9075e4df4808d4d544552dc5f71e540ee1d60a8b90255f005668ceca964481fc

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

945809687-1-16.mp4
Size

4.2MB
MD5

82c0e805ca67ff90d24a6f3d9f8af149
SHA1

11270cd32566f5ed30fe775edc0577d83d682896
SHA256

d6eef9e1278cc3893b7a1729d35c7f5b8df95a8b6d322db37e939c17ed11e40e
SHA512

1d8606de97236dbfff579c22395cc1791cc0ce9b85b81f794b4695c0c2a8c11a95ca73032976f0a204de5bb7837f89fedaf5158f22bf14d19a3a435d28cbf6a9
SSDEEP

98304:+5FFW1ufVD6JmXJCaVxGYR74haUTcSaYpcaqM9W9:+5iUVDrXU4oYtMRcSuQ9K

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{5A69D2C7-0DA6-4F3A-8FE7-01668ABA112E}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3836	wmplayer.exe
Token: SeCreatePagefilePrivilege	3836	wmplayer.exe
Token: SeShutdownPrivilege	264	unregmp2.exe
Token: SeCreatePagefilePrivilege	264	unregmp2.exe
Token: 33	1860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1860	AUDIODG.EXE
Token: SeShutdownPrivilege	3836	wmplayer.exe
Token: SeCreatePagefilePrivilege	3836	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3836	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 1840	3836	wmplayer.exe	85
PID 3836 wrote to memory of 1840	3836	wmplayer.exe	85
PID 3836 wrote to memory of 1840	3836	wmplayer.exe	85
PID 1840 wrote to memory of 264	1840	unregmp2.exe	86
PID 1840 wrote to memory of 264	1840	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\945809687-1-16.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x3cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
ed6403a9e04010f1dec738de07aa712e

SHA1
1c106b90e799899f7b7d87430272720f05a47b2f

SHA256
65ac91d9fa770fe2025fa0866dcdbad3a33087f3aa7974150ad0d6d0c2b87432

SHA512
1ac9e6c73f062b10b5af5abf4131827ef347ecaf2295168d2f0ff92a03513a97634a2dcc0dbad40cd4427446fc76673749bbea4988eade919608d174117654b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
4a27a6230498e812df7b0bcc03c38b53

SHA1
9253124243040edc11f7b243b545de12436a078e

SHA256
b773cb103faf71043e456f12e7558f77ceaeac4f9c43049ea31f6fbc40989d36

SHA512
83123460c51ae2a5739d9223aca5745a643fd9ffd354653eb7c6b8e80d92f28c724bdec856ff994d1a7e7f2a2f987f5a8e177f0564d89bfe05ce7f5158adcecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
5416e83bfe57b631b8f0cf75aa40b80c

SHA1
8014cbc668e4e6a7b3eeb69c7cd3c57c4f5fd373

SHA256
256503cdffb54146144e8620797c418b9ceea3b73a5a1b0cab091d0817d886d5

SHA512
3b5c586881423e80a823bcff3581177acbf91ebdbd2092407c3cf42ef03b130ed09f2d1a219d270c0b2cca9b8301435cdc2fb3de4ee48e2413a3a32841bd58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
dfc000182623b6cc8c121b8897174093

SHA1
62c552860f614b9e0ccd7feb1a38b36591984f17

SHA256
a713aac66a710bd790de9cb548782e8096c08a989baa1c00fb6acee86d57fbe5

SHA512
400ce8734db3c745531f01ede1ccb4aaf64feb92a0117a006899c823ed9705cbf676d6ed0e00c0d706272a1c55432e6417880e535bc36cf66680927e7afe1217

Download Submit
memory/3836-29-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/3836-30-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/3836-32-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/3836-31-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/3836-35-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3836-36-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-37-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-39-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/3836-38-0x0000000004480000-0x0000000004490000-memory.dmp

Filesize
64KB

Download
memory/3836-40-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-46-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3836-50-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-52-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-53-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-54-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-55-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-56-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-58-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-57-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-59-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-62-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-61-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-66-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-67-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-68-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-71-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-70-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-69-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-73-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-74-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-75-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-76-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-78-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-79-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-81-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3836-80-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-82-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-83-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-84-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-85-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-87-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-89-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-90-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-92-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-91-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-88-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-86-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-93-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-95-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-96-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-98-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-97-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-94-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-99-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-100-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-101-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-102-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-103-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-105-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-104-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download
memory/3836-106-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3836-107-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-108-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3836-109-0x0000000006F10000-0x0000000006F20000-memory.dmp

Filesize
64KB

Download