9c6e59d6ec45ec223845c356e2112e52817f03692bd18effeb41e07af89efe18

Analysis

max time kernel
62s
max time network
64s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20-08-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

videoplayback.mp4
Size

583KB
MD5

b58485e49d0c54747481ffedba834c3d
SHA1

37ff7216194273d60b83d649bbb8c2fc2963aeda
SHA256

9c6e59d6ec45ec223845c356e2112e52817f03692bd18effeb41e07af89efe18
SHA512

0f13d201eeab978deb419969615aab5f0637a370251240360c53d9e23d9cb00fece08bd39c7c172364fe288adeb507f713b9d5beb964507413b175ba3b356c87
SSDEEP

12288:RDf6wNPcfm8sbo6yLpmCtdayaAfbuy2xMX/GWUJKhHGD9jehjg:RDfxceZo6yLkDya+uhxMvGWU01GD9ahk

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1604	1136	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272559161-3282441186-401869126-1000\{2B96BCD6-9F4C-45B5-818B-37AD47F05C54}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1324	unregmp2.exe
Token: SeCreatePagefilePrivilege	1324	unregmp2.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe
Token: SeShutdownPrivilege	1136	wmplayer.exe
Token: SeCreatePagefilePrivilege	1136	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1136	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 952	1136	wmplayer.exe	81
PID 1136 wrote to memory of 952	1136	wmplayer.exe	81
PID 1136 wrote to memory of 952	1136	wmplayer.exe	81
PID 952 wrote to memory of 1324	952	unregmp2.exe	82
PID 952 wrote to memory of 1324	952	unregmp2.exe	82

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\videoplayback.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 2260
  2⤵
  - Program crash
  PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1136 -ip 1136
1⤵
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
9b39c8547503a0fdecd29c6ee70cef52

SHA1
e7449059220cd65a69f5002bb6ef24aca23e9d8b

SHA256
4ee3ec0ebaa01d5d91d526b47b550218816424b6c854e4efcd9284a769ef271a

SHA512
c280f5c0fbf1bc423e1c5885f5a04d38393148487016f34c1ad8a051131ed763892ec6e3ef530e6bf037f9253a2833ea3910f6df3f4bc0d6b1d35c8fe4b117ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
636e65fd95d318a79bbe26ba93ad83dc

SHA1
4ab723dc5a3b5cb8fc064443c867a025d4d9e934

SHA256
3647060b79fba49830e19920aeaa53e498411784aa939b3ddfa86fda6d8dbe8a

SHA512
78515a9e284897df0e87fde48ebbe3ffca9f346f23468b2d75f2ace5a5053a79ea93a262d544b710f0738c5c559d752778ce29d5fdd75b4224c7ec7876ec6b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
f319d94f3750aaac7eddaf8b0d8e6663

SHA1
55fcc6a1907832201d5c1b591ff91206ad6aba6d

SHA256
a6a58ea51f35a9fc49a664e1473a51bf407fdf1a42bdee384ba391dfd68adaa7

SHA512
03d2788cc37be1f123d75ae431777c1a3644f363c5f14e95f0696d9f971442fe518881b3cfec000cdba3362636fdd37783b67627468697ce9fba754118f8ed93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7aae29174086c9c27684bedfec1fc4f2

SHA1
78a85416fb9370155de531b53a700d61fc757ea9

SHA256
e6b2b2ad5d602451bdb1d726e8735641f044ad3bee63f24ccbc3cceee7e98d8c

SHA512
63714a06a0f1d950e4de45594ac908e997ada734a7f6359eae8442964a413adfa5e2b96793694d9636542dd7ce9fbe0c223e1446e5d5bcc172d8317ac880d70b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
ae8e0fba544cd40fed5949a42835019f

SHA1
339bd5cda6e6853598e405e0749628e739d8cc95

SHA256
4a2944056d32038d3de89477a8d2f96418ac1de031dc81c0f27785729520010a

SHA512
683eba07e7e6139bb807cb10f60e7e92c5efbe42c522f092cdca3dffefffde9895d6f9d9ae81935c1f0e78a5d10fece137d390b7b9f3fd6d40bffbbf82c2e233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
8e18a20ad4ffb430c309330b213394f0

SHA1
a0238498c4d8569f4edc4eff68d7ebe355481e1b

SHA256
6ce0939df154916de6cf56003180c400eddd596cf62057e29fc130c4c1acde33

SHA512
8bc5473c83fd288331b23e810f7df221a8113c647c32621b4ec96d1095ebb87cf8e8656a293e4d152a50d4f6c6c9b963c0b886d11b2f3ecc56993fd96ccd32a1

Download Submit
memory/1136-34-0x0000000008A10000-0x0000000008A20000-memory.dmp

Filesize
64KB

Download
memory/1136-37-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/1136-36-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/1136-38-0x0000000008A10000-0x0000000008A20000-memory.dmp

Filesize
64KB

Download
memory/1136-35-0x0000000008A10000-0x0000000008A20000-memory.dmp

Filesize
64KB

Download
memory/1136-32-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/1136-33-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/1136-30-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/1136-31-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download