Resubmissions
23-02-2024 22:41
240223-2l9m3abe2w 1023-02-2024 22:40
240223-2lrr9aaf67 1023-02-2024 22:34
240223-2he92sbd2t 1023-02-2024 22:31
240223-2fhbmaae23 1023-02-2024 21:56
240223-1tc4dshf83 1023-02-2024 21:49
240223-1ptkksae41 1023-02-2024 21:42
240223-1kaxnshe54 1023-02-2024 21:34
240223-1e6r6ahd88 1023-02-2024 20:17
240223-y239fagd36 10Analysis
-
max time kernel
1797s -
max time network
1803s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-02-2024 22:40
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20240221-en
General
-
Target
Server.exe
-
Size
37KB
-
MD5
3331918a0568c0d815a272bbcd21497f
-
SHA1
31b093fea6e6447fb4c232faa6d04db2e8549199
-
SHA256
e6c2602e22933912b73477dac66ed9ac50bf2de7a0254c8ac68d4034b3be7459
-
SHA512
27dbd0846d9f6e65909849b19bd4cec58f12477650b8bbae95bb8437ab5038e3f9029a3f5ef2cbaf55afa2b76ec1a367d9e3505a1d0047a880eb3d8d639b2024
-
SSDEEP
384:BLuf7WpgibTjpPu7w9qyMTczHPes2A7rbrAF+rMRTyN/0L+EcoinblneHQM3epza:EqNN9ZMTczWtAbrM+rMRa8Nuqnt
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} unregmp2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,7601,17514" unregmp2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" unregmp2.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2516 netsh.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unregmp2.exe File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\NeverDefault unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\command unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\ = "&Play with Windows Media Player" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\NeverDefault unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play unregmp2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" unregmp2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} unregmp2.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2168 Server.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 1876 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1876 AUDIODG.EXE Token: 33 1876 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1876 AUDIODG.EXE Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe Token: SeIncBasePriorityPrivilege 2168 Server.exe Token: 33 2168 Server.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2616 wmplayer.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2516 2168 Server.exe 28 PID 2168 wrote to memory of 2516 2168 Server.exe 28 PID 2168 wrote to memory of 2516 2168 Server.exe 28 PID 2168 wrote to memory of 2516 2168 Server.exe 28 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2304 wrote to memory of 2324 2304 wmplayer.exe 42 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 2324 wrote to memory of 3048 2324 setup_wm.exe 45 PID 3048 wrote to memory of 2124 3048 unregmp2.exe 46 PID 3048 wrote to memory of 2124 3048 unregmp2.exe 46 PID 3048 wrote to memory of 2124 3048 unregmp2.exe 46 PID 3048 wrote to memory of 2124 3048 unregmp2.exe 46 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2324 wrote to memory of 2232 2324 setup_wm.exe 47 PID 2232 wrote to memory of 1044 2232 unregmp2.exe 48 PID 2232 wrote to memory of 1044 2232 unregmp2.exe 48 PID 2232 wrote to memory of 1044 2232 unregmp2.exe 48 PID 2232 wrote to memory of 1044 2232 unregmp2.exe 48 PID 2324 wrote to memory of 2616 2324 setup_wm.exe 49 PID 2324 wrote to memory of 2616 2324 setup_wm.exe 49 PID 2324 wrote to memory of 2616 2324 setup_wm.exe 49 PID 2324 wrote to memory of 2616 2324 setup_wm.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2516
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2592
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b81⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary3⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:2124
-
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\system32\unregmp2.exe" /PerformIndivIfNeeded3⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /PerformIndivIfNeeded /REENTRANT4⤵PID:1044
-
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Music\ExportComplete.wm3⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2616
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{D81C8585-B0F0-44BE-B1D1-40FE443E10DB}.jpg
Filesize23KB
MD5fd5fd28e41676618aac733b243ad54db
SHA1b2d69ad6a2e22c30ef1806ac4f990790c3b44763
SHA256a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
SHA5124c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4
-
Filesize
1.0MB
MD5d01ce8738231e9ff5b39d030c9820cc3
SHA107a875a9686dbe5d69f5ee94574a1d4e8d520db7
SHA2566f316c04071312a56b8dae79b25a47d31ae88821a18f20401bdb78e0eff4dc1d
SHA512c07ae2e67e42926119ccab6ddac5de508805769c3afe813d69c5eb5d46a6c1d3ce5cc46d6e75b5f770d35e57416018b62480723fb7f08b7f7ca28a139b987076
-
Filesize
546B
MD5df03e65b8e082f24dab09c57bc9c6241
SHA16b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99
-
Filesize
523B
MD5d58da90d6dc51f97cb84dfbffe2b2300
SHA15f86b06b992a3146cb698a99932ead57a5ec4666
SHA25693acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
SHA5127f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636
-
Filesize
3KB
MD59886576e66b81b25fd681b343d4fcada
SHA1e521b1d0564401d3674ceeab52e047a3d3be5ac4
SHA256d336097245b946c264031533e8fdb6c45da641b0ecea9107d119a87de9cc4b53
SHA5122d8355732f883b4b76c14ba53cce8224c76c2431c101ab948b812658eee2125cbe11dfce8ac0ba259b46ec2bfdf565903eecf79b8fe1abcfeb36d2d8854c6041
-
Filesize
309KB
MD58705248c19e5ee1b32ebcf606966d8c9
SHA19dd1731ce1ce803e386d16f3fc513eb0e82b039f
SHA256f87506719ad503481550ee959385eeb58645f65ca4e896406709c2bfab5747fc
SHA51210661e2e64e555e655f387e87374569c636acf2b10692194d6fcdf1bebbab459e5c9297ae965abe409d814746beb62a338fe56b6e2f9d01495f8a2884e7ba75d