86c8812621c9af04b428b99aeb96627a340c3810d2bdb1053d2fb0357337a99e

Resubmissions

03-08-2024 14:36

240803-ryw8dswelq 10

03-08-2024 14:34

240803-rxs5cawejl 6

03-08-2024 14:30

240803-rvcpkswdkr 6

Analysis

max time kernel
30s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gothymilly76b779.mp4
Size

261KB
MD5

d3d13a4ac1f069c0c305836dca7a79f4
SHA1

9b3fdb93a1e59d3238b110bef6a56ddc4c94c449
SHA256

86c8812621c9af04b428b99aeb96627a340c3810d2bdb1053d2fb0357337a99e
SHA512

f3f8a5814fab743ab4f3f31f800ef66171673dbacbe66722e2a865cc97fc3e59deb2655da10e5ac84826d3fcb2c4ee0d671c7d0179a0b6e3ee850f43b348515f
SSDEEP

6144:lPL62UN2BRLvehowE4wFFrAuROLFgCRofacyfI5IhdgDJkihg8T0t+:d7A2DvehXwb0uRCg7fa9w5KCdV1b

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{9E9B88EA-083A-4A34-A740-DF8AE4291B1B}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1748	wmplayer.exe
Token: SeCreatePagefilePrivilege	1748	wmplayer.exe
Token: SeShutdownPrivilege	376	unregmp2.exe
Token: SeCreatePagefilePrivilege	376	unregmp2.exe
Token: 33	508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	508	AUDIODG.EXE
Token: SeShutdownPrivilege	1748	wmplayer.exe
Token: SeCreatePagefilePrivilege	1748	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1748	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1396	1748	wmplayer.exe	83
PID 1748 wrote to memory of 1396	1748	wmplayer.exe	83
PID 1748 wrote to memory of 1396	1748	wmplayer.exe	83
PID 1396 wrote to memory of 376	1396	unregmp2.exe	84
PID 1396 wrote to memory of 376	1396	unregmp2.exe	84

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\gothymilly76b779.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x374 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
34c428caf0b15a093e777f551a5d802b

SHA1
8160b276505e2cb2ec586e47bfc7aff29ec919f2

SHA256
fd7cf91b63a5ed760f27de1e014f0bdc88b8063bfb88f47bc938e844b5ff5918

SHA512
13c18887b952666dbed01a572f6c16b4b4bc7e8e4c80304a09cd292d64c5dfecc50662da4582b455eb68bf6da2f2c793d2652949befcb8b94da46edb816a7e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
90b013ad174a92cc512229a0bcb5a9e6

SHA1
ecb3ff1dfc26404301d41eef40f48193b4861225

SHA256
4432dea99b8135edd9af66a90a46178bcd738bdde94cc737f62cf98878193522

SHA512
50b774ee427ee764bdf3612ce8677d264e2d40646423cfdbb08024c0f77bf6d2fc5a7be89481fa2e846a819e9f780b9e73d7a83d8f06536575043a5fd7117653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7ebfa857c0cfc0a555876f256f634d8d

SHA1
34490a9e85e4fe460e32cfb4b7ae5a20af729cc1

SHA256
a7c68b418f27b40c69a158eb47139ca863fe11c9727ac0dfffe79dfff721baf8

SHA512
6376f802f5f1cccc38dc6af67a6ac4b3ac19a0a347e7a8ed19390825daf5c3fcfde71e0090eabd78748e8f3b8c980cee469ef61cae68aacef28e6dadbdf099ed

Download Submit
memory/1748-32-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1748-34-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1748-33-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1748-31-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1748-37-0x00000000077A0000-0x00000000077B0000-memory.dmp

Filesize
64KB

Download
memory/1748-38-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-39-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-41-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1748-40-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1748-42-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-57-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1748-58-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-59-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-60-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-61-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-62-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-63-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-64-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-65-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-68-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-67-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-66-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-69-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-70-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-71-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-74-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-73-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-72-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-75-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-76-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-77-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-78-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-81-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-80-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-79-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-82-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1748-83-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-85-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-84-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-86-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-88-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-90-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-91-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-93-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-92-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-89-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-87-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-94-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-95-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-96-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-99-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-98-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-97-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-100-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-101-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-102-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-103-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-105-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-106-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/1748-104-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-107-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1748-108-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-109-0x0000000009810000-0x0000000009820000-memory.dmp

Filesize
64KB

Download
memory/1748-110-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download