Overview

overview

6

Static

static

1

8mb.video-...qh.mp4

windows11-21h2-x64

6

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-08-2024 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8mb.video-YV5-ugQKomqh.mp4

  • Size

    5.7MB

  • MD5

    645c6657d4a7077032fab296d06e7312

  • SHA1

    2a59f20ccce669cd06bb4399e6d1c2a79abb12d8

  • SHA256

    e15b8577855715dd85a44839e0c6773eda47e3379cd03130a4d3b85668da4175

  • SHA512

    ad1b80d3454a9e5249f550a5c1ae3ca1aa4f5cb71055583ced705d3f812e37fdee9db1c5835e99d5485e9c8f6b5faebb0598469214586af288a800f2576ca8a3

  • SSDEEP

    98304:qFOpDP8/pyqmbGtsII59yWaw7pEQfHHTu5KKqcQtZi4DNroxflUn4wX3n4Uz8:ZiaGhy8Wp79/HTu5KxXhroY/34Uz8

Score
6/10
discovery

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\8mb.video-YV5-ugQKomqh.mp4"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1204
      2⤵
      • Program crash
      PID:5024
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4744
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004E4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3192
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1868 -ip 1868
    1⤵
      PID:880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      256KB

      MD5

      bbb416e94d91b0dfbb49e250efb4e183

      SHA1

      bbf9700fd646ed2de62e7efc230b578e7cb5d414

      SHA256

      82302657180df4c8f2f81df34d3150f263b1a51773fc168b0b639906163d0dd5

      SHA512

      13d07ae391a9429f508a052aa7c6fa39fdc1d18963e2697f7918229dbebcaf937c65fa4209099178a9ca66e8ccb48544f24a073ca24837e65983f1517b054d3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      1024KB

      MD5

      2288e7b70300c4b610b1dcff2a2e1e49

      SHA1

      0d5ee31f21a8c46aac6c4dd357c2400971aa7acb

      SHA256

      dfb91b178b14c5a3bcae0f7ef74a2533e6e071af795a5d14073dee392c6ede94

      SHA512

      948cd3c8ed97fbb63113f9f34dbd8f3680364f6e6e6149efaae4d346104eddf972ddca88c4e8b9d333143c942b758ef960fcc062ece0bd4ca8f51fa8e6e125cb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
      Filesize

      498B

      MD5

      90be2701c8112bebc6bd58a7de19846e

      SHA1

      a95be407036982392e2e684fb9ff6602ecad6f1e

      SHA256

      644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

      SHA512

      d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      06f54da138064bcb87a50ea5796be0bc

      SHA1

      149614dcc0cc8a15d12e042639d53d364b692f5a

      SHA256

      fd00cc98658581a6d166ce94e14f68079c4a2948db69e5ac60755ac8c50c1f50

      SHA512

      530073a003f19a93945cc2d663cd395744c98b3d8377ed6fbc237be0b42b7ec23544fe149435e3d5d47b8d385c2a9bd1e2605222bbe2df0d3233edf10550202d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
      Filesize

      1KB

      MD5

      891734a8f68d80ac20c95bf92f97c9ad

      SHA1

      47308d2da31a74a17ae9b96675312b90bcdf17c5

      SHA256

      c09c76c2e76e5e2aabb0432a05b77cb385b5093ff3cb9bea6d1ad7c4ab914a13

      SHA512

      f0886d03ce78b82fbf4bcee8d3ba46efe72665bb78554507d66246580ee2b2611b2c8a2d52cf3f43f6b638200d796e90d49c8c2b2b75294dffac8dc870674fba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
      Filesize

      3KB

      MD5

      75fca6ad65af471403460d73352b2eed

      SHA1

      81c8fe23b3c9a777cdec6d0ef19d4ac1b3aead6b

      SHA256

      68f99e5abf44c3db01f30fdb26f13bc7b0838c3656cf3072cf0adeb98d5c964e

      SHA512

      bce242f5bc43727f5b5e9930c269d161184afbbbc14c22ee572e28022102ce47ac74b8135fa5bd7f33dd53455ade602ce9221b606b78b5d16b01ca9bf0947017

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
      Filesize

      1KB

      MD5

      f8b38f01e951e3045f8cf12b3c7d65d7

      SHA1

      09eb81bd1de275cc43726287878c892e393b75f7

      SHA256

      738fa8995646a10a9117756f17fdd651df1dfc2cf74bb48c70998e835d778777

      SHA512

      9dbcd27b8d17b9c78cda40434603944ac9d27824e8352ca67b899ffd916c1fae97382a3a5d1f79cbdf14377e92cc08f2b9adbdaf2bcac32ca38024259b129a95

      Download Submit

    • memory/1868-37-0x00000000070B0000-0x00000000070C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-38-0x0000000007290000-0x00000000072A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-41-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-40-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-39-0x0000000007290000-0x00000000072A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-42-0x0000000007290000-0x00000000072A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-35-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-32-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-34-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-55-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1868-36-0x0000000004D70000-0x0000000004D80000-memory.dmp

      Filesize

      64KB

      Download