Overview

overview

8

Static

static

1

oh.mp4

windows10-2004-x64

8

Analysis

  • max time kernel
    69s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oh.mp4

  • Size

    3.6MB

  • MD5

    698ddcaec1edcf1245807627884edf9c

  • SHA1

    c7fcbeaa2aadffaf807c096c51fb14c47003ac20

  • SHA256

    cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

  • SHA512

    a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

  • SSDEEP

    98304:nJVnjOobt/JN1LA5elHc+S4fRp5UvluKY:jbbxn+IHcBEV/F

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops desktop.ini file(s) 8 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\oh.mp4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\oh.mp4"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:1124
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\oh.mp4"
        3⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1204
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:612
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:5064
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4e4 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    64KB

    MD5

    c374c25875887db7d072033f817b6ce1

    SHA1

    3a6d10268f30e42f973dadf044dba7497e05cdaf

    SHA256

    05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

    SHA512

    6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    be8e37aa86a4c5d12ef68887d37f6b77

    SHA1

    d5e279f0ce7188c527af1a46bc92ad19a75f505b

    SHA256

    3351784002975954d2f90d4a5d3f9c2a943053eb94690263d4cb624ebdacd72e

    SHA512

    ff1a6c7b089bdd6c28d585e437a8c14a35e818524ca03800ef84ba71d0510ebfc7be8e3ed4f966239bcdc732f66a841703d5eb798f9bc88f55ca2621e9ae1798

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    7ddd2687c2767fa9d428a2bc9d661114

    SHA1

    09e06415a88b16c661c8ee1ec49bc8ed609f0f84

    SHA256

    cb2cb1b0bb23bb84607ad557823991cf73e38a36a609a29fb46edc11ffac7ad2

    SHA512

    d39ed86417308e568be166373c7169cf51989a24556d559d5a641006b479697c358339bc914fcce69ea35d2e4e8bae31ccda1ad25a535400af055662d7e89f38

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    ae59afd5fff744630c1f8d5af60cff89

    SHA1

    bfa4d85c7f3d4d5d4e59c8460ad8c04c65efee0f

    SHA256

    6b97c6290cfbf505697ffb0095ba50a925801cd1780590d831eaae67cac6da4a

    SHA512

    16d9e4ced97181c83d198e60cb67104ca08d719aa29d59ab7f873752adf2fd9e7ec8034b40a464cc2c8c497e725a15eb5690f15e7ed6f90aac5b0c223ecc6d96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    95b49317d4c6139b51260fefad853c79

    SHA1

    b69ba89bd3acc81bd3f7501717e085a70d68a33b

    SHA256

    b6b5494201eaffdb2cdfc2bd951ac4f6fc1da62b8c5866c45b6b41392e752041

    SHA512

    04001df7b324f5a1808c77f28bc26c8e44dc6d299642279039e77a20e0cb7a60c6237f3da0dc964f04176401821814479cc0109f87521cc1f1e68803fd28725a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    2KB

    MD5

    6b66c0f10a23c913b6a9d7185eefac90

    SHA1

    404d08a7eea98c8b9116f7b0a9b45b9de04ee3ec

    SHA256

    f8e683a8690d6e1849d73501fc367eea1da55df4721cccfb48acc9996a349510

    SHA512

    5c546c35374d74d18082b69cf5901459e3e1b141709253c516f82b8f56473672b7262b612a371d33df1fb3e3e03f7027bf80e1cd13e38c7481e68b3a33372ffc

    Download Submit

  • memory/1204-48-0x0000000004080000-0x0000000004090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-47-0x0000000004080000-0x0000000004090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-50-0x0000000004080000-0x0000000004090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-49-0x0000000004080000-0x0000000004090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-51-0x00000000060C0000-0x00000000060D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-52-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-53-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-55-0x0000000004080000-0x0000000004090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-54-0x0000000004080000-0x0000000004090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-56-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-71-0x0000000004060000-0x0000000004070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-72-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-73-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-74-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-75-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-76-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-77-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-79-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-78-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-82-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-81-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-80-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-83-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-85-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-86-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-87-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-88-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-84-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-89-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-90-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-91-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-92-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-94-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-93-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-95-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-96-0x0000000004060000-0x0000000004070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-97-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-99-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-98-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-100-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-101-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-102-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-104-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-107-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-106-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-105-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-103-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-108-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-110-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-109-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-111-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-113-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-112-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-115-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-116-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-114-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-117-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-119-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-120-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-118-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-121-0x0000000004060000-0x0000000004070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-122-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-123-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-124-0x00000000060E0000-0x00000000060F0000-memory.dmp

    Filesize

    64KB

    Download