f19b6cbbcede45c9fb87e0c7fd5f79e36206275f5ee7c739d300d2b9743c2ac4

Analysis

max time kernel
45s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SaveInsta.App - 3366175132269292912.mp4
Size

4.1MB
MD5

9653becbf35ffd2084496167c673f80d
SHA1

17fbffd6b2d0558701bba539660316fe88b5fe7e
SHA256

f19b6cbbcede45c9fb87e0c7fd5f79e36206275f5ee7c739d300d2b9743c2ac4
SHA512

d45107ecae6800470d7508be9ef592e0cb3115bd1967d8235787f4d592e86c6f4476164b2d61e4cfbd3e87f0a7662f9039d1b4a04f6d5a5ff164b72edb5c9fbc
SSDEEP

98304:YHVfIdvAmyLLixk8U6gmWZbT/nXXProR8DMEBEGFCq90MQZ:SVrmTL3IfkRgM8FCV5

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{A7664639-0AD5-4DFE-9566-5AB543D09536}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3636	unregmp2.exe
Token: SeCreatePagefilePrivilege	3636	unregmp2.exe
Token: SeShutdownPrivilege	1444	wmplayer.exe
Token: SeCreatePagefilePrivilege	1444	wmplayer.exe
Token: 33	4680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4680	AUDIODG.EXE
Token: SeShutdownPrivilege	1444	wmplayer.exe
Token: SeCreatePagefilePrivilege	1444	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1444	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 5064	1444	wmplayer.exe	91
PID 1444 wrote to memory of 5064	1444	wmplayer.exe	91
PID 1444 wrote to memory of 5064	1444	wmplayer.exe	91
PID 5064 wrote to memory of 3636	5064	unregmp2.exe	92
PID 5064 wrote to memory of 3636	5064	unregmp2.exe	92

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\SaveInsta.App - 3366175132269292912.mp4"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x38c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
faa3cda2026128e9f5633eac82498c72

SHA1
513cc11de4f84464bef1243d5046b9c70353fd17

SHA256
a725587fd19d778820a397e308c03a71d2b6b8a555e36c113e4b86156a0ddcc1

SHA512
cf56a4d9dc1c73ee261f724ed73c35357804b384141794160b403ebffdf1159dd94805de58d010e3f547e4e704def96d4ce6355c542ff1885b63ec544c3632c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
2488a0c4a3813bdb2bdf825e095f5bda

SHA1
70453c40d97d29fc06764c152823e6157c71e7dc

SHA256
f77b5603732d574dcb2d87f197e9dc27136caaa83c2c37098c4fdf03d900991f

SHA512
68c8d538320b3ab2a53ec11a26cbd2bed2ec8cd820b72e068d81aeeb597bfd52faf2e2dae56b5517fe4eb4fdc16008263966386832ceae48c38b12587a5a9ae1

Download Submit
memory/1444-31-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1444-32-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1444-30-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1444-33-0x0000000007800000-0x0000000007810000-memory.dmp

Filesize
64KB

Download
memory/1444-34-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/1444-37-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1444-36-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1444-35-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/1444-38-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/1444-29-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download