34e141c88f20dffe25bf118a427415ce55cbc123848a2f6d2d5ccfe390a746ec

Analysis

max time kernel
272s
max time network
277s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
23-07-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave/CrackedWave/bin/Background.mp4
Size

4.6MB
MD5

9782180eb68f73030fe24ef6a1735932
SHA1

589827fe098ba048c9f871a28db8eae3e3537ff4
SHA256

3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7
SHA512

dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1
SSDEEP

98304:xs/6Ldccul3Wn48btjNEkPSFTaIwJ0Mt6KNY:xs/Gul3EvEmFItMkb

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-95457810-830748662-4054918673-1000\{40023283-3A83-47E2-886D-86BA203E6C1B}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2320	wmplayer.exe
Token: SeCreatePagefilePrivilege	2320	wmplayer.exe
Token: SeShutdownPrivilege	3108	unregmp2.exe
Token: SeCreatePagefilePrivilege	3108	unregmp2.exe
Token: 33	2124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2124	AUDIODG.EXE
Token: SeShutdownPrivilege	2320	wmplayer.exe
Token: SeCreatePagefilePrivilege	2320	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 248	2320	wmplayer.exe	78
PID 2320 wrote to memory of 248	2320	wmplayer.exe	78
PID 2320 wrote to memory of 248	2320	wmplayer.exe	78
PID 248 wrote to memory of 3108	248	unregmp2.exe	79
PID 248 wrote to memory of 3108	248	unregmp2.exe	79

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Wave\CrackedWave\bin\Background.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:248
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
19d78b1eae63fd95e33c36ae0cad7aa8

SHA1
52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b

SHA256
50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80

SHA512
34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
7bae5fdbc1fd99a9d516a06ed23cea3b

SHA1
9cf233e282fc3b582d880a315eb843710a8c8325

SHA256
51a59b6cedbeff5305dd99101a41d5214526f7f088c664ec62b9eb52d6eaefce

SHA512
a1b37f8f3af7ed48f41d8a2bd7d049555a78cea82e3353ebc3f653d5630f5d81ad94877646e803f3aac999978e6ac439592c937afcf8b908078bc7cc8984fed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
eb4632227b656d9d720b142ba65fb33f

SHA1
048c1e15b666d2a11f68f7795421367604ace212

SHA256
935f1dbf9aaaf84434c8623a42c0bd98a51fa40787a42d840ca5254e7773b381

SHA512
6f1cca362f49d2fb27b51fbd6e666b6a7ca73c761a7bd3340d4cdc70610aa9e85feea91ce812fa03245ed0ae8c7465842561640d570d3248f55343a931a8927a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
25709dd653d43ba127d78a6ebf20f11e

SHA1
4e0029d3831c942288b071567caf3628a9b68d80

SHA256
f29b2ce52c7d68afbdf4b93d196f1b4530eace7248052a8b8f47aa8c66895884

SHA512
8ef12b7b84e58346e211481e17913b109acebe7d364cd1a68d91379b53a80aff965fbd28a3bb3be166a245b3363ffa20beeba21a89d7ca1277c71295eea08ed1

Download Submit
memory/2320-33-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2320-36-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2320-35-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2320-34-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2320-37-0x0000000006CE0000-0x0000000006CF0000-memory.dmp

Filesize
64KB

Download
memory/2320-41-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2320-40-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2320-39-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-38-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-42-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-50-0x0000000006B30000-0x0000000006B40000-memory.dmp

Filesize
64KB

Download
memory/2320-54-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-55-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-56-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-57-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-58-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-59-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-61-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-60-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-62-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-64-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-63-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-65-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-66-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-68-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-69-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-70-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-67-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-71-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-73-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-72-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-74-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-76-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-78-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-77-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-79-0x0000000006B30000-0x0000000006B40000-memory.dmp

Filesize
64KB

Download
memory/2320-80-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-90-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-89-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-88-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-87-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-86-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-85-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-84-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-83-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-82-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-81-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-91-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-93-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-94-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-95-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-96-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-92-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-97-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-99-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-98-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-100-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-104-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-103-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download
memory/2320-102-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-105-0x0000000006B30000-0x0000000006B40000-memory.dmp

Filesize
64KB

Download
memory/2320-106-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-107-0x0000000006B90000-0x0000000006BA0000-memory.dmp

Filesize
64KB

Download
memory/2320-108-0x0000000006C00000-0x0000000006C10000-memory.dmp

Filesize
64KB

Download