0ebd6262c1467b03392c988e3af08c67821661040997d442299fc37fd633dbc5

Resubmissions

12/09/2024, 20:50

240912-zmmtkstfkj 3

12/09/2024, 20:47

240912-zlcxzsthne 6

Analysis

max time kernel
128s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

angrybirdsmaker0.4.2.1-dist/angrybirdsmaker0.4.2.1-dist/ABM_0.4.2.1_ASDK_.compiled/data_sdk/audio/cypigs/cypig_collision_05.wav
Size

59KB
MD5

618c86fcfb62df5206c8074a5ef23a49
SHA1

f3a5923b11bda2420053f4ae21651e45a9bd6c2f
SHA256

c542a57ea1ebcad937566ea446e6f38e81cadcddb13536c2f7a30339bfc39e14
SHA512

998a330c799b1e5c16b5674288c6ff8924101522d7f7ffc4bd6b3b73b1814f1ed59cd4504f1c9bcf0a242436a85e38a6a815646ac54a15e7bc1c25166f5d48d9
SSDEEP

1536:N8tuap3aqTr1GzeEOxjaMxO1DAWpCnj/yH7W93IWB:StuO86EOZaMxgATjb4E

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{B9608ACC-9C2E-4FAB-BDEE-8E7EA136D824}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2268	wmplayer.exe
Token: SeCreatePagefilePrivilege	2268	wmplayer.exe
Token: SeShutdownPrivilege	1000	unregmp2.exe
Token: SeCreatePagefilePrivilege	1000	unregmp2.exe
Token: 33	64	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	64	AUDIODG.EXE
Token: SeShutdownPrivilege	2268	wmplayer.exe
Token: SeCreatePagefilePrivilege	2268	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3124	2268	wmplayer.exe	92
PID 2268 wrote to memory of 3124	2268	wmplayer.exe	92
PID 2268 wrote to memory of 3124	2268	wmplayer.exe	92
PID 3124 wrote to memory of 1000	3124	unregmp2.exe	93
PID 3124 wrote to memory of 1000	3124	unregmp2.exe	93

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\angrybirdsmaker0.4.2.1-dist\angrybirdsmaker0.4.2.1-dist\ABM_0.4.2.1_ASDK_.compiled\data_sdk\audio\cypigs\cypig_collision_05.wav"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
29bd18035ac3468ed8ee41ba90d66f22

SHA1
36e76825c5aff3f599ec16a85b14ee487595a69d

SHA256
eca587e1d30a5a9c65a7f3d69272ebc2890a0ec954d1ee4ad7d5ac45bd95ddc8

SHA512
b1b8a231de045c227d430c9edd5996b882153fd848fc319ba2dfbfc7aa309bce8a3551889f735f6de6d6fdfc09a1ffad4dcb4fd7ff2d4017eeb2c97f7a83f7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
0959027646c5e48e3028fe4c5cea19e1

SHA1
844b89f658e128e44eeb98e6b4201a718e748908

SHA256
2d65bbd49b8bd736c34378d8e6012fccb64082b88405541a4a4475d5f62bde8c

SHA512
3040c81d6b47f2ba5ddda2cec1422a5f5b5a865b9e18363b0bb3feea2bff92bf85805aaf6334d8aea7d31b21749346628f117539692733cfb8e3d52a181fc5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
1495d356215949b0251d0018af9daeb2

SHA1
c08927fd11efe4f0f3afca07838c9759251ec1c4

SHA256
24aaa1432241cab35152d2618a4753b77f64fb42fdd4b82fe2a18541473f810c

SHA512
73c823ef023e2329ea4052d3c2fbeed338fddfd5e1941ecbd1c234beb39af8b8d1e7739159ec1e40e5116ab0fbc9087eb6ad07b699b3f10992714300edf0a7b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
0e7226aad6b59764ad4182d82b630b4d

SHA1
c50d2e3a47ec8b3bb3f3899ae7ec9aef81aac417

SHA256
350f494d23bad7780f2c0369cb5057154f38a681fec1f3cd8b13797566a3b1c6

SHA512
4e39155a357b10c78ef593636ca356be93632a677fb0611597fb4f2619d692b496c2ec48d5f8e5c16eda4df0f89b20846f35814f20987eb96f3cbfa993c97d28

Download Submit
memory/2268-28-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-31-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-30-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-29-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-33-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-32-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2268-39-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

Filesize
64KB

Download
memory/2268-41-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-42-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-44-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-46-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-50-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-51-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-52-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-53-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-56-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-55-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-54-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-60-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-65-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-64-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-63-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-62-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-61-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-66-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-67-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-68-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-69-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-72-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-73-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

Filesize
64KB

Download
memory/2268-71-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-70-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-74-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-76-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-77-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-75-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-78-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-79-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-81-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-82-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-84-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-80-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-83-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-85-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-86-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-87-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-90-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-89-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-88-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-91-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-93-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-94-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-92-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-95-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-96-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-97-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-98-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

Filesize
64KB

Download
memory/2268-99-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-101-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-100-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-102-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-104-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download
memory/2268-105-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/2268-103-0x000000000A2F0000-0x000000000A300000-memory.dmp

Filesize
64KB

Download