7d27a969c2552bf0dd320b7

SHA1
ab500b4968903d1ce68dd7322774bb16ae61ddc1

SHA256
17a4d67ab95784c128087cb3279e75f13412219f40a455d9818c2c4beddab266

SHA512
a44984118f15d9d9977dabed624958d7f580c121b44c56ec8d1533f0927ab717747f661293de9c62ecacab7da2bae7ae5bfb7ba90e29fb666960846b7c760d49

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
552KB

MD5
01813aadc6f183dc30cdd063da40ad72

SHA1
9a58cb78efd2ae1e2c02b02c13f6f25bccaea33c

SHA256
ec1f7ffa54b400554a72c56d91affcf6eab5ac0b79ac07adb2cb16276c4f43fd

SHA512
adc2425dd63b6da6b13a9c1f61bb73107450714ef6c2efdb7300474851f4ef5dcfb252be9d9f244257cdd49f2952c114eedc70a2fbe613dce5565bdc414f46bc

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
766KB

MD5
3859d6904d08484f14e4d1da5619365f

SHA1
ea24fa7e2368e6734cb236f9f8f35d40f76a7dd5

SHA256
26911ad7473971cad5a983c7855ef15569190b1e8436276c0beef258d8a4e2d7

SHA512
5f5d4c41b909e5856b674cc0022b9d1f8c4b43b0821dd31d083d1b224cddfcb5fc161f13bf6b168976f050af46349ce50f3ac95af2083f5343288cc5562dccd8

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
537KB

MD5
01cbeffaf6afad92536148b52ace05a6

SHA1
9d59bfda9a3132ef29080e1901af0e06c4410c2c

SHA256
c34bdbf648cc5a7bb24a86cd96db7c1c55e9b4fc3869be8a573441e8100fdb12

SHA512
a91b654ab9c7643d71ef8db6c8f65eb5ffe145f121b1e65817556c6399895717290e95b0e29a7eda734552dcd568e1deb45ac7b0ebb456bd9df3af4b749db9b2

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
786KB

MD5
f927814d828111633f2e074e97683766

SHA1
c0f4b293810431da1874be8c59aaa18d29485f60

SHA256
5570121084c8cd4b1d97b40eb33c3f493aa43c73618dbb959c3dff3d0a04fa6c

SHA512
0b329871c72e843a2876bc84103a67f3bbef6613515e8c58ff690e06e76bf20f4fb4ad9201521b64cd569ebb5c545e9e35efa4fb70f8deddfef17d1e80c10890

Download Submit
C:\Users\Admin\AppData\Local\Windows Media Player ver4.51\WindowsMediaPlayer.exe

Filesize
12.3MB

MD5
0b02bd49089936e93c04f81ea1a26c04

SHA1
37fbdb56b7b95ee26ff02c37c4ffa1ed6a1498f6

SHA256
f8d1656c958550e3365d4070e488e4044ce1508024399c6dea338dc571db453f

SHA512
81562ea28411261e956ae2e012c5fad61ecfaefd7587bcba37afe5b8dcf120bc77ad5052c6bad430a1abdabe1d7f1d1999dca2d73c2809dddd63206b1d344b6e

Download Submit
memory/876-43-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/876-44-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/932-55-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/1396-23-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/1396-22-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/1396-20-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/1396-24-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/1548-32-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/1548-31-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/2140-35-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/2140-34-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/2836-1-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/2836-4-0x000000001B430000-0x000000001B440000-memory.dmp

Filesize
64KB

Download
memory/2836-0-0x00000000005E0000-0x000000000071A000-memory.dmp

Filesize
1.2MB

Download
memory/2836-19-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/3212-28-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/3212-26-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/3244-53-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/3244-52-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/3920-46-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/3920-47-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/4548-49-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/4548-50-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/4868-41-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/4868-40-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/4972-38-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download
memory/4972-37-0x00007FFC1FDD0000-0x00007FFC20892000-memory.dmp

Filesize
10.8MB

Download