9075e4df4808d4d544552dc5f71e540ee1d60a8b90255f005668ceca964481fc

Analysis

max time kernel
271s
max time network
259s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

945809687-1-16.mp4
Size

4.2MB
MD5

82c0e805ca67ff90d24a6f3d9f8af149
SHA1

11270cd32566f5ed30fe775edc0577d83d682896
SHA256

d6eef9e1278cc3893b7a1729d35c7f5b8df95a8b6d322db37e939c17ed11e40e
SHA512

1d8606de97236dbfff579c22395cc1791cc0ce9b85b81f794b4695c0c2a8c11a95ca73032976f0a204de5bb7837f89fedaf5158f22bf14d19a3a435d28cbf6a9
SSDEEP

98304:+5FFW1ufVD6JmXJCaVxGYR74haUTcSaYpcaqM9W9:+5iUVDrXU4oYtMRcSuQ9K

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-661032028-162657920-1226909816-1000\{292AB79A-E639-4773-801F-8AB44ABD64E0}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1216	wmplayer.exe
Token: SeCreatePagefilePrivilege	1216	wmplayer.exe
Token: SeShutdownPrivilege	420	unregmp2.exe
Token: SeCreatePagefilePrivilege	420	unregmp2.exe
Token: 33	5108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5108	AUDIODG.EXE
Token: SeShutdownPrivilege	1216	wmplayer.exe
Token: SeCreatePagefilePrivilege	1216	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1216	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4728	1216	wmplayer.exe	82
PID 1216 wrote to memory of 4728	1216	wmplayer.exe	82
PID 1216 wrote to memory of 4728	1216	wmplayer.exe	82
PID 4728 wrote to memory of 420	4728	unregmp2.exe	83
PID 4728 wrote to memory of 420	4728	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\945809687-1-16.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x0000000000000490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
470e2894e5476066a3a5dfc6487bc629

SHA1
73aebfa51a6dca2a168d8ca7c3eed2e326f36d77

SHA256
f876216800b721ab4300bd56de23e2d068188fa2b2e57c93b5d1d62c7f2719a5

SHA512
953d31eece8aa5ac3f956872282224a487bd98145f7297b94a7702c1b83281e533f884bcbdb49cce4127cab6aa2d16c95fb0e1cf0f262080ed1b5421c1974c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
e51b5de343f124e16fed2b0aef3c1acc

SHA1
f8c66cec11f8f8df0a6b4facf7f5ea6019b8f409

SHA256
490caa5078754134e202072f97fa0b3d655b790b4d44d6b693df113af924d64e

SHA512
18e90e2ec69599c00e531d598b8620931f278115f5e9b3fb37da41dca1369fd528da28c28eba09a5b1db2f51bfd6e809226688b99c788b097e8e2a5f3eda8fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
10b79eaf4cb2f260b0943bb9791fdd75

SHA1
ddfb095ce41ecfb1fa4e415effbf18e4f989a751

SHA256
f9dbd729a291723529ff74881d02619e539a440f70b84f90fb48be8179a5fad2

SHA512
3ce6f80f927cd5bc3ce6bb78cfc8bf3c1bd2915af4ac0b9b6809395b109f50b14f99e0ea31a53f1ca25dfa7f84d094971aa835d70a6f3ebe331780af63a06301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
4b998799bf111b00820c3bf007f4466f

SHA1
ab65f60487408cb83ae5c2029daabb00438fcbee

SHA256
e38ad094cbbbe9e94d78fae6f25d842f9dd5eb200520164391675694c3dd537b

SHA512
c3033a2e2fc8995f0b3b96e15111100c173e9aa9f9ba081147d70ca576786f333037737058d0f51808fb49e3817ccdd1de8c5c3b7ee119803fbbda8e62296a2f

Download Submit
memory/1216-34-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1216-32-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1216-33-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1216-31-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1216-35-0x0000000009750000-0x0000000009760000-memory.dmp

Filesize
64KB

Download
memory/1216-36-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-38-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1216-39-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1216-37-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-40-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-46-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1216-50-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-52-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-53-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-54-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-56-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-55-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-58-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-57-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-61-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-60-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-59-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-64-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-67-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-66-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-68-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-70-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-69-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-72-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-74-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-73-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-75-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-80-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1216-79-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-78-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-77-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-81-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-83-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-82-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-84-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-86-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-88-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-90-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-91-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-89-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-87-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-85-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-92-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-93-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-94-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-96-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-97-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-95-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-98-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-99-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-100-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-101-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-102-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-103-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-104-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/1216-105-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1216-106-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-107-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/1216-108-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download