cb6cdc3833d70bfaa5704b87ecc7fd3a0ba2f549f3c2c849373f2b41b7df1fb0

Analysis

max time kernel
584s
max time network
386s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/08/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recording 2024-08-20 170046.mp4
Size

13.5MB
MD5

47ce5002078e79b9045599b6fb7e517c
SHA1

e7f2a4f83e7bcc06a5f909ea57bdd1e73635fcda
SHA256

cb6cdc3833d70bfaa5704b87ecc7fd3a0ba2f549f3c2c849373f2b41b7df1fb0
SHA512

6aeaac2c23878c5cdb1b4f78422aa9ce8c931ad676dd7c5e5b41807a6b9135acfa73be6cc944e7db2f685f19f743ebedeab1ba1ad7ffc343f8d01c7d05dd45d3
SSDEEP

393216:Bn+qWa6OYSxKFK/T1TC1oZNKGFW3mj9MKmqll28:V+qr6ix/T1OmzK5KmqZ

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	1284	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-6179872-1886041298-1573312864-1000\{00442D80-DDDD-4198-82EE-660E9B9F2C0B}	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3460	OpenWith.exe
1968	mmc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1284	wmplayer.exe
Token: SeCreatePagefilePrivilege	1284	wmplayer.exe
Token: SeShutdownPrivilege	3104	unregmp2.exe
Token: SeCreatePagefilePrivilege	3104	unregmp2.exe
Token: 33	4748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4748	AUDIODG.EXE
Token: SeShutdownPrivilege	1284	wmplayer.exe
Token: SeCreatePagefilePrivilege	1284	wmplayer.exe
Token: 33	1968	mmc.exe
Token: SeIncBasePriorityPrivilege	1968	mmc.exe
Token: 33	1968	mmc.exe
Token: SeIncBasePriorityPrivilege	1968	mmc.exe
Token: SeSecurityPrivilege	1968	mmc.exe
Token: 33	1968	mmc.exe
Token: SeIncBasePriorityPrivilege	1968	mmc.exe
Token: 33	1968	mmc.exe
Token: SeIncBasePriorityPrivilege	1968	mmc.exe
Token: 33	1968	mmc.exe
Token: SeIncBasePriorityPrivilege	1968	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1284	wmplayer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1960	SystemSettingsAdminFlows.exe
3092	SystemSettingsAdminFlows.exe
3460	OpenWith.exe
5076	MiniSearchHost.exe
1968	mmc.exe
1968	mmc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3536	1284	wmplayer.exe	81
PID 1284 wrote to memory of 3536	1284	wmplayer.exe	81
PID 1284 wrote to memory of 3536	1284	wmplayer.exe	81
PID 3536 wrote to memory of 3104	3536	unregmp2.exe	83
PID 3536 wrote to memory of 3104	3536	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Recording 2024-08-20 170046.mp4"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1192
  2⤵
  - Program crash
  PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1284 -ip 1284
1⤵
PID:2348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3404

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1696

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1116

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOffRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
19d78b1eae63fd95e33c36ae0cad7aa8

SHA1
52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b

SHA256
50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80

SHA512
34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
f98577e4a8dd0ff93ba5d3f19d1e7f32

SHA1
3eeaa88339c98907fa2c8e8f5ebd6b1b1d550b2d

SHA256
c3eab40468a93d1a1fa7c3141bac0bf139d1d50cad21a779864c18cef6202c23

SHA512
c90eadf11e53f7d8338238aae2e0bb40e3230c2df8aa5a155e9b5bbb1a3a8486a30aa5147a8e17643417c56b01d640610903ad12869ae4678c40f2199288bc50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-8-21.040.1116.1.odl

Filesize
706B

MD5
66afe038ab68cda2a0caaa91b8d2741c

SHA1
f954578598a5915ef290d87a955845caaff71f86

SHA256
862ef023a70bd74e5f64676e5a5f88e212a20412ad9e8e1cc260337406610a02

SHA512
1da270d3146a5d02f95d3a66bb499cefd26a7cddc491016622c2ddf31157b6177f16b0ab862d28da00cbe7245608272a3ffd5a4c21a665d0bad0444d631fc343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
eed1599235b9dd933e13cbd5751d7eec

SHA1
d461f7edc8bdb31b672f97b18d34e38bb7c96c4b

SHA256
13ee96f0fd8b45de1603cea7aa86ddaa749ea580989d6cb806d944f3547fbf43

SHA512
9679690676ef1ede8030e26359381a092eaec7cb671d51e91d8cd446006301bcb98518b977fd5d475e777baa11dd28e69135c517e3b3d74475134bfed4e8da9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
714f2cc419fb7fd867627c47d9ad330b

SHA1
34b5522ef4670b2342f25f712362380e68599b0d

SHA256
2642a8051a29e277ccd8af829e4148f3b964b353f24ccbd39558951f0d8a72a7

SHA512
38d02df63f9368d6fcc04910aad8e574ae0846e527b0cf5abc90777a202415ce0fd117eeb45afca7c793394842fc65780483de832202fb5a060cd28be4ebf053

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
216052083aa2b837adda7743d05e53ee

SHA1
a2a95269ddffb8f9ed610d61fc074bbfdecbb7c9

SHA256
915aaacbe8ae5445d7ce77e2bdb52c996d1f137fb83d04c17a829486185b988e

SHA512
5440eb65d39f6675addf70c999afaadc698acf0d167aa587da7e74e1316a72cc0a0a9ab0b0d7a24374d248cc232ff1af4902056e09bdd7263ad1d8d87cb1f52c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
a77723519699f5ca1a879215eab171ac

SHA1
b6212d30ad16765e3f852d0c7c91951efa5d7d88

SHA256
e9c86f7a5c5a9d2d2b6342ece3ef7576f1546a2112036753d6f84c47182abbeb

SHA512
1238a64dbfca715fee73c78e3c399235368513694bdb700a7e5a091d06e09bab16f5abd2815da6d131cfe8856fe74500e2ed5648db6b1dd7813946ab65ece8c6

Download Submit
memory/1284-33-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/1284-39-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download
memory/1284-41-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/1284-40-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/1284-42-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download
memory/1284-38-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download
memory/1284-37-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

Filesize
64KB

Download
memory/1284-34-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/1284-55-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/1284-36-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/1284-35-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download