008edfc7f5ddee99f159ce144bfea2d812827e79aebe6b2a8e9c997876b280a5

General

Target

clip_12.mp4
Size

62.6MB
MD5

c790f7e78bc06de9b8c1e23e5be7c822
SHA1

a9d73b1901fe9a39b8945fa4299af11416f48eb6
SHA256

008edfc7f5ddee99f159ce144bfea2d812827e79aebe6b2a8e9c997876b280a5
SHA512

2ef762f374a9ea3f26872475b134dd7317f25c8d050798f856771562875352aa3849a1c4811703f32095ebb86da31a5cbb20b4a7b1f7ba18d17581f37804dce3
SSDEEP

1572864:sDy3/lM5Z4BynOjorIBWfO+1QI5PD8eDMIqvR2+kk2wzycGDoehfDIiIFw:sDpTMynOjorISO+P7VDMZ2C2wFGDuhw

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2472	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2472	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4032	unregmp2.exe
Token: SeCreatePagefilePrivilege	4032	unregmp2.exe
Token: 33	2840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2840	AUDIODG.EXE
Token: 33	2472	vlc.exe
Token: SeIncBasePriorityPrivilege	2472	vlc.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe
2472	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4824	3684	wmplayer.exe	84
PID 3684 wrote to memory of 4824	3684	wmplayer.exe	84
PID 3684 wrote to memory of 4824	3684	wmplayer.exe	84
PID 3684 wrote to memory of 4684	3684	wmplayer.exe	85
PID 3684 wrote to memory of 4684	3684	wmplayer.exe	85
PID 3684 wrote to memory of 4684	3684	wmplayer.exe	85
PID 4684 wrote to memory of 4032	4684	unregmp2.exe	86
PID 4684 wrote to memory of 4032	4684	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\clip_12.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\clip_12.mp4"
  2⤵
  PID:4824
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4204

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\clip_12.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x4b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
c374c25875887db7d072033f817b6ce1

SHA1
3a6d10268f30e42f973dadf044dba7497e05cdaf

SHA256
05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

SHA512
6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3df8e3b4e07b4eec39689bd8deb53241

SHA1
51f1672847cde079bf85f983b1e122968be2d6b0

SHA256
0a3a2c64ed419c3a75df6c1f9582d7db3357a09211ece2b8e002dfbbbced580c

SHA512
fc2ee24691737c66348b6889f161990afbbea5f15911fdb738195bbbe1d3f591aacb4218808ac8802ba3c01efedf97597b5660ee169500ae0740498da11e59c2

Download Submit
memory/2472-42-0x00007FF909AE0000-0x00007FF909AF7000-memory.dmp

Filesize
92KB

Download
memory/2472-55-0x00007FF8F8A30000-0x00007FF8F8A41000-memory.dmp

Filesize
68KB

Download
memory/2472-47-0x00007FF8FAA60000-0x00007FF8FAA71000-memory.dmp

Filesize
68KB

Download
memory/2472-46-0x00007FF8FB570000-0x00007FF8FB58D000-memory.dmp

Filesize
116KB

Download
memory/2472-40-0x00007FF8FA340000-0x00007FF8FA5F6000-memory.dmp

Filesize
2.7MB

Download
memory/2472-45-0x00007FF8FB590000-0x00007FF8FB5A1000-memory.dmp

Filesize
68KB

Download
memory/2472-48-0x00007FF8F9F40000-0x00007FF8FA14B000-memory.dmp

Filesize
2.0MB

Download
memory/2472-44-0x00007FF901080000-0x00007FF901097000-memory.dmp

Filesize
92KB

Download
memory/2472-43-0x00007FF909460000-0x00007FF909471000-memory.dmp

Filesize
68KB

Download
memory/2472-39-0x00007FF900A00000-0x00007FF900A34000-memory.dmp

Filesize
208KB

Download
memory/2472-41-0x00007FF90EA40000-0x00007FF90EA58000-memory.dmp

Filesize
96KB

Download
memory/2472-38-0x00007FF76BB40000-0x00007FF76BC38000-memory.dmp

Filesize
992KB

Download
memory/2472-54-0x00007FF8F8A50000-0x00007FF8F8A61000-memory.dmp

Filesize
68KB

Download
memory/2472-56-0x000001F747C20000-0x000001F747D9A000-memory.dmp

Filesize
1.5MB

Download
memory/2472-53-0x00007FF8F9EA0000-0x00007FF8F9EB1000-memory.dmp

Filesize
68KB

Download
memory/2472-52-0x00007FF8FAA40000-0x00007FF8FAA58000-memory.dmp

Filesize
96KB

Download
memory/2472-51-0x00007FF8F9EC0000-0x00007FF8F9EE1000-memory.dmp

Filesize
132KB

Download
memory/2472-50-0x00007FF8F9EF0000-0x00007FF8F9F31000-memory.dmp

Filesize
260KB

Download
memory/2472-49-0x00007FF8F8A70000-0x00007FF8F9B20000-memory.dmp

Filesize
16.7MB

Download
memory/2472-64-0x00007FF76BB40000-0x00007FF76BC38000-memory.dmp

Filesize
992KB

Download
memory/2472-65-0x00007FF900A00000-0x00007FF900A34000-memory.dmp

Filesize
208KB

Download
memory/2472-66-0x00007FF8FA340000-0x00007FF8FA5F6000-memory.dmp

Filesize
2.7MB

Download
memory/2472-67-0x00007FF8F8A70000-0x00007FF8F9B20000-memory.dmp

Filesize
16.7MB

Download

Resubmissions

Analysis

Sharing