Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 14:33

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: VID_20230808_005209_707_2.mp4
  - Resource: win7-20240705-en
- Behavioral task: behavioral2
  - Sample: VID_20230808_005209_707_2.mp4
  - Resource: win10v2004-20240704-en
General
- Target: VID_20230808_005209_707_2.mp4
- Size: 6.2MB
- MD5: 31dd8769943503916a9b4552b65892ca
- SHA1: 3fb4e07ac1ad780d130415668915ac085b852a34
- SHA256: 00963755bfb6e81ca083ecbde84207ac010d418cdedce3cf46931e816614b08c
- SHA512: 587b3baaaefcb91bbbf8925792936f9b1e061dc59f497b0cdd022571a22b0af660fad1c54a5f852def89e5334b954ce01b4affdf8f31be1ed16f28b2cf82b05d
- SSDEEP: 196608:iMMjz1aHqZgZoWHrSQb97P2wwmcnK3Ii7:iR/1SegZoWmQB7TcK3Ii7
Malware Config
Signatures
Drops desktop.ini file(s) (7 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Public\Pictures\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | wmplayer.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\I: | wmplayer.exe
File opened (read-only) | \??\Z: | wmplayer.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\B: | wmplayer.exe
File opened (read-only) | \??\V: | wmplayer.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\T: | wmplayer.exe
File opened (read-only) | \??\S: | wmplayer.exe
File opened (read-only) | \??\Y: | wmplayer.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\H: | wmplayer.exe
File opened (read-only) | \??\N: | wmplayer.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\J: | wmplayer.exe
File opened (read-only) | \??\R: | wmplayer.exe
File opened (read-only) | \??\U: | wmplayer.exe
File opened (read-only) | \??\W: | wmplayer.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\K: | wmplayer.exe
File opened (read-only) | \??\L: | wmplayer.exe
File opened (read-only) | \??\Q: | wmplayer.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\A: | wmplayer.exe
File opened (read-only) | \??\E: | wmplayer.exe
File opened (read-only) | \??\X: | wmplayer.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\G: | wmplayer.exe
File opened (read-only) | \??\M: | wmplayer.exe
File opened (read-only) | \??\O: | wmplayer.exe
File opened (read-only) | \??\P: | wmplayer.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771719357-2485960699-3367710044-1000\{44222C09-47AB-483A-857D-22BCE1768B24} | wmplayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | wmplayer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | wmplayer.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4900 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 4900 | wmplayer.exe
Token: SeShutdownPrivilege | 2840 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 2840 | unregmp2.exe
Token: 33 | 3876 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3876 | AUDIODG.EXE
Token: SeShutdownPrivilege | 4900 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 4900 | wmplayer.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4900 | wmplayer.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 4900 wrote to memory of 2716 | 4900 | wmplayer.exe | 84
PID 4900 wrote to memory of 2716 | 4900 | wmplayer.exe | 84
PID 4900 wrote to memory of 2716 | 4900 | wmplayer.exe | 84
PID 2716 wrote to memory of 2840 | 2716 | unregmp2.exe | 85
PID 2716 wrote to memory of 2840 | 2716 | unregmp2.exe | 85
Processes
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 4900)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\VID_20230808_005209_707_2.mp4"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\unregmp2.exe (PID 2716)
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\unregmp2.exe (PID 2840)
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 3660)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory
- C:\Windows\system32\AUDIODG.EXE (PID 3876)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f8 0x43c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads