Overview
- 9375a86ba8682fe.mp3 on windows10-1703-x64
- 9375a86ba8682fe.mp3 on windows7-x64
- 9375a86ba8682fe.mp3 on android-9-x86
- 9375a86ba8682fe.mp3 on macos-10.15-amd64
- 9375a86ba8682fe.mp3 on ubuntu-18.04-amd64
- 9375a86ba8682fe.mp3 on debian-9-armhf
- 9375a86ba8682fe.mp3 on debian-9-mips
- 9375a86ba8682fe.mp3 on debian-9-mipsel
Analysis
- max time kernel: 129s
- max time network: 137s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19-06-2024 08:54
- Static task static1
- Behavioral task behavioral1: sample 9375a86ba8682fe.mp3, resource win10-20240611-en
- Behavioral task behavioral2: sample 9375a86ba8682fe.mp3, resource win7-20240221-en
- Behavioral task behavioral3: sample 9375a86ba8682fe.mp3, resource android-x86-arm-20240611.1-en
- Behavioral task behavioral4: sample 9375a86ba8682fe.mp3, resource macos-20240611-en
- Behavioral task behavioral5: sample 9375a86ba8682fe.mp3, resource ubuntu1804-amd64-20240611-en
- Behavioral task behavioral6: sample 9375a86ba8682fe.mp3, resource debian9-armhf-20240611-en
- Behavioral task behavioral7: sample 9375a86ba8682fe.mp3, resource debian9-mipsbe-20240611-en
- Behavioral task behavioral8: sample 9375a86ba8682fe.mp3, resource debian9-mipsel-20240418-en
General
- Target: 9375a86ba8682fe.mp3
- Size: 500KB
- MD5: d5aa6db98c337e30c4c56ff3154d504d
- SHA1: eb8195a092370e5010a4e1703b0ba142c1e4d16c
- SHA256: a97b00ee3561353942fab71041e7e48d8b4da2a3ee51523d011541b6c8f45159
- SHA512: 4a9c47214c1f74c7137f206c646f435228fc0480ec2aa687f9c9e17898f1ae0c834190a28d5f2e90c742b1d39d109275b25ae6e51c62414aef7d354123fad04c
- SSDEEP: 12288:i8IRLEXuGx5k9ZwtCbobJVzpvy3JcpCMxjgUs1X6p2puGJ+:dIhyuctYoNVNv5CCnyqpAJ+
Malware Config
Signatures
- Drops desktop.ini file(s) (7 IoCs)
  Processes: wmplayer.exe
  description | ioc | process
  File opened for modification | C:\Users\Public\Music\desktop.ini | wmplayer.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | wmplayer.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | wmplayer.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | wmplayer.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini | wmplayer.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | wmplayer.exe
  File opened for modification | C:\Users\Public\desktop.ini | wmplayer.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: unregmp2.exe, wmplayer.exe
  description | ioc | process
  File opened (read-only) | \??\A: | unregmp2.exe
  File opened (read-only) | \??\J: | unregmp2.exe
  File opened (read-only) | \??\L: | unregmp2.exe
  File opened (read-only) | \??\U: | unregmp2.exe
  File opened (read-only) | \??\W: | unregmp2.exe
  File opened (read-only) | \??\H: | wmplayer.exe
  File opened (read-only) | \??\R: | wmplayer.exe
  File opened (read-only) | \??\S: | wmplayer.exe
  File opened (read-only) | \??\G: | unregmp2.exe
  File opened (read-only) | \??\Y: | unregmp2.exe
  File opened (read-only) | \??\O: | wmplayer.exe
  File opened (read-only) | \??\Q: | wmplayer.exe
  File opened (read-only) | \??\T: | wmplayer.exe
  File opened (read-only) | \??\H: | unregmp2.exe
  File opened (read-only) | \??\S: | unregmp2.exe
  File opened (read-only) | \??\V: | unregmp2.exe
  File opened (read-only) | \??\G: | wmplayer.exe
  File opened (read-only) | \??\J: | wmplayer.exe
  File opened (read-only) | \??\M: | unregmp2.exe
  File opened (read-only) | \??\P: | unregmp2.exe
  File opened (read-only) | \??\Q: | unregmp2.exe
  File opened (read-only) | \??\R: | unregmp2.exe
  File opened (read-only) | \??\Z: | unregmp2.exe
  File opened (read-only) | \??\A: | wmplayer.exe
  File opened (read-only) | \??\K: | wmplayer.exe
  File opened (read-only) | \??\P: | wmplayer.exe
  File opened (read-only) | \??\Y: | wmplayer.exe
  File opened (read-only) | \??\O: | unregmp2.exe
  File opened (read-only) | \??\T: | unregmp2.exe
  File opened (read-only) | \??\N: | wmplayer.exe
  File opened (read-only) | \??\W: | wmplayer.exe
  File opened (read-only) | \??\B: | unregmp2.exe
  File opened (read-only) | \??\E: | unregmp2.exe
  File opened (read-only) | \??\I: | unregmp2.exe
  File opened (read-only) | \??\K: | unregmp2.exe
  File opened (read-only) | \??\M: | wmplayer.exe
  File opened (read-only) | \??\U: | wmplayer.exe
  File opened (read-only) | \??\N: | unregmp2.exe
  File opened (read-only) | \??\X: | unregmp2.exe
  File opened (read-only) | \??\B: | wmplayer.exe
  File opened (read-only) | \??\E: | wmplayer.exe
  File opened (read-only) | \??\I: | wmplayer.exe
  File opened (read-only) | \??\L: | wmplayer.exe
  File opened (read-only) | \??\V: | wmplayer.exe
  File opened (read-only) | \??\X: | wmplayer.exe
  File opened (read-only) | \??\Z: | wmplayer.exe
- Drops file in Windows directory (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: wmplayer.exe, unregmp2.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 2980 | wmplayer.exe
  Token: SeCreatePagefilePrivilege | 2980 | wmplayer.exe
  Token: SeShutdownPrivilege | 4332 | unregmp2.exe
  Token: SeCreatePagefilePrivilege | 4332 | unregmp2.exe
  Token: 33 | 3556 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3556 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 2980 | wmplayer.exe
  Token: SeCreatePagefilePrivilege | 2980 | wmplayer.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: wmplayer.exe
  pid | process
  2980 | wmplayer.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: wmplayer.exe, unregmp2.exe
  description | pid | process | target process
  PID 2980 wrote to memory of 3708 | 2980 | wmplayer.exe | unregmp2.exe
  PID 2980 wrote to memory of 3708 | 2980 | wmplayer.exe | unregmp2.exe
  PID 2980 wrote to memory of 3708 | 2980 | wmplayer.exe | unregmp2.exe
  PID 3708 wrote to memory of 4332 | 3708 | unregmp2.exe | unregmp2.exe
  PID 3708 wrote to memory of 4332 | 3708 | unregmp2.exe | unregmp2.exe
Processes
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 2980)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\9375a86ba8682fe.mp3"
  Signatures: Drops desktop.ini file(s); Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\unregmp2.exe (PID 3708)
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\unregmp2.exe (PID 4332)
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
- \??\c:\windows\system32\svchost.exe (PID 1568)
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
  Signatures: Drops file in Windows directory
- C:\Windows\system32\AUDIODG.EXE (PID 3556)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3d4
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 98df921f667bf303621c789390ed9f2e
  SHA1: d9c82e51534cf1c2eb5a255286de6a09ca364d1a
  SHA256: 8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3
  SHA512: 58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796
- Filesize: 1024KB
  MD5: c5d9f411dacbaebef9cede46eb33f42d
  SHA1: 871909956a1dde981958ea88813abc333cd2877b
  SHA256: b41ae524a0abba72ff43c36f33d7a80cea06d9dfefe88d9ddec85bd875c01a6d
  SHA512: 80cbfcf61adc8be359c0ff162d7cb71902d527f268213cd84c33896bd7aa5db8458e5f1464b545a71d0be9dcd5493e1e2d86dc7366d71f8ea134dc8b097e51a2
- Filesize: 68KB
  MD5: 6b4cdbd9d2a70feada4390d1cad4cb3f
  SHA1: 431defcfb4211237a9a4e7258f70ae13fe839086
  SHA256: f7f9f828968dc5cb2a40ecf66855ab80e6c22a387332856152122eb41abe31db
  SHA512: 3674f90ad1ecfb9706ef218e43864ab5f6859be3ad36ddcd34b3f7dc0d607a52d949975b60a8ed856decf7bba4642641fdeef192ef9fdc6477aa8a683e8424ce
- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- Filesize: 1KB
  MD5: 7b3f2fea9a840d62c1bd18215a841a16
  SHA1: 7398ba3f8bdc5bac04b4e9cee6db4e920ff65c91
  SHA256: 0df83587cbc16cf9dd5fdd7e5a073dd7d214fdf6e29084130984959ccfb00d40
  SHA512: 3aabe3e031b6ff54fb29f49a2c2f5a64e3276f8bf66ad9a7658bf42be03fb0cb597012bb4d0564ab0893cc5441680de4ad6150a61f3689643d8813565fc84ac4