4e13b48c5b7a1fcc4c995af1022723fd6e0cf2935f69c234f261e76230955d6c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sATURN(1).mp4
Size

40KB
MD5

491a38f1876a08496b3fb8992684fb97
SHA1

557a44b3116903ca11fa19837c1474a4ea11c230
SHA256

4e13b48c5b7a1fcc4c995af1022723fd6e0cf2935f69c234f261e76230955d6c
SHA512

6d72d380e0afb598fa97214efc833f4c9e94becc154c16e51b923b75cc1e7c2c936b53a04af9c10f7686dea5652f8577b2f72ac502006a56942d6143fc49416d
SSDEEP

768:8XITqAuBxBqwR5Gn7nDSrZuCTh15VkNC6CawKR:8XIeAuHBqwR4n7ncQC1/VkEawQ

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-587429654-1855694383-2268796072-1000\{7F869259-5EF5-4440-B95A-F53F3F7121A8}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4600	unregmp2.exe
Token: SeCreatePagefilePrivilege	4600	unregmp2.exe
Token: SeShutdownPrivilege	1672	wmplayer.exe
Token: SeCreatePagefilePrivilege	1672	wmplayer.exe
Token: SeShutdownPrivilege	1672	wmplayer.exe
Token: SeCreatePagefilePrivilege	1672	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1672	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3760	1672	wmplayer.exe	83
PID 1672 wrote to memory of 3760	1672	wmplayer.exe	83
PID 1672 wrote to memory of 3760	1672	wmplayer.exe	83
PID 3760 wrote to memory of 4600	3760	unregmp2.exe	84
PID 3760 wrote to memory of 4600	3760	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\sATURN(1).mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
063793e4ba784832026ec8bc3528f7f1

SHA1
687d03823d7ab8954826f753a645426cff3c5db4

SHA256
cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd

SHA512
225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
841fb8675a516f6a73f830f9c9194488

SHA1
e173324842cddb4be56aa793684ffe4a233b2f38

SHA256
f60efe5ca0dd9bb015254e87080dc82d2a7d62d7173446a7f251a95a1866c958

SHA512
929a4d370e75b22ac2d86f43d868807dbd96ba9c4f61df5cdc9cfc33f8c2e3b1ff47abe9c54abeb41aed31ee16f6a91f3e1090dbaa2901019f29e00c6386f295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
81ba99a9a82e6ae3ea2d8efd973be1c6

SHA1
9cbdac6a330d6e2473b66959da33a06dd78a6bf2

SHA256
515800de061b4ac7e6b08ab6e245e7de0360ee55a344cff0a5792f78b568fbe4

SHA512
321c06a360f864bf7803000a335ec793e8b930969f8063add18a61a5604bfb9014e360726f495ddaa0273923eb19f0e350e81ade1995fa75963d9deb5b1f0943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
72bc208ab192f5d66a93d96fc2693039

SHA1
b4286b6d23e5acd0a555948d08aae81346f4753b

SHA256
369bf010e329470415088c6c54631adb01b6d2eace3d0220a70f8fa405a10917

SHA512
a34fa9c72bb3839ca70c1d22cecb572e8ddfd202a6d03112520cb2f8fcc8021a99995857754e6402e0dbb82a9d4db514cb2fbb604884a33036b44b31857d13b1

Download Submit
memory/1672-27-0x00000000069D0000-0x00000000069E0000-memory.dmp

Filesize
64KB

Download
memory/1672-30-0x00000000069D0000-0x00000000069E0000-memory.dmp

Filesize
64KB

Download
memory/1672-29-0x00000000069D0000-0x00000000069E0000-memory.dmp

Filesize
64KB

Download
memory/1672-28-0x00000000069D0000-0x00000000069E0000-memory.dmp

Filesize
64KB

Download
memory/1672-34-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-37-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-36-0x00000000069D0000-0x00000000069E0000-memory.dmp

Filesize
64KB

Download
memory/1672-35-0x00000000069D0000-0x00000000069E0000-memory.dmp

Filesize
64KB

Download
memory/1672-33-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-52-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1672-53-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-54-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-55-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-56-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-57-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-58-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-60-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-59-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-63-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-62-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-61-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-64-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-65-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-66-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-68-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-69-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-67-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-70-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-71-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-72-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-73-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-76-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-75-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-74-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-77-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1672-78-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-79-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-80-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-81-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-83-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-82-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-85-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-88-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-87-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-86-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-84-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-89-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-91-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-94-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-93-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-92-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-90-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-95-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-96-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-97-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-98-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-99-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-100-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-101-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-102-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1672-103-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-105-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download
memory/1672-104-0x0000000009130000-0x0000000009140000-memory.dmp

Filesize
64KB

Download
memory/1672-106-0x0000000008F00000-0x0000000008F10000-memory.dmp

Filesize
64KB

Download