Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

mas.mp4

windows11-21h2-x64

8

Resubmissions

25/06/2024, 08:07

240625-jz19qs1enl 1

25/06/2024, 08:05

240625-jy1a2sxhle 8

Analysis

  • max time kernel
    41s
  • max time network
    33s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/06/2024, 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mas.mp4

  • Size

    865KB

  • MD5

    eaccf7b56b33bbc93848c9766bc82bc7

  • SHA1

    17cc4e2b512cfa7ff0d7a7b1c0a62d6cde829bc7

  • SHA256

    353cc078aef30e067439ac166d47612ee05065731f13ab1397b5222a8072b58d

  • SHA512

    c193196a3bf189a9857bf46ba9b48460a57a82ba19f9d3aa431d0f13d74cab88729e12f1f6089c25534c91a6f6eb7096ffb5d36e257b9109345f506542a4bdd3

  • SSDEEP

    24576:Xd09m7KxWoUuHCc9O+VAimAfZzfT1QKFhs3KNFVxGxXYDeRX:N0uKxLUuic9bVAimA5fh3dNbgxID4

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops desktop.ini file(s) 8 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\mas.mp4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\mas.mp4"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4456
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:4256
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\mas.mp4"
        3⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1436
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:2412
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004B4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4752
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      64KB

      MD5

      066f6e5acfff197d12b550ef7d452d41

      SHA1

      aaa8cfa5a56519594490d069f31a42a15ca515a2

      SHA256

      cac3a8354c7766b4ce0900bf4d8097bf372ec405a6af4bba63a6d92132932a30

      SHA512

      21c3985bdc883b7c0fcdfb660a577eb03870943d9e812a24726158b6c06cc36b00425fdeafddcb099fddd1488173280563f7241c9589e69d04d1eb1b5daa786b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      1024KB

      MD5

      b54a0c0dbc840838347f00027a86a223

      SHA1

      2ad942c111bc3224606607a1cc0686a0fdad29c9

      SHA256

      1b93292193a91c28fcbc51682a4f31b9ecd31b96056225d608cc861288e6498b

      SHA512

      b4243bb5a0ff3914314c73c24c78330e04a85a84882894b936d945fd23e7f236bdd319adb01663f5c72f863a1127ee5d31afa5b6538207773cf42799f311cc2e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
      Filesize

      68KB

      MD5

      c613d25686c9b7ca4ef5bb1feb2570dc

      SHA1

      122cd867df159fd97dc25d45f166ec37105c6033

      SHA256

      448f7132921ec7a46e944425bb3ef97c1fe2dd20f96b00ec725074e6606bfe3d

      SHA512

      d7be9bf9ceca0cf5ab2f3c1d087bd79c1b52f3c323756421c9e7caad8f7a072b0a575d498e9c1fcbcc2edc7397314d5e19f83220a812d69891a9032a69096d5e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
      Filesize

      1KB

      MD5

      2a56aae77749cdb69ab7cfe34bd2cf12

      SHA1

      0c9aa944936873870e96aed282af6f6ecd7afc13

      SHA256

      1439be4496e63ada5bf2985587c123fbe67fc0db7218cad1660ea46a85980907

      SHA512

      be6b1e18b72dfd0dfbe8b01436b79d53338d370c69a4858c848f1baa21003dc3db6c939e42088488d3bc1a243f62185301f36932c871f53e128c5f79216aed7c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
      Filesize

      1KB

      MD5

      fdd720b1065049bdc79eca7ee7926d2b

      SHA1

      ee31e12276aabb2992c63b947533cbaec230c7c6

      SHA256

      27f5d54008269fcf97def8b2ed41db408039d32c906873465064e5960bfb0431

      SHA512

      335c6d0c0e361a0445044867bf47b74ec8f8e32868d22d14ff47f2bb790cca80cd44ab9ab19f6f329df495c78ce6f3f27342de88a18e67405078eeb33a76e380

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
      Filesize

      3KB

      MD5

      99226fb61e17ba766ee4d61cb6d4bcfa

      SHA1

      04e2e06c261d80ce0b44507ecd80385d40072b53

      SHA256

      5630ca73e1a12a77cc6447df2bb084323d89fe0247f317a9c3b7bd719890ee79

      SHA512

      8f902d37a8b667f35698f9fa4655444848555e990b6ab111f4032b28ec5126bc184713c9b9254032d1b0b2daa9e893d0c16d527d56dec1a827d0cd37c2ac114d

      Download Submit

    • memory/1436-78-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-83-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-43-0x0000000003450000-0x0000000003460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-47-0x00000000075C0000-0x00000000075D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-48-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-49-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-50-0x0000000003450000-0x0000000003460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-51-0x0000000003450000-0x0000000003460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-52-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-57-0x0000000007820000-0x0000000007830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-58-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-61-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-60-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-59-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-63-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-64-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-65-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-66-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-69-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-68-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-67-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-71-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-72-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-73-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-74-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-75-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-76-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-46-0x0000000003450000-0x0000000003460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-79-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-80-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-45-0x0000000003450000-0x0000000003460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-81-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-92-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-84-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-86-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-82-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-87-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-88-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-89-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-91-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-85-0x0000000007820000-0x0000000007830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-95-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-96-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-94-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-93-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-90-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-97-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-99-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-100-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-101-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-103-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-102-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-106-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-107-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-108-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-109-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-111-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-113-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-112-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-114-0x0000000007820000-0x0000000007830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-115-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-116-0x00000000053A0000-0x00000000053B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-44-0x0000000003450000-0x0000000003460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1436-117-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

      Filesize

      64KB

      Download