614a723a76e12843d611815ffa1d5978ede6fec46362599ec5d5be8dae625d77

Analysis

max time kernel
127s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0806(4).mp3
Size

59KB
MD5

96ada4fdc1cc1fcb1d234f7b96a74adc
SHA1

0a8d1806c8de52afbd7607c68d2c575f52a7fef5
SHA256

614a723a76e12843d611815ffa1d5978ede6fec46362599ec5d5be8dae625d77
SHA512

5dea7b2fbf0a7e8a04cd4f56806e7766aeb5d2d5a03edbfcfcf66ca36d3d580a285e15f4886ca7ce88ddde8ab2adf2168d101a95bfc884c50beafc250c7a7550
SSDEEP

768:dEHysnynMjJh601ZQOSkG2E8juVtqKoI/5cMEjIwJRrqmLRAJc+u1PdcPB6qTLIJ:uS3MW0IzPCKcJfNVqc+u1Pdcz2n

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{38C0E1D1-0AAB-49B1-B978-33B141FDE0AF}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2024	unregmp2.exe
Token: SeCreatePagefilePrivilege	2024	unregmp2.exe
Token: SeShutdownPrivilege	1332	wmplayer.exe
Token: SeCreatePagefilePrivilege	1332	wmplayer.exe
Token: 33	4244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4244	AUDIODG.EXE
Token: SeShutdownPrivilege	1332	wmplayer.exe
Token: SeCreatePagefilePrivilege	1332	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1332	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 4652	1332	wmplayer.exe	85
PID 1332 wrote to memory of 4652	1332	wmplayer.exe	85
PID 1332 wrote to memory of 4652	1332	wmplayer.exe	85
PID 4652 wrote to memory of 2024	4652	unregmp2.exe	86
PID 4652 wrote to memory of 2024	4652	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\0806(4).mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
95e195ba88a77484a73c9cb38ebed71a

SHA1
ece37a6e6b6e7bd52e8426bb7217b648ddb3d6b4

SHA256
7833e9bae2ee5845d2245fb1c97e4a5af36c08e28351d52589fd514d74b368f0

SHA512
96b418205b70f4f8d1d20af984e4a947d7f757fa67d3a841eddd90a9c1864b530aa6f15583cc03825e18bf065ffb0419d56fc10a562079c2a874014742adf7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
ce223341867fa4602edbeaa9bbd76d25

SHA1
76e9497916e4a09b6194b202ed9c0c6f7797eb2b

SHA256
d8da4c63d8a00e8af7528d0e3757e5728304e42a2a0dd23d7176c774f630ae99

SHA512
784d3813c3c240a23b267544b25facb446b3997b75694f974b14d6f9975fa23737b2e02ca9461473185e9d717f0dbce47ab57ba4d9c2f1be56c3d29885f5dda4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7a31216ccf05e20935c6548a7ba4e0ab

SHA1
caf40d7de3345e35eb1011f9af9a907a7a0b5952

SHA256
4de536b1dc75c3cf4df93d67db1d2ab62590a4a5c570ffa39771a85bc4378dfa

SHA512
49f2cbff6436e094375613f19b2361bc69dd27876d5cb96d40742e5ad484b622942f334b489f0ac89957d582defc2d3ded023e31ea82a7b19cc9f9da5fcd53ef

Download Submit
memory/1332-30-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1332-31-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1332-28-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1332-29-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1332-33-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1332-32-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1332-40-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1332-41-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-43-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-45-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-46-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-50-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-51-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-52-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-53-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-56-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-55-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-54-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-60-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-61-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-62-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-65-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-64-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-63-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-66-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-67-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-68-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-69-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-70-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-71-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-72-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-73-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1332-74-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-75-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-76-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-77-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-78-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-79-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-81-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-80-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-84-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-83-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-82-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-85-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-86-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-88-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-90-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-89-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-87-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-91-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-92-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-93-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-94-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-95-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-97-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-96-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-98-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1332-99-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-101-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-100-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/1332-102-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-104-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-103-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/1332-105-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download