37812f943447be391ea65aa4af08b9f46d86a1a6140139226726f45ce577ef91

Analysis

max time kernel
138s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MICKY_MOUSE.mov
Size

860KB
MD5

6f3b05d7af8f71184ec55fb8afdc8710
SHA1

8a4d83e9d5fcfabf98704ec61ad2fecdd6b3d252
SHA256

37812f943447be391ea65aa4af08b9f46d86a1a6140139226726f45ce577ef91
SHA512

4488d3acc03f87b91b16c231f62128e4bc9e6b34d712039c9b04b8a85d99b53a5b42cb311049f75256c9bcfb425d6cad8b67dfe70fb647be3b8c952ad0166f8e
SSDEEP

24576:LcTfEkXGgi4ZoVzKv6v2WYob0sFObp0fN0GyM:AgUBf6v2cZ8Q0GyM

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{2F94C3CC-920D-4C1E-BE75-93FF0A6DB8B4}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1892	unregmp2.exe
Token: SeCreatePagefilePrivilege	1892	unregmp2.exe
Token: SeShutdownPrivilege	3952	wmplayer.exe
Token: SeCreatePagefilePrivilege	3952	wmplayer.exe
Token: 33	364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	364	AUDIODG.EXE
Token: SeShutdownPrivilege	3952	wmplayer.exe
Token: SeCreatePagefilePrivilege	3952	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3952	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 212	3952	wmplayer.exe	85
PID 3952 wrote to memory of 212	3952	wmplayer.exe	85
PID 3952 wrote to memory of 212	3952	wmplayer.exe	85
PID 212 wrote to memory of 1892	212	unregmp2.exe	86
PID 212 wrote to memory of 1892	212	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\MICKY_MOUSE.mov"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
c8d1dbaa6803c86527fe7f27bdb2856e

SHA1
a6f11db1e32e27c7fd482433e23a48dc7a719f9d

SHA256
64c24549996df0e9339e3c6c01eaa9c7e4f8857b072baf35f415e565b38d1aa0

SHA512
7b5c4fac26fcc6902a3f0a945613b9ba9e642697719892187448439d8d2f556ce8635471e7a726527caf65e9073f520722ef0438ec0ab67a9d065c05ee551eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
42f7740199933d9e96dea38be599cb4f

SHA1
84ff671ab93b7d3ad36bc05fa17942854b1640ae

SHA256
e1e3dc241e3967b3c9c43cd7d6aa51d17a08885aaf938e1d99f38eec56e9f35c

SHA512
b9f77920bacbd1d3d5d7f1e77729b51d8a2e7b798e15b53276ae4b6895f5f6d9f9a5a8aeca09ff6ba813f985f704e4aaa4714cc8b2f7a95add48c1795aad21df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
beaacbd88297f7c6664c9a1f255f2f3a

SHA1
23230425cfdf2793431a67c86cdc8752ea2e27ca

SHA256
90ec5335dea71fd1028cbe479bede1898947ef756d5b988694f39aa5e98abca1

SHA512
8925a2f242756bef287c4f6b41a93049117cfc27c0683178377eabee4d427770e89d5a9b3bedfd4ea41ec7558818d5906ae7caeed93362deea9092067d9c5819

Download Submit
memory/3952-39-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/3952-42-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/3952-41-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/3952-40-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/3952-43-0x0000000006EF0000-0x0000000006F00000-memory.dmp

Filesize
64KB

Download
memory/3952-44-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-45-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-47-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/3952-46-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/3952-48-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-52-0x00000000043E0000-0x00000000043F0000-memory.dmp

Filesize
64KB

Download
memory/3952-53-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-54-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-55-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-56-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-57-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-60-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-62-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-64-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-63-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-61-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-59-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-65-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-67-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-66-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-70-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-69-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-68-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-71-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-73-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-72-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-74-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-77-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-76-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-78-0x00000000043E0000-0x00000000043F0000-memory.dmp

Filesize
64KB

Download
memory/3952-75-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-80-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-82-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-83-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-84-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-85-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-86-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-88-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-89-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-87-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-91-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-90-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-92-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-96-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-95-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-97-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-94-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-93-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-98-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-99-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-100-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-103-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-102-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-104-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-105-0x00000000043E0000-0x00000000043F0000-memory.dmp

Filesize
64KB

Download
memory/3952-106-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-101-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/3952-108-0x00000000093E0000-0x00000000093F0000-memory.dmp

Filesize
64KB

Download
memory/3952-107-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download