0ebd6262c1467b03392c988e3af08c67821661040997d442299fc37fd633dbc5

Resubmissions

12/09/2024, 20:50

240912-zmmtkstfkj 3

12/09/2024, 20:47

240912-zlcxzsthne 6

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

angrybirdsmaker0.4.2.1-dist/angrybirdsmaker0.4.2.1-dist/ABM_0.4.2.1_ASDK_.compiled/data_sdk/audio/cypigs/cypig_collision_02.wav
Size

48KB
MD5

67350ca2f425abbdecd93bf437578aab
SHA1

813e929594558570540db129ff6a57ba8e62cad4
SHA256

bb7e1ed102791183f63ffdfb81d15c8d262d6d4cd7e92a9655a01088dfa506ff
SHA512

3963ed053549449621b2279bc745a802682365c2c160860560bb2427cd02e50c983b10cb7750e1adf0fc45f7b5519527222ef5f37ef4e06ecc723685df0f9554
SSDEEP

1536:YjnSa/55LQsU9qpthJPizFUmqqQXK7IAuu0YRg3:YjZHmgdJPiz37IAuuL63

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{22F4C47A-156C-40FD-982D-49A8F00267A8}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	wmplayer.exe
Token: SeCreatePagefilePrivilege	1948	wmplayer.exe
Token: SeShutdownPrivilege	2708	unregmp2.exe
Token: SeCreatePagefilePrivilege	2708	unregmp2.exe
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: SeShutdownPrivilege	1948	wmplayer.exe
Token: SeCreatePagefilePrivilege	1948	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4352	1948	wmplayer.exe	84
PID 1948 wrote to memory of 4352	1948	wmplayer.exe	84
PID 1948 wrote to memory of 4352	1948	wmplayer.exe	84
PID 4352 wrote to memory of 2708	4352	unregmp2.exe	85
PID 4352 wrote to memory of 2708	4352	unregmp2.exe	85

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\angrybirdsmaker0.4.2.1-dist\angrybirdsmaker0.4.2.1-dist\ABM_0.4.2.1_ASDK_.compiled\data_sdk\audio\cypigs\cypig_collision_02.wav"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
62c5d3bd9b975ee54391caa9b992f9dc

SHA1
0b244c5357a5b79fa8d2ce322c5585492299b708

SHA256
14f0e432cbbbc350e90ec9c5879a85cb693e1948c6192403f6ef9dd20b21e4ac

SHA512
015cf430b4942bc15b9ca21a1e4b75426fd6d638330aecd9b14ddc64ad2de4064fa2f83dbc23d798f723986776345e7fe53b7dcc23aaf6643cfc8d7783f490a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
1bd23b09abc0b75cf738d1e41711164c

SHA1
9ed606df0127d5a0a26d8e4ead3d93b0eb34a4ad

SHA256
99aef9e82faa8bcb51231aea8015ec3e74df31b6699674610022cc5f9691d625

SHA512
6211e0a45fe8229cee66edcc4219f6349adca24db4ee1f15a0cb2d2ad70fb76dbc3dc9979953b9b2715739f6de8115e028ca38bc90983ca4d06140c9b30df038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
d96feae57329627e7ed32bdd6ecceffb

SHA1
9a757e2189569d892a7a5bf3f273523db8421cb1

SHA256
6b4aec6d76bd142cfba722de84e5dbc79133f39ee931f857f60bc623f06e6e0e

SHA512
c01b73dd957be12b1771cebd688cb6d0a646bc8196a2144c6f4bdeaae53d0bb14a2d76d8b6e21318b8b4d35ce1528c1f1d6647e262eb0fdeb2709c4cbfaef87d

Download Submit
memory/1948-27-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1948-30-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1948-29-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1948-28-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1948-31-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1948-32-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1948-47-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/1948-48-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-49-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-50-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-51-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-52-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-53-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-55-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-54-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-58-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-57-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-56-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-59-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-60-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-62-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-64-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-63-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-61-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-65-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-66-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-67-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-68-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-69-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-70-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-71-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-72-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/1948-73-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-75-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-74-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-76-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-77-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-78-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-81-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-83-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-82-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-80-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-79-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-84-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-85-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-86-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-88-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-87-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-89-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-90-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-91-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-92-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-93-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-94-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-95-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-96-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-97-0x0000000007D80000-0x0000000007D90000-memory.dmp

Filesize
64KB

Download
memory/1948-98-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-99-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download
memory/1948-100-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-101-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-102-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-103-0x0000000008750000-0x0000000008760000-memory.dmp

Filesize
64KB

Download
memory/1948-104-0x0000000008740000-0x0000000008750000-memory.dmp

Filesize
64KB

Download