34e141c88f20dffe25bf118a427415ce55cbc123848a2f6d2d5ccfe390a746ec

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave/CrackedWave/bin/Background.mp4
Size

4.6MB
MD5

9782180eb68f73030fe24ef6a1735932
SHA1

589827fe098ba048c9f871a28db8eae3e3537ff4
SHA256

3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7
SHA512

dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1
SSDEEP

98304:xs/6Ldccul3Wn48btjNEkPSFTaIwJ0Mt6KNY:xs/Gul3EvEmFItMkb

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{740305D5-E386-4C14-8F40-5BA6828C7AE4}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	764	unregmp2.exe
Token: SeCreatePagefilePrivilege	764	unregmp2.exe
Token: SeShutdownPrivilege	1804	wmplayer.exe
Token: SeCreatePagefilePrivilege	1804	wmplayer.exe
Token: 33	4124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4124	AUDIODG.EXE
Token: SeShutdownPrivilege	1804	wmplayer.exe
Token: SeCreatePagefilePrivilege	1804	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1804	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 5056	1804	wmplayer.exe	85
PID 1804 wrote to memory of 5056	1804	wmplayer.exe	85
PID 1804 wrote to memory of 5056	1804	wmplayer.exe	85
PID 5056 wrote to memory of 764	5056	unregmp2.exe	86
PID 5056 wrote to memory of 764	5056	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Wave\CrackedWave\bin\Background.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
c10bacb0fccb294ccfbf6858a27fc252

SHA1
e722e420e37390bb7639f723b2801a0425371d34

SHA256
e46f7b56a40c891c8b76c3a81c2e7e5d59efd2d96d99afc39f654fd32992abf9

SHA512
c9a66ea09070ec8c9b1ec6b4308458050a3fe2342140c55e9bc81edb3380022ae9b47a7659c10d04e24674a7bf365b0b4fd0993f3b5c2cffe93e105e11aa845e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
edfc2abc9dc39dabc35caf0c0713324e

SHA1
a21f6051c3f74d69172a28ed75d2ea1c5f68e254

SHA256
8d3ccb0954416e33765ecba1d28a23cde0b5f5c203b65f8f26dc64f35aa8fa40

SHA512
33e87a8685f0064f3de205420d63a16bc4fdd530fa4fd0d65640c217a3c816de1ff74dea0ad5a1d3396aa6ff73bf9a92324ae19b40d49883f358f90f2091b66c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
b7d2211ab53ab3ccd34473bded2873fb

SHA1
f18ddd4d48a95b6649b071b5aca9dc120ead78e4

SHA256
8696ee304eec5bd0da96aaba4e2aa3266ccc7297be8bc31514c2cca33f7c9fdf

SHA512
142e8d7b2ff234ffd46a79eef8e9bd1b3c50ffff51460cbe9dbaea9cd4b1c0c58cff763ffd7f6b9d45bcda4c21cdf0c21f618d822fcc1eee0bc0f9e1817d9730

Download Submit
memory/1804-27-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1804-28-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1804-30-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1804-29-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1804-33-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/1804-34-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-37-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1804-36-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1804-35-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-38-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-51-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1804-54-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-55-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-56-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-57-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-58-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-59-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-60-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-61-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-62-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-64-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-63-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-65-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-70-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-69-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-68-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-67-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-66-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-72-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-73-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-74-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-75-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-77-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-78-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-79-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1804-76-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-80-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-81-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-82-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-83-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-85-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-87-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-90-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-89-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-88-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-86-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-84-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-91-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-93-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-94-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-92-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-96-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-95-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-97-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-99-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-98-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-100-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-101-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-103-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-104-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1804-102-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-105-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/1804-107-0x0000000009D40000-0x0000000009D50000-memory.dmp

Filesize
64KB

Download
memory/1804-106-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download