54b477d409236424476bcf5e35498780864e1c0dc07e346440d3558946756425

Analysis

max time kernel
28s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 08:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

goku_dancing_1.mov
Size

1.1MB
MD5

34a8bef1dbc4891eec67e06072cf5c2a
SHA1

d8ca7142c88e37495a15d44fe07acde166158f6e
SHA256

54b477d409236424476bcf5e35498780864e1c0dc07e346440d3558946756425
SHA512

a285137f02ec0dafb37afd068ae854ab9049854922f07b8082e14eb241678f0e477971538b4ad4457e02a115c45f5cafa29caf9fbbbfc76151dea9e6cd1fd50a
SSDEEP

24576:H04PMbm3f/eCm98Jmu6FPNCrh6OAioM5i:H04Ubm3+Cu8JMvwkUoM5i

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{E324B257-8DB0-4D1F-B472-30183B922900}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3444	wmplayer.exe
Token: SeCreatePagefilePrivilege	3444	wmplayer.exe
Token: SeShutdownPrivilege	3704	unregmp2.exe
Token: SeCreatePagefilePrivilege	3704	unregmp2.exe
Token: 33	2712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2712	AUDIODG.EXE
Token: SeShutdownPrivilege	3444	wmplayer.exe
Token: SeCreatePagefilePrivilege	3444	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3444	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 64	3444	wmplayer.exe	82
PID 3444 wrote to memory of 64	3444	wmplayer.exe	82
PID 3444 wrote to memory of 64	3444	wmplayer.exe	82
PID 64 wrote to memory of 3704	64	unregmp2.exe	83
PID 64 wrote to memory of 3704	64	unregmp2.exe	83

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\goku_dancing_1.mov"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x474
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
22459d81d48fcf064f867bbe3295e56b

SHA1
0eeb13a0fe6fbab2ea00179a79b938643fb681df

SHA256
64a236855aaf9afa6fde312fab4e851580aaac9ee94e30d3bb597226ac9c8487

SHA512
97fd2e8df3008e666208cbb3c0e527d50952e828a4d3f0e4af25f621e9e09168fc024b16d9f8ad125f754aeb67c63be5810fa6ec8613a5515af4223e6335fff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
ca9ebbe52d9db2844017012715a04187

SHA1
42537b49886149dbc233b7af4db19d80e1042698

SHA256
d50f4f75bcb02d4c188b6254e9f9c2c62dc0901186454973c5fbf699d0079777

SHA512
d79c6cd88823de87f3f6f72789fb445d280fc48fa799007321efeaf1a681ee5d0310910fc46b3bdf32b4b1c38d275b7603215bece1001fc4b3598128d6831932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
525b584a559397db7369f8c7d68050f9

SHA1
7ded6a9cd64cd250bfa60c623463d71916b24aab

SHA256
26a124b22a1551084766515854ade79fbee0be5d3ff55ce129e084f1318bcad1

SHA512
1bbb991bbb8f0d1047680e13b65a009d82d7961c1d614125b9aec75e064141c1eb18068169e20069a05e81dd55946ca5de20430286a4c16d2469b5cae17e3933

Download Submit
memory/3444-31-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3444-34-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3444-33-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3444-32-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3444-37-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/3444-38-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-39-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-41-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3444-40-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3444-42-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-49-0x000000000AC00000-0x000000000AC10000-memory.dmp

Filesize
64KB

Download
memory/3444-50-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-51-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-52-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-53-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-54-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-55-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-57-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-59-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-60-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-58-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-56-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-62-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-64-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-63-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-67-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-66-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-65-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-68-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-70-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-69-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-71-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-72-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-75-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-74-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-76-0x000000000AC00000-0x000000000AC10000-memory.dmp

Filesize
64KB

Download
memory/3444-84-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-87-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-89-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-88-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-85-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-86-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-83-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-82-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-80-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-79-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-78-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-91-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-94-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-95-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-97-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-96-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-93-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-99-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-101-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-100-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-102-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-104-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-105-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-106-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3444-107-0x000000000AC00000-0x000000000AC10000-memory.dmp

Filesize
64KB

Download
memory/3444-108-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-109-0x000000000B520000-0x000000000B530000-memory.dmp

Filesize
64KB

Download
memory/3444-110-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download