Analysis

  • max time kernel
    7s
  • max time network
    8s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2024, 23:16

General

  • Target
    wmplayer.exe
  • Size
    163KB
  • MD5
    ab48e42633b738e114db94cd99e919b7
  • SHA1
    a7f89ccdd5103c671f201a4349219bbae3051d90
  • SHA256
    407e3aae5e533719998055a1a949ab2ec6224ea42918a000596225e30c8d2bf8
  • SHA512
    3b007e65c25410761f0da25d688a0d1b6d7a38711cc28c626d96c416bc406e0ef5831e7d25830e6521dc39f01d1b1ebc20e6709c4a80e1d225228eb37079a3be
  • SSDEEP
    3072:E0oZohYkQr0jeLwJr95rJolNAzyP+msVK0Zq:JYQqLwhHrWsOP+5VT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wmplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\wmplayer.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    256KB
    MD5
    adbd8353954edbe5e0620c5bdcad4363
    SHA1
    aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6
    SHA256
    64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55
    SHA512
    87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2
  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    1024KB
    MD5
    39be8f3e42daa4fd475917d8836afa2f
    SHA1
    069c3edbcee219c300fd3a2ccf6310bde1c8a63e
    SHA256
    6da394e8f6803c1d867148bb4ac1498ce985e8d27255b9a809207bc0b639f354
    SHA512
    c2af66882440d415b8ecf3235d6066700f7f20822b7427f3147da17c78acca9b436c1fb55bf5a1a8a5190ddc34acd1199f7564a2113ed6a6ece4acd85ec272b5
  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize
    68KB
    MD5
    7f66df9ed3afe872fbd4fb5452b7dc4f
    SHA1
    1a8edf4a082696ea9f899bd225b6503e8d20c976
    SHA256
    aaa62bb5975bc9bc8b610ba90e40f6a52a05a88c223ecfc6ebb0c07f659a1ab4
    SHA512
    43fefe2df138f0fa12155bb367a555c64c83d699a6a88697aa7bc05adf3509752b87e26203e0329b628febff3dd4130cb66961cd555a7d6a60ae2df7b52b17e3
  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize
    9KB
    MD5
    7050d5ae8acfbe560fa11073fef8185d
    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize
    1KB
    MD5
    12a071fd6e96c99ce22f5d76520c5ead
    SHA1
    bfe838c53dc8c280d803cfe85686403f50516fd0
    SHA256
    0cb648b63c72130daadbf83e4ef7a26407b30adde1b3d78e3f1c58b820c6dac7
    SHA512
    0e2b9bc786fc99151e88e842f180c61423b03d289af577a4f4394674bfcc3df7c90387dd8c1a91bcbe4c34b753e9d6ad50c2b719599472037ca3aa0dad34254d