5827b8f87c888fa2666fa195574f614ef9870d1480b590906e336ea3338ad893

Resubmissions

28/04/2024, 12:14

240428-peeswsfe43 8

Analysis

max time kernel
7s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28/04/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ETERNA.mp3
Size

5.6MB
MD5

ed383636189f35f157fcbb1239b0caff
SHA1

412b0a75394b19fa8d6381b0f90f5f6d79c2582c
SHA256

5827b8f87c888fa2666fa195574f614ef9870d1480b590906e336ea3338ad893
SHA512

b3b30cc49dfbb69ee225d239a91a7aac58c2439ab9493021dc410396fd4bbbaec690639f6e9c2eefb2992554f7d5d52731e55bab1cce7eb6a71ce4ca6d240af5
SSDEEP

98304:vezC2BgaPB8jkMNBRuTDYb2DYeVO8cXZLbb2rpM0+ZIU4jEvKG:vuBF+jrMYbe1cpLbq1MfbMdG

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,22000,282"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{EBCE281A-7485-45C7-BB52-A41EA036E907}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1536	unregmp2.exe
Token: SeCreatePagefilePrivilege	1536	unregmp2.exe
Token: SeShutdownPrivilege	3000	wmplayer.exe
Token: SeCreatePagefilePrivilege	3000	wmplayer.exe
Token: 33	2664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2664	AUDIODG.EXE
Token: SeShutdownPrivilege	3000	wmplayer.exe
Token: SeCreatePagefilePrivilege	3000	wmplayer.exe
Token: SeShutdownPrivilege	3000	wmplayer.exe
Token: SeCreatePagefilePrivilege	3000	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3000	wmplayer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 5012	756	wmplayer.exe	79
PID 756 wrote to memory of 5012	756	wmplayer.exe	79
PID 756 wrote to memory of 5012	756	wmplayer.exe	79
PID 756 wrote to memory of 3876	756	wmplayer.exe	80
PID 756 wrote to memory of 3876	756	wmplayer.exe	80
PID 756 wrote to memory of 3876	756	wmplayer.exe	80
PID 3876 wrote to memory of 1536	3876	unregmp2.exe	81
PID 3876 wrote to memory of 1536	3876	unregmp2.exe	81
PID 5012 wrote to memory of 4896	5012	setup_wm.exe	83
PID 5012 wrote to memory of 4896	5012	setup_wm.exe	83
PID 5012 wrote to memory of 4896	5012	setup_wm.exe	83
PID 4896 wrote to memory of 4032	4896	unregmp2.exe	84
PID 4896 wrote to memory of 4032	4896	unregmp2.exe	84
PID 5012 wrote to memory of 3000	5012	setup_wm.exe	85
PID 5012 wrote to memory of 3000	5012	setup_wm.exe	85
PID 5012 wrote to memory of 3000	5012	setup_wm.exe	85

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\ETERNA.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\ETERNA.mp3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
      4⤵
      Modifies Installed Components in the registry
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Modifies registry class
      PID:4032
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\ETERNA.mp3"
    3⤵
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3000
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
19d78b1eae63fd95e33c36ae0cad7aa8

SHA1
52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b

SHA256
50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80

SHA512
34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
61fe81b2e20b44b8c933046008edf13a

SHA1
1665840e8c9b9264c168454f0b5f6d239bd2e130

SHA256
2d51920af2fface79143d0565c68a76655644820281bea28678d89a260083e65

SHA512
17fa3f7e4284ca6d3bedb7be2515c47afe213661be10f273f9fd6efad444d6ccf3fe93967ed2705b745711ffe129408126e45cdc2e4a47ffd957a391334519ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
8aa54b08f6f1137e5fbabe1164a2766d

SHA1
424a652f136c7abb499851b5667440dc8875765a

SHA256
0304dfbfbfce67e157abac4279bba86bf4f2c565f89eaec4e8645abc858b4d5d

SHA512
15f9828c82384f27697b17a3c897341b1d8979dc8979a2308e86f79ae9e3ba82061644b73ebfdcb729fc74370adb10ff1b15929729adf890438d86e4ba650be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
2KB

MD5
3f9326f5b7b8a6ca1360687cd1272ef8

SHA1
dffdd9c6f65398d925bcf2664dac5c92d4e6b273

SHA256
e1a3119608114cdfff510be982eb5ba7948c17001f591ad67289d70d41347ccc

SHA512
5acba8917e66e305827c6f6f2aba783ac736d3a35fef0647113ecc810c6c91a14fb7539b31191d107133b016c37ea8065ac51afefe421230e075c1906445b608

Download Submit
memory/3000-45-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/3000-46-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/3000-44-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/3000-43-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/3000-47-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download
memory/3000-48-0x0000000003B60000-0x0000000003B70000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads