11879aaf810fdacf73f694015e4b75ab1c68be8eb372b76f1c03d8b21d0dc1b7

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1v1.lol_Subz.rar
Size

257KB
MD5

646c0bcce5a1cbba02e12555e4ba0c3f
SHA1

406d1e749f77b331c0c5cbc4977002c89704dd8b
SHA256

11879aaf810fdacf73f694015e4b75ab1c68be8eb372b76f1c03d8b21d0dc1b7
SHA512

16953b0c223f258e8d4e00628d3f018a665eab36708092cc8a5dfbdc5ec821de2d719f04489ff595459e9c50cb3dda66ab4bdb69eab570ef88c1205c12b52012
SSDEEP

6144:wi8zD7uZ30sTaWbUBHTWWapGp3RdVJaEgLU1XG:sH6Z30sTaWQBzEMzdVNgLU12

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3864	wmplayer.exe
Token: SeCreatePagefilePrivilege	3864	wmplayer.exe
Token: SeShutdownPrivilege	3936	unregmp2.exe
Token: SeCreatePagefilePrivilege	3936	unregmp2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3864	wmplayer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3312	OpenWith.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2332	3864	wmplayer.exe	100
PID 3864 wrote to memory of 2332	3864	wmplayer.exe	100
PID 3864 wrote to memory of 2332	3864	wmplayer.exe	100
PID 2332 wrote to memory of 3936	2332	unregmp2.exe	101
PID 2332 wrote to memory of 3936	2332	unregmp2.exe	101

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1v1.lol_Subz.rar
1⤵
- Modifies registry class
PID:4048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
0603a61008784c4c91f013b5f6f82d4b

SHA1
2d1cbb4390b0c0c33e52dcdcd693933d3e53b35a

SHA256
76625ebca84f3def7b0889b2839314c5497a2fa01199e14ba4e0fb97c97d73be

SHA512
0621c99593ae3aadfe0315d28e4e7de05af8039bf0a4ec3e261fbf91b6b1f79ec6495d5f14a5c8b648c88ddfb14b8d9696253ed4845973bbe51d5f12dc167895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
168c8af3d02fa699ff638872465ef446

SHA1
7fa0748bf45d2d1fafef520d55d4924efa1ca8b4

SHA256
a98f0ce222c6d249142699ecae8ce0abdcf941a475e4db579efa0a2b93487c00

SHA512
30510ac36a8d6482ae2a1524b9bc6ece608aea9ddfe395501057547bb1b6a575928af322558d692d837bf7a38b501d8227794f08aff4ab46287171a19aa2adc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
4d24f750cf6b58cac359c7fec9c21c5d

SHA1
47b8e2835704316428c01167af25e560994ad79e

SHA256
1ec1a24b15830f4479147af4a12cdadab65ea28d5c307b36c9356c32bf68efb8

SHA512
b7f91d4970f42e6e14553d1bdb85570d6f8780972623c473f871ea8c80e138a118a484b7c310f01d5e308d2f511cd0e0765f7c9a224c3e35b64229ea8d24942b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
522659961c1f143f86e7e18f8d8c780e

SHA1
fceee7e45c333c89682a9d801fc3bc4aee38c4e5

SHA256
c1a6413da5b16e0540752452747b025c0e3c97788ec01df66fc6d0d4809a9531

SHA512
738d2396366e4fe80a847041245062989dfe6031fd7086c7153c07722f289f7aaf13dc8397ef46dc27d4273003121ccdd3b32a42c730eec7c56af238b8e8a148

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
f669f0f7b1492d5421b2672a30a69d40

SHA1
eb37ada132f707632e578fccaf62d027ea9ba224

SHA256
aab9b57b6b66eaddf6c863bdd3802727a71892106d69c31d60246bfc3ed0b357

SHA512
6b40a3c3731a203182360869efa2c0626f4d1c8c6bee12df3078166e04f12c8d39704775aa7712304632949a1283d50feb391e89feb765138420b5f6566ecc91

Download Submit
memory/3864-74-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-109-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-36-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-35-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-34-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-39-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-40-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-51-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-56-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-55-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-79-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-53-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-52-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-58-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-57-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-60-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/3864-37-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-63-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-64-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-65-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-66-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-67-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-68-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-69-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-70-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-71-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-72-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-73-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-33-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-75-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-111-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-38-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-54-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-77-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-80-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-81-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-82-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-83-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-85-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-88-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/3864-87-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-86-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-90-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-92-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-91-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-93-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-95-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-94-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-96-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-98-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-100-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-99-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-97-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/3864-102-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-103-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-107-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-106-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-105-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-104-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-78-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-110-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-76-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-112-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download
memory/3864-114-0x0000000009B60000-0x0000000009B70000-memory.dmp

Filesize
64KB

Download