c90cc6b79aef8fb1065396e6975d1492b7eca2eb0aded8e12f7f49cd08c1a413

Analysis

max time kernel
134s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WFDEm1aZ8EgiCE7M.mp4
Size

322KB
MD5

ec6f11ebd753ce588f358c54ec1b0f6e
SHA1

30aec1204b838f72bb758431e659cb659831dcc5
SHA256

c90cc6b79aef8fb1065396e6975d1492b7eca2eb0aded8e12f7f49cd08c1a413
SHA512

5e20f5a24ae223ed4ad9ea1d39a35d4fee9c726f8dd3af080b99e3cccc2216aafb739855c4727f1553a4545f5acec5e4f52725e33605f51b5a7cd7be8798a3e7
SSDEEP

6144:Tu2mrr1duAEx7vl/bURomfOc/KR38nWO4LhNG42WQ9V:TYrrPWxbBHGONmWRG42WsV

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5088	4240	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{B23D5982-CB2F-4D84-A39C-1CEC049240ED}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	wmplayer.exe
Token: SeCreatePagefilePrivilege	4240	wmplayer.exe
Token: SeShutdownPrivilege	4860	unregmp2.exe
Token: SeCreatePagefilePrivilege	4860	unregmp2.exe
Token: 33	4464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4464	AUDIODG.EXE
Token: SeShutdownPrivilege	4240	wmplayer.exe
Token: SeCreatePagefilePrivilege	4240	wmplayer.exe
Token: SeShutdownPrivilege	4240	wmplayer.exe
Token: SeCreatePagefilePrivilege	4240	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4240	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1956	4240	wmplayer.exe	88
PID 4240 wrote to memory of 1956	4240	wmplayer.exe	88
PID 4240 wrote to memory of 1956	4240	wmplayer.exe	88
PID 1956 wrote to memory of 4860	1956	unregmp2.exe	89
PID 1956 wrote to memory of 4860	1956	unregmp2.exe	89

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\WFDEm1aZ8EgiCE7M.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 2348
  2⤵
  - Program crash
  PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4240 -ip 4240
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
85584f229ee7fa19acf8a836e8adb1e5

SHA1
3c9643d38d7ab1abc9cc694598715c6cc314ef9e

SHA256
61cf3e54a08067742fb4dfbb8dacef67bbee3aa8d46e441def945d5061651b42

SHA512
2add08a758265876148a26f3fb9f82b4ebcac90c84723c8a257e68f6030342dd55afb5cb8fd2265cacf885c19722f4936371de1f295f3c8e343dd3e121700d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
fa071c105b04c9e46a02bff860dbaa10

SHA1
07922d89b459149ead222cd077f03971e58e89c1

SHA256
47041e0a47cf9fe62083b0a9a085a5c8a4d5e58cc52ee1abc7cd9d13789f4959

SHA512
24b4b925cb885c7068f2a8955f00c5ec0d3d3279118adf5036f71a38f0bcafc7c3e330d002b24436619cc9c7858965f568cc545a9291e863996d89a789a6cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
e6bd9dd0e6b8aab8e80a17819f1e6fd8

SHA1
aa68f61cf0ed592b4af5d2098c347f8bc7f14e85

SHA256
7fca10b9a80dffd3f3f2a446406d49260a996ccc40e8f267c733d0912d587c8b

SHA512
040e110b3b8e5615e68803b0854dd57ccfd8b5c64a6ada70c8d36f945e908743ab0c5f1b3d86546dde44c1c72f71e0d1ed30523101c1fb04d2615228cee246c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
37578ce07ff8bf7c8516be451f0032c8

SHA1
d42a249c71c621849d3608363f83dc1ba8a64c88

SHA256
6fb495c28bf2f05143c034dd26672a6c2281af6f4153656f16e79bb0f7ab5573

SHA512
64b8f4d26a1327ce1b5d793194c4999adcf81a30a96670870c9da40cb6813e4ea28eaa7cc2b0d225ca2ca21e55e7a18dd1b6c6fcf88fa794c8036abfb8c8ef40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
7242cdbeefe6802f41dd528f5bbe1102

SHA1
b2cb5fa7a2caeab0f20af27fba118286c43b08b2

SHA256
d3745203860c7039588c170e4f4f9af387bdd8c1477c82bed301769626c03533

SHA512
3fd324bde17f68a06e6c7aea3a91dd6b06be4fcd55559a16f48e5f5e974b1307f1b92e5bcc32bd656b1325a91e40acbec0d8f6cd0fe2b458b8ae21c574c62772

Download Submit
memory/4240-72-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-76-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-30-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/4240-34-0x0000000007050000-0x0000000007060000-memory.dmp

Filesize
64KB

Download
memory/4240-35-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-36-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-38-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/4240-37-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/4240-39-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-52-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4240-53-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-55-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-54-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-57-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-58-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-59-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-61-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-63-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-64-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-62-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-60-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-65-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-66-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-70-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-69-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-68-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-67-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-33-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/4240-73-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-74-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-75-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-32-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/4240-78-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-77-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-79-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4240-80-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-81-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-82-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-83-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-85-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-87-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-86-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-90-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-89-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-88-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-84-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-91-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-92-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-93-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-94-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-95-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-96-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-97-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-98-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-99-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-100-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-101-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-103-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-104-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4240-102-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/4240-105-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-31-0x0000000006690000-0x00000000066A0000-memory.dmp

Filesize
64KB

Download
memory/4240-106-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4240-107-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download