Overview

overview

6

Static

static

1

savior by ...er.mp3

windows7-x64

1

savior by ...er.mp3

windows10-2004-x64

6

Analysis

  • max time kernel
    140s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    savior by Novulent Official Visualizer.mp3

  • Size

    3.6MB

  • MD5

    4a8f0d645687ea332bf50cf6ff5b227d

  • SHA1

    960172b73b3422b16f44ed6fe555312f316188c6

  • SHA256

    5d7b9acfc29f1eebdc0a3096c49d3a4e17a3842e0970f8e9e2e9f9ab81f12f96

  • SHA512

    9a072ee68c56b305ee283f04d0b3415aa103e5c652d68b4521f908692b1fd65ad2f76f1b12d09f62782711c141dcd6a5f33f775e00574de8c8382f1eef3413a4

  • SSDEEP

    98304:OqoPPfUTaPdgPA4ELz7bvkFii72Iz+lVaoPWP+4i:/oP3IaPePAzLz7gF6ePU

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\savior by Novulent Official Visualizer.mp3"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:1360
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4e0 0x40c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    256KB

    MD5

    29bd18035ac3468ed8ee41ba90d66f22

    SHA1

    36e76825c5aff3f599ec16a85b14ee487595a69d

    SHA256

    eca587e1d30a5a9c65a7f3d69272ebc2890a0ec954d1ee4ad7d5ac45bd95ddc8

    SHA512

    b1b8a231de045c227d430c9edd5996b882153fd848fc319ba2dfbfc7aa309bce8a3551889f735f6de6d6fdfc09a1ffad4dcb4fd7ff2d4017eeb2c97f7a83f7d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    881052206a978cfbe16d432c7fc69c4f

    SHA1

    1ab9cace1fdecbb8491fc3df01305dae1084b030

    SHA256

    307dfe07b4f87a3d397b7debab6a73f96ec24914abd6391bb5472035229007ac

    SHA512

    8852969050fe24bce005d859f8a2304597705624d169af1041f8f4160bb7f19cd156faaccc8334edd6c4cf5cc7ef6dbf26f73a9d5c3a91e04d23d74d25535ad9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    528beeff3e065d4e3a4e0dfe9e65e2ce

    SHA1

    2e49b2bc832a535e58b856ee301e1d2c9cff087a

    SHA256

    4ffd84133fd3d969f27a716c0dab53f0bdffd6a47fc2b1d37ae65bac6be01a1c

    SHA512

    8185272207f1ac742e17050056d3f1f0ccbaa556c8ac856880c57612a163694b50b4076c500aa6de8b16ca6d1be8c559a6755e99a551f13c7b814e640487f90b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    f8bac83707f5fe04ecb57734b945345c

    SHA1

    e99020294755e3a613d8b15cdff2996e7843d288

    SHA256

    26ffdfcc1f4313e3ada54f17387c4ccd599c4b0302fd425738f50ce0d2ea18e0

    SHA512

    84b6d82c6b8648e030606a2cd901542e07a77d89ca917127da5e934f4f78ab689a6b5c1fcfed725651366590412c116e89a32aa9561cd72cc043ef33eda9d6ce

    Download Submit

  • memory/5100-33-0x00000000052A0000-0x00000000052B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-32-0x00000000052A0000-0x00000000052B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-36-0x00000000052A0000-0x00000000052B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-35-0x00000000052A0000-0x00000000052B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-31-0x00000000052A0000-0x00000000052B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-34-0x00000000052A0000-0x00000000052B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-51-0x0000000005340000-0x0000000005350000-memory.dmp

    Filesize

    64KB

    Download