Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

robloxapp-...06.wmv

windows10-2004-x64

8

Analysis

  • max time kernel
    1792s
  • max time network
    1739s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/04/2024, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    robloxapp-20240427-1215206.wmv

  • Size

    1.3MB

  • MD5

    ba3467a26a93352110441e571cec82f7

  • SHA1

    3e96c95516c47764abdd8ebe5f4cc312ba918cf2

  • SHA256

    c0dfbf24cba2de0c91e0e8e58e39105e2bb3a24516cb90b3264ffed45e0894d4

  • SHA512

    4de047ba613c4c546078ae74708e89fb66427ade7f639e0c05608b78a74fe0330566d0e66c490cf439bf1ee6dd8ee8c67d612a25d203ad2c9a3336c0c387fe07

  • SSDEEP

    24576:znrBTdiNRQBco954xjDLIEBwqTmqFQNHXeiZj/yoAOaRcVja0MpiM:zNRiMBco96PGGYQBRh0MYM

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 8 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20240427-1215206.wmv"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20240427-1215206.wmv"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Modifies Installed Components in the registry
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:2720
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:7 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20240427-1215206.wmv"
        3⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:5008
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:5012
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x320 0x4b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    256KB

    MD5

    563088ad0f20fabf9dd62c6ba8ae1636

    SHA1

    f9cd2fd153afa1a12ff990cf27c32b8c9c44e878

    SHA256

    eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184

    SHA512

    8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    34a6a3c324a4f9386bd9f50f65a3006a

    SHA1

    1bca45065e99e946d84bb0ada4c37347751cc124

    SHA256

    37bf921fb1640024e5474dbd043bf9c337fdafc788319fcbc04c00a58e88cd9f

    SHA512

    861ddf532d4ae187239ce1617dc301a4baef1d6a73d1ac57e79791c17e97aa18651f6fc677902f83dee42216f6a57e851fbe33262344d54f90ae9153079dbcb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    e843f63ab6fdbbf0caf934a3891106d7

    SHA1

    9baaa9c63cf37e8e820a6f51dbcddfa8c4e46a46

    SHA256

    d72a54b7e9cea622adb6019ae7cdd76222de5082b645b747dcee3bdf5d449185

    SHA512

    476c122a1218ce32d6477485d258af63d0086fe258e2ccc287b6fd64be1b440e3c908fa59914bf0c3029d960ce379488fd51cd36b508b6c9aca802de299b685d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    7d548e96062c793278a720c80de37008

    SHA1

    cb3967b53bd4d8a5773ea39b233d6a1c9caabfdd

    SHA256

    f83fe92720888791b08fccff3cc47eebe92c606d4bae842e51512fd8fdd73fc2

    SHA512

    3c612cf661e47072983a0891bfacb4e3a59303de17d253b9062fd1aa6f627ecb55796403752b4b4f4a4bd81f036bcc7b09bc2488ea51b863f68240192d27200a

    Download Submit

  • memory/5008-43-0x0000000004360000-0x0000000004370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-45-0x0000000004360000-0x0000000004370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-44-0x0000000004360000-0x0000000004370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-46-0x0000000004360000-0x0000000004370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-47-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-48-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-50-0x0000000004360000-0x0000000004370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-49-0x0000000004360000-0x0000000004370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-51-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-52-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-54-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-53-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-56-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-55-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-58-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-57-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-61-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-60-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-62-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-63-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-65-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-64-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-66-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-67-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-69-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-68-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-71-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-70-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-72-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-73-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-75-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-74-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-76-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-77-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-79-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-78-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-81-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-80-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-82-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-83-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-85-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-84-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-86-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-87-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-89-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-88-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-91-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-90-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-92-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-93-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-94-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-95-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-97-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-96-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-98-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-99-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-100-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-101-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-102-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-103-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-104-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-105-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-106-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-107-0x0000000008B50000-0x0000000008B60000-memory.dmp

    Filesize

    64KB

    Download