Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

20240914_201432.mp4

windows10-2004-x64

6

Analysis

  • max time kernel
    128s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 18:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20240914_201432.mp4

  • Size

    5.1MB

  • MD5

    e77ab87fd86efdc684710896233e30e8

  • SHA1

    79c8096f21136242ed9c713a7a9172da383820ed

  • SHA256

    3be5612f7ec510a547628a50271d4076ddf4425773a825690a7b1f9d52bc63b5

  • SHA512

    ab121e2e612c4c402a87cc28dc68cc13280f8ef91ec6a8d78b0655ebf0a03b002bf39b076a2c4257e234615a096efc87b7951011f823bbb68c61ec39413bfae7

  • SSDEEP

    98304:bmd6nJAOexsTafBV0/sNHjPEzjbBznVMJPONoQcSw12QTqzbE/al+BqQeb5YHFG:bmdqJAOexsEVQKg3bBznVMAD594k4qLt

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\20240914_201432.mp4"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:3700
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500 0x510
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    64KB

    MD5

    987a07b978cfe12e4ce45e513ef86619

    SHA1

    22eec9a9b2e83ad33bedc59e3205f86590b7d40c

    SHA256

    f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

    SHA512

    39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    3dfe95cecb49f0773aaf219f86e6a569

    SHA1

    baf58f97fb2323b3f64c22ba2a5ecee7a864323a

    SHA256

    155d8d57aa5adeb4eb08c2be6cf6a3e4de136ea33f2728f7665a5d9c11ad3cfe

    SHA512

    f21c079c0844384b224df58c015e7a8f7e8f94098b529129330901ee4b2e7bd82ecdb7dfef4266fa28d605967dd4a3cd4718f44dfdcc52113ce7afe0e26a5926

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    106bc45e82c46db2af2c335e9995dbc0

    SHA1

    5164c5b871c016ee8dfddeaae131d7b1fbbf9b1e

    SHA256

    01747882f845bda32daebdcaed68a32cef1c975eff7e8b31ffd8366acf6b73ef

    SHA512

    95d4cba32edc998b7e0f4ced23c7cbee0ceec7fdb2d2e7ddbc36454863b58f200bed2bafd0b9db597e79e2d321dbf3348fa7b6e332f94e2250058c98715f4694

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    a1b6c47b9cc48bc3f48ca96ec78c1af3

    SHA1

    478615baf2dc36f18916cabb2ff7bc9ffe59d3c3

    SHA256

    8565696cc00472deb00b73c490ed81a6306506a3275736178919b62007062a56

    SHA512

    66ee188b12d9ace311f367a7a43fb78da382098e20895009c4fdb17916a352f368d34cdd5c6f3410c5524c96cecae03151655309470dab292e1b97318b49448c

    Download Submit

  • memory/3012-35-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-42-0x0000000007900000-0x0000000007910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-37-0x00000000078A0000-0x00000000078B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-38-0x0000000007900000-0x0000000007910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-39-0x0000000007900000-0x0000000007910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-41-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-40-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-33-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-34-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-36-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-57-0x000000000A810000-0x000000000A820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-64-0x000000000A810000-0x000000000A820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-70-0x000000000A810000-0x000000000A820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-71-0x000000000A810000-0x000000000A820000-memory.dmp

    Filesize

    64KB

    Download