Analysis
max time kernel: 50s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 19:46

Static task: static1

Behavioral task: behavioral1
  Sample: Teddybears Sthlm, Mad Cobra - Cobrastyle (Video).mp4
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: Teddybears Sthlm, Mad Cobra - Cobrastyle (Video).mp4
  Resource: win10v2004-20240802-en
General
Target: Teddybears Sthlm, Mad Cobra - Cobrastyle (Video).mp4
Size: 10.8MB
MD5: 4be2f4f6a74d703b5a774f0f26a6c532
SHA1: dae63049684e19c4c23184a355345f3c09412544
SHA256: cea8a0e506198d7e86fce66da8447e711a4d80a26ac056301c6fb8b16a457d9d
SHA512: 5508aa8cb4a3e136080927b55edd81423d48fdfdbac052ec30e4ed44f5a65b38712ee6ff09035a5ad0c50b8fb1c913096f37a2e772e5eb3b4243050387c1c6c2
SSDEEP: 196608:2byXahLyri4u4ejoycOQLVj82xBMDNdptIZCkFq0CpnkDTewoDVMgYf1:2iahLyilLcOIBEhdrMCSq0ckvewXBf1
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description                ioc      Process
File opened (read-only)    \??\A:   unregmp2.exe
File opened (read-only)    \??\K:   unregmp2.exe
File opened (read-only)    \??\Z:   unregmp2.exe
File opened (read-only)    \??\H:   wmplayer.exe
File opened (read-only)    \??\K:   wmplayer.exe
File opened (read-only)    \??\T:   wmplayer.exe
File opened (read-only)    \??\S:   wmplayer.exe
File opened (read-only)    \??\N:   unregmp2.exe
File opened (read-only)    \??\P:   unregmp2.exe
File opened (read-only)    \??\S:   unregmp2.exe
File opened (read-only)    \??\W:   unregmp2.exe
File opened (read-only)    \??\X:   unregmp2.exe
File opened (read-only)    \??\I:   wmplayer.exe
File opened (read-only)    \??\M:   wmplayer.exe
File opened (read-only)    \??\Y:   unregmp2.exe
File opened (read-only)    \??\A:   wmplayer.exe
File opened (read-only)    \??\L:   wmplayer.exe
File opened (read-only)    \??\N:   wmplayer.exe
File opened (read-only)    \??\O:   wmplayer.exe
File opened (read-only)    \??\I:   unregmp2.exe
File opened (read-only)    \??\Q:   unregmp2.exe
File opened (read-only)    \??\R:   unregmp2.exe
File opened (read-only)    \??\R:   wmplayer.exe
File opened (read-only)    \??\X:   wmplayer.exe
File opened (read-only)    \??\U:   wmplayer.exe
File opened (read-only)    \??\E:   unregmp2.exe
File opened (read-only)    \??\H:   unregmp2.exe
File opened (read-only)    \??\L:   unregmp2.exe
File opened (read-only)    \??\M:   unregmp2.exe
File opened (read-only)    \??\O:   unregmp2.exe
File opened (read-only)    \??\E:   wmplayer.exe
File opened (read-only)    \??\P:   wmplayer.exe
File opened (read-only)    \??\W:   wmplayer.exe
File opened (read-only)    \??\Z:   wmplayer.exe
File opened (read-only)    \??\B:   unregmp2.exe
File opened (read-only)    \??\V:   wmplayer.exe
File opened (read-only)    \??\Y:   wmplayer.exe
File opened (read-only)    \??\G:   unregmp2.exe
File opened (read-only)    \??\J:   unregmp2.exe
File opened (read-only)    \??\U:   unregmp2.exe
File opened (read-only)    \??\B:   wmplayer.exe
File opened (read-only)    \??\G:   wmplayer.exe
File opened (read-only)    \??\T:   unregmp2.exe
File opened (read-only)    \??\V:   unregmp2.exe
File opened (read-only)    \??\J:   wmplayer.exe
File opened (read-only)    \??\Q:   wmplayer.exe

Drops file in Windows directory (2 IoCs)

description                    ioc                                                                                                        Process
File opened for modification   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll   svchost.exe
File created                   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll   svchost.exe

Program crash (1 IoCs)

pid    pid_target   Process        procid_target
3176   1952         WerFault.exe   80
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description   ioc                                                              Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      unregmp2.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      wmplayer.exe
Modifies registry class (1 IoCs)

description   ioc                                                                                                                                                                                            Process
Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{A5199BD7-5CE8-4E8C-B8B1-D5244DB077CE}   wmplayer.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)

description                        pid    Process
Token: SeShutdownPrivilege         3140   unregmp2.exe
Token: SeCreatePagefilePrivilege   3140   unregmp2.exe
Token: SeShutdownPrivilege         1952   wmplayer.exe
Token: SeCreatePagefilePrivilege   1952   wmplayer.exe
Token: 33                          2776   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2776   AUDIODG.EXE
Token: SeShutdownPrivilege         1952   wmplayer.exe
Token: SeCreatePagefilePrivilege   1952   wmplayer.exe

Suspicious use of FindShellTrayWindow (1 IoCs)

pid    Process
1952   wmplayer.exe

Suspicious use of WriteProcessMemory (5 IoCs)

description                          pid    Process        procid_target
PID 1952 wrote to memory of 3356     1952   wmplayer.exe   84
PID 1952 wrote to memory of 3356     1952   wmplayer.exe   84
PID 1952 wrote to memory of 3356     1952   wmplayer.exe   84
PID 3356 wrote to memory of 3140     3356   unregmp2.exe   85
PID 3356 wrote to memory of 3140     3356   unregmp2.exe   85
Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Teddybears Sthlm, Mad Cobra - Cobrastyle (Video).mp4"
  Signatures:
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  PID: 1952

  C:\Windows\SysWOW64\unregmp2.exe
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    PID: 3356

    C:\Windows\system32\unregmp2.exe
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      Signatures:
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
      PID: 3140

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 2268
    Signatures:
      - Program crash
    PID: 3176

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  Signatures:
    - Drops file in Windows directory
  PID: 3672

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x510 0x3c4
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
  PID: 2776

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1952 -ip 1952
  PID: 2540
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: 987a07b978cfe12e4ce45e513ef86619
SHA1: 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256: f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512: 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Filesize: 1024KB
MD5: 4cc3e444ea558c68aab45465fa7c251f
SHA1: b38d0e0df628e157167eb9975f508730c53b2507
SHA256: 71e5a0fd7b80bb0cc4800bd349a45ae65e8782597c968a63feb674bc53d88ff8
SHA512: c31a0f9a0e36d73d6d6b8bdfe0ee74c2c1f59f9ce4892f6376502cd23f88c76a2a98184759f044c6841d7440bf7dd9fe52c28e674c5d101ab6844d93a86ad85e

Filesize: 498B
MD5: 90be2701c8112bebc6bd58a7de19846e
SHA1: a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256: 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512: d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Filesize: 9KB
MD5: 5433eab10c6b5c6d55b7cbd302426a39
SHA1: c5b1604b3350dab290d081eecd5389a895c58de5
SHA256: 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512: 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 1KB
MD5: fb456d2dba92c5a59486bbdc9eddebb6
SHA1: a0dcd9bc49414164aff72e4fde329b72a25407ad
SHA256: 6ff0052b580e2c9ba8de672e3b3ec19a6390bce43328f775616838c1f232578c
SHA512: fc90f6b5273dd50bdfd416ee5184a13cfe2bc9626722d233ad490693a0b7cb58cf0916d276ff198d56197efe91a6ec58b8a43a7d37df5abc826b8fb2fff15b39

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize: 1KB
MD5: ddc71c88942419fdc6b447eef754513f
SHA1: 2f459ce8c010ce000cc37d3339912d2951208835
SHA256: b157d35b80aead4209f8acce9f2873f1abfdafdb8e644a437409491c32c8d2c1
SHA512: 94c2b693bfd9cdb482d1a5c88a416cc6e0d2219447fac121b2c97abc3dc1197608d2f8701ad9b13a51ab410b7a4eba167efc73298bdd9c66cf02a99d51360539

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize: 3KB
MD5: 249e33a840927953ceee3b566e578e30
SHA1: 371623d0562ab4622b641a2cabab00b4b3c67bd2
SHA256: dffefbf152b514182ba9d398ef9f5883b7f9c11b7d00275703e65ed43d55343d
SHA512: adb18e4f3afbbcacff4d7fc535048ae577efb3fb63f644c4b1dd3660f432cc0a4d797f5b574472bbfbefaefa1417095155055e9d6d8983f379cd70fbb0ed2dec