Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/07/2024, 21:06

General

  • Target

    robloxapp-20240613-0023411.mp4

  • Size

    3.1MB

  • MD5

    fb4c6c7337a7442d3bdaf360180d29a0

  • SHA1

    3d5985640a5f69a15ac63863a6f632aeadafe3b1

  • SHA256

    43e3c32bd62bd9eb8796d8ccabcd8e5ecc352b9a7114835c0e45c8631ea85925

  • SHA512

    ae7a777e026d1ab6f74ed110be65d3bc6fa01f5e45c236092cd5aa2a15303f0128a83861786476877ec134d8abf62767a871b455ddbc1201d7af5ef747172014

  • SSDEEP

    49152:h0nBDt8on9j0lQcFybL5tOj8ZyAueN+SLafSU6Z8VrMoKWOwT+gZXU0n:h0BDtD9mQAyHO5AUSLeSeVVT7JLn

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20240613-0023411.mp4"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20240613-0023411.mp4"
      2⤵
        PID:452
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:2004

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

      Filesize

      512KB

      MD5

      6d37c77b1258c734cee5222fe9f54588

      SHA1

      1787bf68ba30bff360f599648e3fa703b05ab9cf

      SHA256

      0bff85979e3b8299ee9f3f89d964e5b16d7c0ab3945ba6396b07295a33cc026d

      SHA512

      04c5338a8f686aee2d43557258dccab9b57e0086c0ff834e8ba693b81b6058467e6c35206000de6ed847fc51fd2e3a2ddbc1b52586f006d0eb429fed097006fd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

      Filesize

      1KB

      MD5

      cce3721cb39a16c5c0cbc147931df600

      SHA1

      2a3c6459bc4f380afc4b19bc88fe13e94fe90367

      SHA256

      2dbad0e4430ec1fa1d10dd025ed3745bdfe4a55e551df12149071d696719d2d1

      SHA512

      f1950092b5aeac57492e5061f1ca05758a140d317271fd1a156e55383ab12a94483f03fd34a0229441782b4a91e20fc863a3feefa3822f748e4692fe8f5ba4c1