Overview

overview

6

Static

static

1

nuclear_bombs.mp4

windows7-x64

1

nuclear_bombs.mp4

windows10-2004-x64

6

Resubmissions

15-08-2024 00:02

240815-abnjasybqj 6

13-08-2024 16:36

240813-t4lpysvapd 10

Analysis

  • max time kernel
    78s
  • max time network
    86s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nuclear_bombs.mp4

  • Size

    188KB

  • MD5

    89a4d69ff3c526730c4fd6c3c8b16cc2

  • SHA1

    c5a41e374ce559c402e07eb63f94de7091ef3af3

  • SHA256

    eab0cf5d172d9ef0cd49d7c7944be946d95235c634a48b12a4c450eb7f68d657

  • SHA512

    c6288a36be86f7593a146f4b385a6389c48bc58b1fafdd32a32a7c710d3360204cb3b902166fad683aa012a409e547394b77aad24290d4a62b07012a50aa4124

  • SSDEEP

    3072:WURDsJZX3lZAbWgdAALG96g5ehTtcq6Sm7bsxuTw53Fna6+:IJZlZAbRGALG96g5eHcq6SQk53Fp+

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\nuclear_bombs.mp4"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:668
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b8 0x2cc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    256KB

    MD5

    563088ad0f20fabf9dd62c6ba8ae1636

    SHA1

    f9cd2fd153afa1a12ff990cf27c32b8c9c44e878

    SHA256

    eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184

    SHA512

    8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    4b016541059127df004c027ce41d8b21

    SHA1

    cb34ddcf797140dae4ac63c68a0e964cf9ff48fa

    SHA256

    2858fbecfc0a46a5e5d429523d3a8e92efa601316aaba9387fd1f1d7f59e8cfe

    SHA512

    53da98b15c9c53b6781d8d9a7caa26222f4827845e40e91eb2ee48b0d9bcc4236cdec391b122dc60d486f1efbbe3845ddda3b87d20f6aa70471220bffaf4db07

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    b96a81aa27124f6979f7c7b02b34f257

    SHA1

    a4de41b41af2cec64784f210979e51c68010a742

    SHA256

    b3d935d55e9e16fcea2c0d15f976f36f2253d81ac8fa7853972744af4f5859b8

    SHA512

    6d326c29ff8f1258f503363409ea92a8d2f62f2e842a34fcbb1ae0e031843be966abaf9bc679062f2e2a29a88c1de54d13be939f5e5e105308f546d6168b5d3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    5433eab10c6b5c6d55b7cbd302426a39

    SHA1

    c5b1604b3350dab290d081eecd5389a895c58de5

    SHA256

    23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

    SHA512

    207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    d631aeaa9fa39ac4dc081d717a4c2952

    SHA1

    ca151b7882b1206f3bd4fff7ab817303f728d77a

    SHA256

    f902ec4ad8c3803a9fa34a409b209c97f5cedc027e66ae9a69ba55026e4d27ef

    SHA512

    9aa776be324cd324ce62b4a938c4031dc7f9009ef8f456c5d216f94771be52ad63f713d7160ef0b21c87eae543d88d976b612148db4c56522f6a712eee8441a8

    Download Submit

  • memory/1264-33-0x0000000007950000-0x0000000007960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-32-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-31-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-34-0x0000000007930000-0x0000000007940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-35-0x0000000007930000-0x0000000007940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-37-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-36-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-38-0x0000000007930000-0x0000000007940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-30-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-29-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1264-53-0x00000000051D0000-0x00000000051E0000-memory.dmp

    Filesize

    64KB

    Download