Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 23:54
General
-
Target
Microsoft.HEVCVideoExtension_8wekyb3d8bbwe.x64.appx
-
Size
2.8MB
-
MD5
8062f8c41ab2483afadd598023149e2e
-
SHA1
1c48d07e224bfba32cd647a9f7e638fd95297ee3
-
SHA256
9f72f2e53d9c388d9ad56bd68a6738cc453db7924df17998857f0c9a1e24ed7a
-
SHA512
28939368223d4c0d6386f147b53a2c59cf4fff131c77908d2d672b1b3b5f852bda8b025bfc2c989973659860fc332ebb1ad4c93f54bb79ea372d0447e71f78f7
-
SSDEEP
49152:Vw8XvAppwIhXnllmy9ptFQ0DvfO5yzcmNHcHGbWzzmfm19i7J7iACan:Vw8XvAppwoXnllmgtG07fQ6cK8HGbW6j
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Drops desktop.ini file(s) 8 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start shell:AppsFolder\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe!App1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -p -pfm Microsoft.HEVCVideoExtension_8wekyb3d8bbwe1⤵
-
C:\Windows\system32\Clipup.exe"C:\Windows\system32\Clipup.exe" -p -pfm Microsoft.HEVCVideoExtension_8wekyb3d8bbwe -ppl C:\Windows\TEMP\tem5D91.tmp2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
-
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Downloads\JoinRemove.wm3⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9b2eecd-c2c4-4d8c-baff-231f3ad8783d} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {397d0abf-1350-4dc3-8dec-990e0fbc18de} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3180 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e01f87e5-4204-41d9-b635-d1f4e29efad5} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4292 -childID 2 -isForBrowser -prefsHandle 4288 -prefMapHandle 4284 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13593620-64c5-4de6-a2f6-7536023672f9} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4728 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fb2fd90-611c-4c13-945b-5a849998b6b2} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5196 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {366daf03-1688-4b2d-8c16-15f833e18075} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64a2cbbd-0ed6-4692-817f-e118ab7188b1} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01949885-3c40-4325-8c8d-479b1093d76d} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 6124 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ab193af-451d-4452-be97-b457ec96bd84} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
530B
MD5a7c936ff9df636a433ec4a4a05b14d72
SHA19dea8ad840be302333fde52f11f7d4c305a5598b
SHA256a22965e591f64083bc8c743a6d1ad425dc455b9b8d7606597e338cb06db1bb83
SHA5120dfec83e98b9bf3f3b2fbef95f41d4b26d1e2cf710a0441eb24a3dd5c95850b0ff7301c2b0a2ab0017e048e4ec8ee183ebfdb84827e576ac9790f370da70fa3e
-
Filesize
256KB
MD50ecdeddfafb9600e962a6e3f8b0b1b7a
SHA19f335737bdad8231131df64823655869d272c078
SHA25668de6354c2872161a433b75e9bd8f0555c32648295cfbe29944deddff9a1fe0e
SHA512bf30318e2a78f6b4bb72e5d32d715a5d392b800422a88cd765c6eb6019bbec3a2b65c8ab876d748dc7aec7ac775cdfd6e7a66f5b5876c452bfc3ad734db9c331
-
Filesize
1024KB
MD5ed0be3eff9e0abbb44407f361044367c
SHA16d2d635d97b3b50c12a3c07ad1c27a60631b348a
SHA25635d4aef4166d54da48eed2217f7caf74027d2886fe73f2f7cd2b4a43e5fa9d92
SHA51283ee8e13f2134aa62bcef41936902cb6af8bb81246564c865bfeea0968cd683237a43ed3e607ae3f1bf21aedecb852eedbd235f1247568dbc40cfe37442bbfdf
-
Filesize
68KB
MD5e4f49f41d916b8ea1ea8d1a413045091
SHA1ccdd64c65c6b6c2d59d995a4ef6a3621f3aeeb0f
SHA256d6098dbaffc28304a32ea317a37f7832ca3eb76d17f6f963c8e9e9224b409303
SHA51231b2a843827e7683068cb1a73df61741e3c0dd304bd5c0138de3e338caff7040cec2e99c678f5dd7ce877b166dd136d4e3df07ab343f6b761fa0ab6426eccc98
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5abfaa6194ae29e0bb5647247519d3c12
SHA1ae119d0b159650f54ea8e55089b49493e45c7b78
SHA2563ebaff650d76d4715faa3ba806024c6c09d531e508be16a5cc9fe04c363dcd38
SHA512a6c08f7bb89047e36b551e6ef8828e346d1c80334e6c77638f4226b3a2fcb333ab1b760b023d041b622bcdb43d9d61eef1426b3fc584fc6c6f06c2a8167ab128
-
Filesize
1KB
MD583b1592d7408c82e3d2f0ec17ec1991c
SHA1a9ffff063a6af9c9ffba5c35dc47ded99fefcc55
SHA256724e85046d0fe86b8c3de9b7770651cb298bf13aa5d3b7222760d7bb47937863
SHA5128c7ac0bacfc1cd939d13c30b3734fccaddbf72c1e2fbfc3365328cc7b4e05e7453434c4bc7eac1e81ab77978a454c9f0a6c95d5d3a98fde2e4c834dc1d538d2e
-
Filesize
3KB
MD5a5583266b145427ffa6fbf6f4688e0da
SHA198cbd306ada2c712fc9ecc849d01df5da028adc5
SHA2567590532c639e173ab876a6789c9105cfe68d51a9edb08c83e25b93b10d545130
SHA512894910dcefa033a024bd2c9eeb83d93e33f57718ed3c551e0ade6318e81089ea8d7df529af7addec452a782cf6dae3e4a496faed0a8340e7f7d9db7ad2cfbdfe
-
Filesize
6KB
MD5caa95180346745174676b2c1f03d06bf
SHA1fefb0021665e8b20d96e7b41b05664f98e10bc7b
SHA256313499ffc7d31559ae5a7fb7b8860d4fa49bc204d89c93ee900f205e37713805
SHA51278a4cbef368729b046243e690e54cdce1de787705d08fd81c2e1ce94e627e19d7e29ddaaf4a4ca182bd0bd2972974ae6fe0169fc8e872ddb430268b5e36b6dfb
-
Filesize
5KB
MD5bd6266e230f762a73a4643b4937d60f8
SHA1c2e3a7a82de7bf12cfc70b839d1f2008578c5943
SHA256bfca67e48eb673db7f70c51c9adbdb8ed48f1ecadf5f4d66cc24fef2902b7817
SHA5120c141e89359619fa8a26f90d31beb59314313ccb881cf5ac9a2c7649c53f4089573296b5598b9f63ef86e6821cfdcfdbfb917f5a96d881d696c8396b97b23c76
-
Filesize
27KB
MD5cf772ce402e7d5ecc495df55b3b3cd29
SHA1e5821fd135a2e4ff1496a9e87749da3f9944851c
SHA256aceda00f1a1db827156acfbecce1e4ba4593566335a56a940d3f491c5da32dc9
SHA512895fdd3ded6bb8fffabe2bc0c15eb34966b97870b5620c1aabd82d195ae1651511dea90ab5e12edad661ed921666268634a1ae3d153b6908debe1a4c98e6e232
-
Filesize
982B
MD5c42d8bcafd7c4e84d0f1c25ca3cf89f3
SHA1654d0e7992a53e7eb9ab286284218bc5a13efc0e
SHA256016c16ce69edd95e06df55784dccb865633cfbee31b523438b571e2c13695eb7
SHA51255c2edd6c072abcb46c1c9b89bf3a5790595f4074a6005c4fc1bcebf78ebcf7af6e0c475e7379850c9fdc4c3cd2850a713e228d2b94c2281d2628ee964f86552
-
Filesize
671B
MD560e116fb21556dac0690456eaae3a36e
SHA1e5272046863396582c7aef5997a74b0328542122
SHA256eb6325e26206976a75abbcd1ceab82da6f597a6da7524cfd162bc9f561cba464
SHA51200551f1b46f6cd9caa2ffcf197638e781def30aa80817f28a3831b99f4d815e269cb9199f7d1cd677d7275c7a09fdf0cd69fe5d8f9d9af3be98a2d5be0f55fbb
-
Filesize
8KB
MD52096f4f898958c80b31350dc11cf13f6
SHA1e0109af05b1bd54d00474b58cee343fe1b199ef5
SHA2561efe594e489df7a5f23a7e5778c0db2acd50a75d284eca15a2809413ccff2a02
SHA512b748a7df5027346cb183f5788d39dadb478d04051fd6d16adac108c883b03b1c7cabf9aae86ad9dee5a38c33a1166c14f9ccd4f996f208e8d7c016571aca348c
-
Filesize
8KB
MD522958fb979c5c1870b52900a71345278
SHA1e5de1974b63f7020f8e7ad09f483ac977112257c
SHA256ad2b2dd19ee9c8aeaa55c90622d6328d582f26ee8daf4525e522b1b028ba04c0
SHA5120ffe83c3e976f269671e76ed5cbd8a58d84318a70ebe811cccfe7f404be774784db6c482c125ce667b1ca3543efcba1facaca83f23a0dbf3143664dc7a61953c
-
Filesize
32B
MD53a696dbd1a68a556870c204865719787
SHA1161f8934ed3fc5133b1d3b93c44ee2b8a482725a
SHA256d049946b7e31069d77406134dfcad4cdab5247777b1a560c7719b47f56dcc194
SHA512ffabbfc291f644f9b17df375bf4a1635b584ffcea9f544168e1c5b40ad637d29b86e1e8d6c57075eead2a1e0542508cca43204d3b795d5c290ffa7cbff18e529
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB