Malware Analysis Report

2024-10-16 06:35

Sample ID 240609-lw3z9shg32
Target videoplayback (1).m4a
SHA256 ef71fc04b1c1bc44f1d5c3d72cb94e5c58aab8504d45de5cc3d21ca32efb4597
Tags: evasion
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral16 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral17 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral18 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral13 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral14 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral15 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 6/10

SHA256

ef71fc04b1c1bc44f1d5c3d72cb94e5c58aab8504d45de5cc3d21ca32efb4597

Threat Level: Shows suspicious behavior

The file videoplayback (1).m4a was found to show suspicious behavior.

Malicious Activity Summary

evasion

Enumerates connected drives

Resource Forking

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 09:53

Signatures

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

android-x64-arm64-20240603-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

0s

Max time network

1s

Command Line

[/tmp/videoplayback (1).m4a]

Signatures

N/A

Processes

/tmp/videoplayback (1).m4a

[/tmp/videoplayback (1).m4a]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

ubuntu2204-amd64-20240522.1-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

ubuntu2404-amd64-20240523-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:57

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\System32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 0ac0f35690ececc5426759bb3269c6c9
SHA1 11baadbb042160ce40b5bb1f0d38c434c5397abf
SHA256 4e70c52a1fd05a49de6c38911983041cc1f7f64d8db1d0964022016bf8bb0fe3
SHA512 8b861dffbc26c10cf64e2cc52a610c43abc522876f4708a90921215ac75c79f00ea6beb897a60ce7f6ec8c6eb0fd85ecc7070a7fa10ded9f6e419fe015c87c7c

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 0e807656bd86f2aef7ccf207f963973b
SHA1 27052af8d103d134369e356b793eb88ba873df55
SHA256 c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162
SHA512 e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

android-x64-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

debian12-mipsel-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:57

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 1cc6ccffb2cdc30bbebca2fbe1422023
SHA1 bbcbd5da194b3fe2056d36c795710286d9f9aac9
SHA256 e98678c0fc3832b57f54aef2a12cd1d1f6c0cd616ce7f14c385757f8ad39be3d
SHA512 aba650d739e118fe373509f339d728ecf84e3f38d9956d6b50c5873ad6495a679c5f2b85b982a85b3f0864ce0d3f5e32b465b13aac65169cf1603430ded19b57

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:57

Platform

win11-20240426-en

Max time kernel

90s

Max time network

93s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 0fc86142cbbca12ebe3cc4cf2c06e4e8
SHA1 87af83ba26f90567012e9bd06f705c885b8bdf1f
SHA256 aab24d48774a04a5adb7d3767e92184e0c6accab48d5a481c3ca96c34535b2f6
SHA512 34ff88d630d2e516bf405bd9c9f9f243722e2195505c35ff4c94866323290c872b5a367c38a74f2f59ab143412edd94b9a89aa5308a7a29e1504457be44342c3

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 bbb416e94d91b0dfbb49e250efb4e183
SHA1 bbf9700fd646ed2de62e7efc230b578e7cb5d414
SHA256 82302657180df4c8f2f81df34d3150f263b1a51773fc168b0b639906163d0dd5
SHA512 13d07ae391a9429f508a052aa7c6fa39fdc1d18963e2697f7918229dbebcaf937c65fa4209099178a9ca66e8ccb48544f24a073ca24837e65983f1517b054d3f

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

android-x86-arm-20240603-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

debian12-armhf-20240221-en

Max time network

14s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

0s

Command Line

[/tmp/videoplayback (1).m4a]

Signatures

N/A

Processes

/tmp/videoplayback (1).m4a

[/tmp/videoplayback (1).m4a]

Network

Country | Destination | Domain | Proto
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.61:443 | | tcp
US | 151.101.65.91:443 | | tcp
US | 151.101.65.91:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:57

Platform

win7-20240221-en

Max time kernel

141s

Max time network

131s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\videoplayback (1).m4a"

Network

N/A

Files

memory/2892-5-0x000000013FE20000-0x000000013FF18000-memory.dmp

memory/2892-6-0x000007FEFAEC0000-0x000007FEFAEF4000-memory.dmp

memory/2892-8-0x000007FEFB2D0000-0x000007FEFB2E8000-memory.dmp

memory/2892-13-0x000007FEF74F0000-0x000007FEF750D000-memory.dmp

memory/2892-14-0x000007FEF74D0000-0x000007FEF74E1000-memory.dmp

memory/2892-12-0x000007FEF7590000-0x000007FEF75A1000-memory.dmp

memory/2892-9-0x000007FEFB010000-0x000007FEFB027000-memory.dmp

memory/2892-11-0x000007FEF75B0000-0x000007FEF75C7000-memory.dmp

memory/2892-10-0x000007FEF7680000-0x000007FEF7691000-memory.dmp

memory/2892-7-0x000007FEF5C00000-0x000007FEF5EB4000-memory.dmp

memory/2892-17-0x000007FEF7490000-0x000007FEF74CF000-memory.dmp

memory/2892-16-0x000007FEF5A00000-0x000007FEF5C00000-memory.dmp

memory/2892-30-0x000007FEF6810000-0x000007FEF6866000-memory.dmp

memory/2892-29-0x000007FEF6DE0000-0x000007FEF6DF1000-memory.dmp

memory/2892-28-0x000007FEF62D0000-0x000007FEF633F000-memory.dmp

memory/2892-27-0x000007FEF6380000-0x000007FEF63E7000-memory.dmp

memory/2892-26-0x000007FEF6870000-0x000007FEF68A0000-memory.dmp

memory/2892-25-0x000007FEF6E00000-0x000007FEF6E18000-memory.dmp

memory/2892-24-0x000007FEF6E20000-0x000007FEF6E31000-memory.dmp

memory/2892-23-0x000007FEF6E40000-0x000007FEF6E5B000-memory.dmp

memory/2892-15-0x000007FEF4780000-0x000007FEF582B000-memory.dmp

memory/2892-46-0x000007FEF43B0000-0x000007FEF43C2000-memory.dmp

memory/2892-45-0x000007FEF43D0000-0x000007FEF43E1000-memory.dmp

memory/2892-44-0x000007FEF4410000-0x000007FEF4425000-memory.dmp

memory/2892-43-0x000007FEF4430000-0x000007FEF4480000-memory.dmp

memory/2892-42-0x000007FEF4480000-0x000007FEF4494000-memory.dmp

memory/2892-41-0x000007FEF5910000-0x000007FEF5923000-memory.dmp

memory/2892-40-0x000007FEF44A0000-0x000007FEF450D000-memory.dmp

memory/2892-31-0x000007FEF4600000-0x000007FEF4778000-memory.dmp

memory/2892-39-0x000007FEF4510000-0x000007FEF4572000-memory.dmp

memory/2892-38-0x000007FEF4580000-0x000007FEF45F5000-memory.dmp

memory/2892-37-0x000007FEF5930000-0x000007FEF59F5000-memory.dmp

memory/2892-36-0x000007FEF6240000-0x000007FEF6256000-memory.dmp

memory/2892-35-0x000007FEF6260000-0x000007FEF6271000-memory.dmp

memory/2892-34-0x000007FEF6280000-0x000007FEF62AF000-memory.dmp

memory/2892-33-0x000007FEFB230000-0x000007FEFB240000-memory.dmp

memory/2892-32-0x000007FEF62B0000-0x000007FEF62C7000-memory.dmp

memory/2892-22-0x000007FEF6E60000-0x000007FEF6E71000-memory.dmp

memory/2892-21-0x000007FEF6E80000-0x000007FEF6E91000-memory.dmp

memory/2892-47-0x000007FEF4230000-0x000007FEF43AA000-memory.dmp

memory/2892-20-0x000007FEF73B0000-0x000007FEF73C1000-memory.dmp

memory/2892-19-0x000007FEF73D0000-0x000007FEF73E8000-memory.dmp

memory/2892-18-0x000007FEF73F0000-0x000007FEF7411000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:54

Platform

android-33-x64-arm64-20240603-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.213.4:443 | | udp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-09 09:53

Reported

2024-06-09 09:57

Platform

macos-20240410-en

Max time kernel

134s

Max time network

149s

Command Line

[/usr/libexec/dmd]

Signatures

Resource Forking (tag: evasion)

Description | Indicator | Process | Target
N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A

Processes

/usr/libexec/dmd

[/usr/libexec/dmd]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/videoplayback (1).m4a"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/videoplayback (1).m4a"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/videoplayback (1).m4a]

/bin/zsh

[/bin/zsh -c /Users/run/videoplayback (1).m4a]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country | Destination | Domain | Proto
US | 20.189.173.2:443 | | tcp
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp
US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp
NL | 23.209.125.28:443 | | tcp
NL | 72.246.172.153:443 | | tcp
US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp
GB | 104.91.71.135:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp
US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp
US | 20.42.73.25:443 | | tcp
US | 8.8.8.8:53 | cds.apple.com | udp
BE | 104.68.86.71:443 | cds.apple.com | tcp
US | 8.8.8.8:53 | help.apple.com | udp
US | 23.220.113.166:443 | help.apple.com | tcp
US | 23.220.113.166:443 | help.apple.com | tcp
N/A | 224.0.0.251:5353 | | udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1285.xml

MD5 9a43af57707d2fb460832049d1f217d1
SHA1 056d813f8cb5198ca82072f7e3484f38ea5267f8
SHA256 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c
SHA512 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 2aed25b5aa33232c29a33e5c4a9891b6
SHA1 5af7fc83503d7d550918d65d5e50c6accc1e2a48
SHA256 f7aa5f5e6e0f1c2f2fe851dea12dcff3094522f73a18248d11d8575b2e6a10a2
SHA512 87f45f1d43ad42b810e8edac4549045ff2d8e3d746a4ab9dce8f6a48f081f91f2cedb6ffd3dfcaa18488eb05550922e3a345aaecc3087bccc067b67741667e95