2ffa473d8de8262cfc293d79eece37080fe1db0ba39ee1620854de91696b1276

Analysis

max time kernel
1795s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240802-it
resource tags

arch:x64arch:x86image:win10v2004-20240802-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
07/08/2024, 08:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

attachment.mp4
Size

4.6MB
MD5

f1dbd7353165085bc5ed9f5071414b68
SHA1

5b56a391b84f4a785ef8a12ecd80329a655f92df
SHA256

2ffa473d8de8262cfc293d79eece37080fe1db0ba39ee1620854de91696b1276
SHA512

74bbf583d1bc961227a01fe9594852f3f0baaa32c1f679a2a99cba2d294566fc0f0034711bf18508c722c14e5570ccaee8e284b858824108788196fb155bb80f
SSDEEP

98304:tzicSDzssaIB48R6ktcnTQY+zmEYilKt7xwKpRE0Gz6/FrWE:xDw3KnTQY+6kKt7aKLu69L

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{FF0C7AE4-4195-4AA5-9C4E-5266E061738B}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	532	unregmp2.exe
Token: SeCreatePagefilePrivilege	532	unregmp2.exe
Token: SeShutdownPrivilege	4688	wmplayer.exe
Token: SeCreatePagefilePrivilege	4688	wmplayer.exe
Token: 33	4260	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4260	AUDIODG.EXE
Token: SeShutdownPrivilege	4688	wmplayer.exe
Token: SeCreatePagefilePrivilege	4688	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4688	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 5104	4688	wmplayer.exe	89
PID 4688 wrote to memory of 5104	4688	wmplayer.exe	89
PID 4688 wrote to memory of 5104	4688	wmplayer.exe	89
PID 5104 wrote to memory of 532	5104	unregmp2.exe	91
PID 5104 wrote to memory of 532	5104	unregmp2.exe	91

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\attachment.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x240
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=it --service-sandbox-type=asset_store_service --field-trial-handle=3516,i,7625519469947985152,13713547319297971533,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=it --service-sandbox-type=asset_store_service --field-trial-handle=3948,i,7625519469947985152,13713547319297971533,262144 --variations-seed-version --mojo-platform-channel-handle=1404 /prefetch:8
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
c7c82e77d69c118eaa9755727ec97819

SHA1
5377d13b7b87a537a1f12973c4e27a50de5c690b

SHA256
f59a7a1856414978e5befff8c008f768fe7e9008dd8dc9f175d080c0f89ec7c4

SHA512
973214449d76c258a6102df6476e4baa1462ab70c815a39ab6c40153be2648f0b685e34ea21b9147ba41ac12a5d79266c49a8fbf5507d047dba48868b25261f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
6bfcc16c14e21c9c512a1ba548223146

SHA1
6070e7138590242f29d859aafb8767651ca03a26

SHA256
c580495f241246a0c99eadb7f24766e91fe7a9492475b60e4d437cabb85864e0

SHA512
1d579032f0a973166f0f371c34606b95e59bc8f09fdce37df51e64ac69b8962163f0c661e66e64eea06acf4c73531ee72eb63492a42cf46a6af5ada42514733d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
765bd8528ed4dc9ee4b2d6d9db581898

SHA1
d5e250ff30742a490125e4d81984cad841bedc76

SHA256
6b81d3641021c5dd56f7a2441e5eeaa9c3b000bc82173b96061ac362e7cd3963

SHA512
fae58fe3db3dcda147703d248210fb34c230537e93435eea56afde7595bc3bab286663deb59c32e4f87cdf6f2fbaadc5d0413bcb18a0f094d7dd78c221ee64c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
1972980582790ac3cc01c8a28e861f89

SHA1
ae66a266d55b7d0adf1a3035c8f035a848091e43

SHA256
bdac6752b2fe3a3b65d28d7db1152c560a95edd5981c20fd95b908968a18c754

SHA512
55f9460d6e4b099b0cac34b2bfc346921544127a1452c2f8f0b9dcb66c9a5c4582a4ee9b057dcc638ca340eaab68f79cfa7986df60bb2c8d565c865f21f16ddf

Download Submit
memory/4688-41-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4688-40-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4688-39-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4688-38-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4688-42-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/4688-43-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-44-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-46-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4688-45-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4688-47-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-52-0x0000000006360000-0x0000000006370000-memory.dmp

Filesize
64KB

Download
memory/4688-57-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-60-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-61-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-62-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-64-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-65-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-67-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-66-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-70-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-69-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-68-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-73-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-76-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-77-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-79-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-78-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-75-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-81-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-82-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-83-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-84-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-85-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-87-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-88-0x0000000006360000-0x0000000006370000-memory.dmp

Filesize
64KB

Download
memory/4688-86-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-89-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-91-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-90-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-92-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-94-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-93-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-99-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-98-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-97-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-96-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-95-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-100-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-101-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-102-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-105-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-104-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-103-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-106-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-107-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-108-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-109-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-112-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-113-0x0000000006360000-0x0000000006370000-memory.dmp

Filesize
64KB

Download
memory/4688-111-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-110-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-114-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/4688-116-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4688-115-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download