e5b9d4ed06904d44d5324374f9a98f4ab2306d7c709e700dddc1f4117a921c76

Resubmissions

02/08/2024, 22:01

240802-1w8cbasbrl 6

Analysis

max time kernel
49s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 22:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

modern house phone sound effect wireless phone ringing sound - Sound laboratory.mp3
Size

257KB
MD5

cfd3a14b64559059350ac46955966f8e
SHA1

d7b84cdef3fc8d34b4553a26ed7606d61475c71d
SHA256

e5b9d4ed06904d44d5324374f9a98f4ab2306d7c709e700dddc1f4117a921c76
SHA512

4a32635460460067594f80e1ec99011c06ab1624db09063303cef1b4d458dd19ede084ea91963ed9a205310238ce8d6187fffc5f8066328200196d17e5daad99
SSDEEP

1536:OAVfLRNALL4j32tFBRECrM4RgJ50pv2F/fyJ205wfKowTaQz+9fUur6Q3QKXtFIw:OIi1AA06Jr59+9fTrj9aqrR+t9RlCA8

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{539871F1-371A-4D98-A921-0AAF6EF40D07}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	unregmp2.exe
Token: SeCreatePagefilePrivilege	1212	unregmp2.exe
Token: SeShutdownPrivilege	2116	wmplayer.exe
Token: SeCreatePagefilePrivilege	2116	wmplayer.exe
Token: 33	4492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4492	AUDIODG.EXE
Token: SeShutdownPrivilege	2116	wmplayer.exe
Token: SeCreatePagefilePrivilege	2116	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1924	2116	wmplayer.exe	90
PID 2116 wrote to memory of 1924	2116	wmplayer.exe	90
PID 2116 wrote to memory of 1924	2116	wmplayer.exe	90
PID 1924 wrote to memory of 1212	1924	unregmp2.exe	91
PID 1924 wrote to memory of 1212	1924	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\modern house phone sound effect wireless phone ringing sound - Sound laboratory.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
8f9d02bae9479f2a814f23d1faf8eebb

SHA1
3d4fc3c349e3cd45d0a860fc69cdc82bedd343f0

SHA256
ecaab45983314425373e02ec555078bb000134570b7e6df9c8fccdf84165eecc

SHA512
28caf1eb288dd8cdf453b46b8409ede41c4fd5b9a827bde9aa1a64e5a73211483556e6a604df75a978394870d1a5fd4126353963a19a674d39db0e0af1f29d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
e8ab4aaadc3b7da7e54386b05488f002

SHA1
ebffd14006527b07e2970bbf851217f13632bff4

SHA256
09190c2be1721f3cd058f13d4ad42b0f4732998be4978ddd1846ff92ac6bccff

SHA512
c806f2b5dd12b3dd9759c29fcab95e7a70ed6fcebc9c8309b9513fd3972e68642dc31d69351fb829d788d6a2da79734d6eb298c3c43c3e9cbcbb44762ff7f762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
1548251c86a23d1e7d2fbe9dee804a17

SHA1
5399667bcd0e8937a60b2cb0548e6b3c71067d9b

SHA256
7b8e31ca34a4cdae22fd0f5bb3c0bfe5741f4f6a8a4a3f211b061d73216b4510

SHA512
0de7522cd3dae8be52cb9548104d6eef66b53bd0d75130d42d87d7db3924dc64706d471ab4eaadf6ace789c8d29001783329d1f2602cf5f78e83853341857a6c

Download Submit
memory/2116-28-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2116-27-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2116-30-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2116-29-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2116-32-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2116-31-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2116-36-0x0000000008600000-0x0000000008610000-memory.dmp

Filesize
64KB

Download
memory/2116-37-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-38-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-39-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-40-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-42-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-43-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-45-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-44-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-48-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-47-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-46-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-50-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-51-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-52-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-53-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-55-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-54-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-57-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-58-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-59-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-60-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-61-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-63-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-64-0x0000000008600000-0x0000000008610000-memory.dmp

Filesize
64KB

Download
memory/2116-62-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-66-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-67-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-68-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-69-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-70-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-71-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-74-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-76-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-75-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-73-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-72-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-79-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-80-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-84-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-83-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-82-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-81-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-86-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-87-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-88-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-89-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-93-0x0000000008600000-0x0000000008610000-memory.dmp

Filesize
64KB

Download
memory/2116-92-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-91-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-94-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-90-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-95-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download
memory/2116-96-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-97-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-99-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-98-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2116-100-0x0000000008660000-0x0000000008670000-memory.dmp

Filesize
64KB

Download