Analysis Overview
SHA256
39f13b867408e02352716b6f29226c54588d7585b0d641ee2aa377d4d9f4dc77
Threat Level: Shows suspicious behavior
The file video_2024-06-06_21-58-03.avi was found to be: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 19:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 19:35
Reported
2024-06-15 19:38
Platform
win7-20240611-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\video_2024-06-06_21-58-03.avi"
Network
Files
memory/2240-6-0x000007FEF8270000-0x000007FEF82A4000-memory.dmp
memory/2240-5-0x000000013F6A0000-0x000000013F798000-memory.dmp
memory/2240-8-0x000007FEFBDE0000-0x000007FEFBDF8000-memory.dmp
memory/2240-11-0x000007FEF8070000-0x000007FEF8087000-memory.dmp
memory/2240-10-0x000007FEF8090000-0x000007FEF80A1000-memory.dmp
memory/2240-9-0x000007FEFBA00000-0x000007FEFBA17000-memory.dmp
memory/2240-13-0x000007FEF73D0000-0x000007FEF73ED000-memory.dmp
memory/2240-12-0x000007FEF7850000-0x000007FEF7861000-memory.dmp
memory/2240-7-0x000007FEF6750000-0x000007FEF6A06000-memory.dmp
memory/2240-15-0x000007FEF73B0000-0x000007FEF73C1000-memory.dmp
memory/2240-14-0x000007FEF6540000-0x000007FEF674B000-memory.dmp
memory/2240-16-0x000007FEF7360000-0x000007FEF73A1000-memory.dmp
memory/2240-17-0x000007FEF6E60000-0x000007FEF6E81000-memory.dmp
memory/2240-18-0x000007FEF6E40000-0x000007FEF6E58000-memory.dmp
memory/2240-19-0x000007FEF6E20000-0x000007FEF6E31000-memory.dmp
memory/2240-20-0x000007FEF6E00000-0x000007FEF6E11000-memory.dmp
memory/2240-21-0x000007FEF6DE0000-0x000007FEF6DF1000-memory.dmp
memory/2240-22-0x000007FEF6DC0000-0x000007FEF6DDB000-memory.dmp
memory/2240-23-0x000007FEF6DA0000-0x000007FEF6DB1000-memory.dmp
memory/2240-24-0x000007FEF6D80000-0x000007FEF6D98000-memory.dmp
memory/2240-25-0x000007FEF6510000-0x000007FEF6540000-memory.dmp
memory/2240-28-0x000007FEF5370000-0x000007FEF53EC000-memory.dmp
memory/2240-27-0x000007FEF53F0000-0x000007FEF5457000-memory.dmp
memory/2240-29-0x000007FEF5350000-0x000007FEF5361000-memory.dmp
memory/2240-30-0x000007FEF52F0000-0x000007FEF5347000-memory.dmp
memory/2240-32-0x000007FEF5140000-0x000007FEF52C0000-memory.dmp
memory/2240-33-0x000007FEF5120000-0x000007FEF5137000-memory.dmp
memory/2240-31-0x000007FEF52C0000-0x000007FEF52E8000-memory.dmp
memory/2240-26-0x000007FEF5460000-0x000007FEF6510000-memory.dmp
memory/2240-55-0x000007FEF5460000-0x000007FEF6510000-memory.dmp
memory/2240-70-0x000000013F6A0000-0x000000013F798000-memory.dmp
memory/2240-71-0x000007FEF8270000-0x000007FEF82A4000-memory.dmp
memory/2240-72-0x000007FEF6750000-0x000007FEF6A06000-memory.dmp
memory/2240-73-0x000007FEF5460000-0x000007FEF6510000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 19:35
Reported
2024-06-15 19:38
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:8 /Open "C:\Users\Admin\AppData\Local\Temp\video_2024-06-06_21-58-03.avi"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:8 /Open "C:\Users\Admin\AppData\Local\Temp\video_2024-06-06_21-58-03.avi"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| Hash | Value |
|---|---|
| MD5 | 9029ed2c4977c11bbfff0f2b20e3ad38 |
| SHA1 | 7d39afcc289c82b83c69bda5f423da3685039d98 |
| SHA256 | b8fadafe9037390bc2750918c3bdd1c9ecfc4252f0b99d203a56207d7387b69f |
| SHA512 | 38d02df9b12f605dd552b18cca3eb04cd17c69eca7aac0181285bdb2155b76d5975769c4c79cc23ff3be05ef3eb0ec2de719647fa0e9d2c8cd1315f9ebb6e269 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| Hash | Value |
|---|---|
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| Hash | Value |
|---|---|
| MD5 | 563088ad0f20fabf9dd62c6ba8ae1636 |
| SHA1 | f9cd2fd153afa1a12ff990cf27c32b8c9c44e878 |
| SHA256 | eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184 |
| SHA512 | 8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092 |