6988454cc85eb2cc5c449d6c80d9ee00756fd499b6b6aa52b95b75ab12cfec06

Analysis

max time kernel
122s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

robloxapp-20240723-2013413 (1).mp4
Size

4.0MB
MD5

74efca33557647c70ef6541d0026ca31
SHA1

eb572f56717691c539da2b528867edd739809ec1
SHA256

db805be2b058db79f7c47c6f0e50c14ed9e1faa63b9c274846d55a11c67137f8
SHA512

5ac9b31acf1a7afe6689e903907d3f203aecef181eb592aa8293b34c52bb174c9edc9f9930e988161dbaf5aa8f522c870ac2f0a99ebd19f2a30161824cf3989c
SSDEEP

49152:kCXKuvdLfw2XeXwAW2iqNv6cN0SVgaTTducys52Rf50qx/RKGjwYcqpPHely1BRo:N/1LI2NRwv6KVgaVIh31QGVtrbd7K

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{E391C331-60DE-4701-B649-6AE6AFEC7EA9}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2304	unregmp2.exe
Token: SeCreatePagefilePrivilege	2304	unregmp2.exe
Token: SeShutdownPrivilege	4820	wmplayer.exe
Token: SeCreatePagefilePrivilege	4820	wmplayer.exe
Token: 33	1060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1060	AUDIODG.EXE
Token: SeShutdownPrivilege	4820	wmplayer.exe
Token: SeCreatePagefilePrivilege	4820	wmplayer.exe
Token: SeShutdownPrivilege	4820	wmplayer.exe
Token: SeCreatePagefilePrivilege	4820	wmplayer.exe
Token: SeShutdownPrivilege	4820	wmplayer.exe
Token: SeCreatePagefilePrivilege	4820	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4820	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2928	4820	wmplayer.exe	85
PID 4820 wrote to memory of 2928	4820	wmplayer.exe	85
PID 4820 wrote to memory of 2928	4820	wmplayer.exe	85
PID 2928 wrote to memory of 2304	2928	unregmp2.exe	86
PID 2928 wrote to memory of 2304	2928	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\robloxapp-20240723-2013413 (1).mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:5040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
51017a02b8d1c3a4c968c356f81f01cb

SHA1
974802a8b2bdf31192aefb2f14ec1a466d0ec96f

SHA256
aff99e1aaae2db83050f4199b0a0fbfa2a9cae1f385b1c9542b4ffbf7ebd2914

SHA512
eb186169a7a746f65ecb65a22eda820ec3df38a900a7e10a53854df0dff5e26cd51d65c6ddce3a1a936f92f92f5d29c14c755c2d6bf756b35ecd952bcf57349c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
0fa90188e9504a4d54c296f4e10870f2

SHA1
249f61e2a8e85e9b2eb786438dc969740a1d6dd4

SHA256
ae72487a95e3e4a551e87c25e00e727c8128496035aefab3ea50b7752cd961a1

SHA512
41a13bcaa210213383be85602d19f7f873f30423e41b1f59058038506f8e3b7bb195a83412bed4691743116be412138a192b2777bcc695e46231685daad9ad20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
8ce9da2a15b61d518c30be3ae65557bc

SHA1
e08045674128a7026c6dae1ba292aa80db0890b4

SHA256
fc07be0fab973b4c27a94002e9cf4dbca8163474b16cefe4ac77c41a994380b1

SHA512
c6345d365777ac7e8473f8351846817be41eefc30b799372a21924583761f288ee99ce99e23882c1ef87fe09525102a5d83e75eb615a18b441d17ecdf80aa694

Download Submit
memory/4820-30-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4820-33-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4820-32-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4820-31-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4820-34-0x0000000007DC0000-0x0000000007DD0000-memory.dmp

Filesize
64KB

Download
memory/4820-35-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-38-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4820-37-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4820-36-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-39-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-44-0x000000000A590000-0x000000000A5A0000-memory.dmp

Filesize
64KB

Download
memory/4820-45-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-48-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-47-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-46-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-51-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-53-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-52-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-54-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-56-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-55-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-50-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-62-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-66-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-65-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-64-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-67-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-69-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-72-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-73-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-74-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-75-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-76-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-78-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-77-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-79-0x000000000A590000-0x000000000A5A0000-memory.dmp

Filesize
64KB

Download
memory/4820-80-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-90-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-89-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-88-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-87-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-86-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-85-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-84-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-83-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-81-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-82-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-91-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-92-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-93-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-96-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-95-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-94-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-97-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-98-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-99-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-100-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-101-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-103-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-102-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-104-0x000000000A590000-0x000000000A5A0000-memory.dmp

Filesize
64KB

Download
memory/4820-105-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/4820-107-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

Filesize
64KB

Download
memory/4820-106-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download