Analysis
-
max time kernel
262s -
max time network
264s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05/07/2024, 13:47
Errors
General
-
Target
lv_7382479526946671888_20240703122622.mp4
-
Size
1.6MB
-
MD5
3cf22603b103b8a578f48e29c1a39483
-
SHA1
7e464bdcb8da0b7f3d17b379356edec09cc4a593
-
SHA256
7fa597b72892b233159100f39a6562cc62eff47b46745771fc6062691ff1253f
-
SHA512
cc0d2f1bea1312b23d583134cb0a53c2161457ba9cd4a5d3c0928ce209e3b2d0178204586371935a030a3585ccec751fb7ebc21f856466e456df6dd57a4f9ba3
-
SSDEEP
24576:WDTZYiiDxG8pvayIaFEFZOYplXjseAMEs55QOONEQsZqXps+VK1J230:STZpi/pvMOYDAel5QFOyG6eJ2E
Malware Config
Signatures
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 47 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 64 IoCs
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\lv_7382479526946671888_20240703122622.mp4"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x338 0x33c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1a7d61ech1d9ch4f8fhafebh024eb07be45d1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa325e46f8,0x7ffa325e4708,0x7ffa325e47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14768041554603688495,17936374757722195671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14768041554603688495,17936374757722195671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14768041554603688495,17936374757722195671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:82⤵
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3977055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
110KB
MD5200dec43232550b364235a89b3b70020
SHA13403843b28deb2e6a01518081cb1b4677a38cc63
SHA256dec3787e16c58e79028ea8469e27ac8b11bc54b094fa17d59cc83a538c215651
SHA512a5fa79ff94dd9bef5125ca365310f27d865beb9d73351aeac6d63b1dcad5c582c96375817186c063866c1b0c606df65317c6df707b2cd72c3199d93a9501d4af
-
Filesize
749B
MD554c9d4d541d88f72a538fb0edf0d3caa
SHA162c8a0b0a494e3cffac5dc4ec25203b0db899a9b
SHA256070188e10970a3688eaa1066a08a0d6595b8cdea8d6a0742618e4d6abc527791
SHA51216a562111668a349439b5fea0bd08fdb38809c5e5ef45ef73245515f3466f95fa1231b9d73330553d541c8043ac614b9dc46519feda089dd89cdb7224fe23838
-
Filesize
152B
MD506b496d28461d5c01fc81bc2be6a9978
SHA136e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa
SHA256e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507
SHA5126488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91
-
Filesize
5KB
MD5943f777d38507ef3a3da7e99517b950b
SHA1490b2d828bcc506b3695edc60fd54f129b917301
SHA256017e94eae84f2be40c7042f38797558380d9ad9d5fd85b2e2eb4bcd7d059e0ba
SHA512a1c6f2cabff93ed5133251dcce41f70dafdd6a6a1608cc4c23955d0e1f03c502b3f496e37e529480000c27d3246e1b687f69e3c5284709bb4b9f99abbfd866c4
-
Filesize
8KB
MD59faa045d6ad296560744a8dcc4bc07d5
SHA1ec3290a84a9bb1d12215f68addf824ef50a4a4ba
SHA256049823764f92395ae444769a1198641489745486b9fb487ca3f46dde24f8a5d9
SHA512bf7ec54638bc4fdd8bb865da7e5f7f5f8588ed61e7c566d442161205d276d903412da500a962ffc6dbbca4a505becb8b85f9d2399d3386de7721892effe74599
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
1024KB
MD5eab4298847977db0856574f4ddbcfa9d
SHA13e7ffbdd822def0dd32773f5876a07fcfe7fd797
SHA25630c8ffe958b3dc282f79774f90d3b0db8fbe0878bf68c3d736398702feedadab
SHA5122f345282fbc2a13644b6e472ad54c3bc84d33ccce2127dc2ce2ae3053c7f8145924d919bbf5f8103f856400a42903d4b80f13743a562a2ad6e11caffa65fc6eb
-
Filesize
68KB
MD568842b02e6a35ad9b6976f7d99523722
SHA1c59f930e267a10c491b55c568b0569c65b92ca75
SHA25603b28cc8210708d0a5b0a8142472a9121223ecfda6b5105036fea4db3d08f472
SHA5123234e079748085eb86643170011ba27f6ceb5f051adc8ac9a26cd47354f97c0e5c6ade47e63d6d4c56678744e0fd7c6984281973c3904709dac43d2df4e2b073
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD55433eab10c6b5c6d55b7cbd302426a39
SHA1c5b1604b3350dab290d081eecd5389a895c58de5
SHA25623dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34
-
Filesize
1KB
MD562a1fbc92a59665ed9cdbe58fa161da0
SHA18bd1b87b8d63ed8ef3aec0f90e0b5044ea3f62bf
SHA25635cc26965bbea7371cff579959373a60430c73aea1f8da6fcabf62e189a58629
SHA5128844bd8e6673532ca486a60ed3130093b28fe8389d6f1de3378450af1c26c24e8c97f4936e9720f3778a4eeb2ff620e3e085bdf1545ee190e0ca056b71471095
-
Filesize
7KB
MD592e8ed25e67f7fe398da1990fa5ef391
SHA17fb8d574d09d86d58e427246173f740c90ee3307
SHA2567c2f424368d31c72d5deb0478f9bd543343e20d884f588fa13a9aab80f119851
SHA512061d87e9162878f71efb147e0cc9ee29d189f56a2820921fe7729f8d18951c1320d3313eb42e8187aa2f5cfcce9a7424dd47c0ba6cb94fba7d0fd357a1c6d89b
-
Filesize
106B
MD50c60bf1dddedd51f4fa4a6df779bf8e2
SHA1dd8f63efdc862eda22d338d0a175f7bc4bc6a185
SHA2566930db6f93e4bf74d816fbb54994a9b3564f48acec1af77da545b037f844c130
SHA512ba3c166bcc25a2a7274eeefc366d7f9b77441a556c68110d23caf60352b6b8062c9983b48f1be4d54fe3920b0839b5b0b3deb0cb716637d35e561618e51e0518
-
Filesize
42B
MD51e7e3b5ad92e8521d011fe413d15ebd8
SHA197d220e1d32a59e4391434496dc0b527999f3040
SHA256185ddf8f725a92e6214e8fe23becc93e629e5b0a308ea3ce14e03ad1d84afbab
SHA512879ed7928310f31d22d6b8706ad169dfca2657ce57d729500012bcc2f1099699e7f7ad08b0290e9cf27667339e504c1eed9bbe0ad8cf30c064d191970ad6a084
-
Filesize
66KB
MD53c08dea20e350ea34f7309e856576428
SHA1d7a048ccc07b4d16afc4d778d5601a067fb151b9
SHA256b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82
SHA5121c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d
-
Filesize
9KB
MD54a9e0d390dc75688e3dbe1d8b5af9efd
SHA1d3f44e6fd90b56c1ea34d295bda84aceb72b7836
SHA2569d1ab11399fef4645a2cbc52a4506ca06224942381c14288e3cd27ca868e9b12
SHA51255d6d1808dc93f0a8dc0571e098bbc2eab0d5389aa2d371c9feee6be13c06832dde6bf390ad76bbaab05a56475eff78d3461236a97f07d07df6b1f15f711b69b
-
Filesize
13KB
MD50c4f33501a7b1dd7d462d1594daac0c7
SHA13f282e161a778c680aeb67880bd4e5d26612c0d6
SHA256a08bf5f6b0a622db57d2cf751627a21491794d8d0513161dd4a999289fca25b5
SHA512298ff08e5f8af5694f2f8c19b27220bd70db336f0949cc382c617a19cc931ae6b678be7e1fc3b9fd798b0af8601794c3406cdd53cdc14ba5349cc095bd93e3c1
-
Filesize
1KB
MD5cd108b4015250d1401e2aa466f08dd39
SHA1c29678e8f3d4236a06bb474b4896829e388397b7
SHA2563597ce72a5a2915829c4b1a4f8d0ffb49e1f5982c67043b60c6c6f6045cadd14
SHA5122cb784ca4769a96461254278ac26d25f11dfcb8052b0a850ab205bdcd44a56f58f3bee4a0edf66b27916b80a7375fee39b1031b4d4837c45d46db94e48845b61
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB