7d7781830d69ede9ca93155c496eb288721cbce56d0f2a104732cf55c5b2c9e1

Analysis

max time kernel
18s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 17:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

net6.0-windows/Newtonsoft.Json.dll
Size

695KB
MD5

adf3e3eecde20b7c9661e9c47106a14a
SHA1

f3130f7fd4b414b5aec04eb87ed800eb84dd2154
SHA256

22c649f75fce5be7c7ccda8880473b634ef69ecf33f5d1ab8ad892caf47d5a07
SHA512

6a644bfd4544950ed2d39190393b716c8314f551488380ec8bd35b5062aa143342dfd145e92e3b6b81e80285cac108d201b6bbd160cb768dc002c49f4c603c0b
SSDEEP

12288:mFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMW:6zMTMNNd+g5Wk78GBBjgrIQtDF

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
712	1516	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1516	wmplayer.exe
Token: SeCreatePagefilePrivilege	1516	wmplayer.exe
Token: SeShutdownPrivilege	1576	unregmp2.exe
Token: SeCreatePagefilePrivilege	1576	unregmp2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1516	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 780	1516	wmplayer.exe	83
PID 1516 wrote to memory of 780	1516	wmplayer.exe	83
PID 1516 wrote to memory of 780	1516	wmplayer.exe	83
PID 780 wrote to memory of 1576	780	unregmp2.exe	84
PID 780 wrote to memory of 1576	780	unregmp2.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\net6.0-windows\Newtonsoft.Json.dll,#1
1⤵
PID:5112

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1176
  2⤵
  - Program crash
  PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1516 -ip 1516
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
06a09c02e2d203b3caa0c075e687a0c4

SHA1
8d59caa9db8f11e93774fb19392e2192b98dcefb

SHA256
78c6ce168b5c5dcf30951aafdb973ba3cffdeee05ef414f762283f5f19e3e9ef

SHA512
6810c8af4a8db23baab88f3d46af936cb70feaae6637caff20e170c29791d3279d691e0d7e00fea796762f5dc4ca600bf9fdf2c9568367cf2f5cb25c36ed687b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
00cc0e75864e3d9b36860de0e8330225

SHA1
e3d7ac2c710b1c330648f03ecfeb81b0a847f50b

SHA256
52b5c3d8d8a8b91e8c94279791170d22cfae8e961a0d93609b19c1b1c6f64366

SHA512
e6fff66e6a95be8b775172cbf58918a7c4221c2a98f8a5fe51ccc29ad63b8ebc955d1bfc6b3a958a3f032db4a398792ffe252a6b0ed3af2729a89192aebae6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
d4e09c63369ec94eb14db268719c364e

SHA1
667f878b0424cf48d87e4067f4d7ff372f7ed64e

SHA256
6abcdae49171d269402a695b9276f5a61cb3e93a2eeccef40a914c8168ed7b42

SHA512
595cb32a85bf99bbeca9362e310a708847fad0ab293b7622689d2cc904ffb248cf2815c1cf318da3f853883599c7883615657afd6ca5dea1ba31ededdb8515d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
e96e4a4c1b4397343771d3882f988734

SHA1
588fe02bac2c2271054fbda7155aa4910c424220

SHA256
1291a7456716ac1585a30e2d7ce4757f3001323d291496ff3bac87ba1c82012c

SHA512
a8c7321ff35cf19e47b4393260507fc866adba9742a6ac3a8ad64a2ea5397c9625bd25608d3379a188dda542dfc489d3bb64d1f6d32da2ae9bcf8ebac179c175

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
fb6063eeb3405739197e49017b1e78c1

SHA1
67bf19922ca151df613a42344775f6c73e42d36f

SHA256
581385fe117587a1adae4988878166ce5977aae916b2601e06fd54b6190c57e9

SHA512
a4bf9543c44db1035682415ab93fc7681001a38de4fce55d1492daa7e4afcbb76d525262d76e72da85886b2c2478029452c28409c976756c103caea3b37440f2

Download Submit