834124384a723d5a8fa04bc80fdb951ef8513b71cadd3ed874516ff1a6c28094

Resubmissions

21/09/2024, 16:16

240921-tqv2ga1end 6

21/09/2024, 12:30

240921-pppe3sseql 1

Analysis

max time kernel
272s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

I Hate Punchmade Dev.mp3
Size

3.6MB
MD5

25a11be1889331b3be5d62c2afa67f47
SHA1

40e51c24361aeda5a2be58016e2da34b21d0cbff
SHA256

834124384a723d5a8fa04bc80fdb951ef8513b71cadd3ed874516ff1a6c28094
SHA512

cae3b88a659926155690feb31f7c186deb97be3285f1d3048f0334641cf2dc595366a422d41efb2c732a5c01d868a8649feecccc2945f768c54791a4be523444
SSDEEP

49152:+1awyiSClkJCcuxoJUow4/woI82MEih/guCF0/B+iIq+/ilq+ReIO5Mt2ld4G30L:0AoVcDJ28w6/vCF77ilXdODP4Gk7t9bH

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{B0A726C8-F856-4221-8DFC-ED401670EA3C}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3928	unregmp2.exe
Token: SeCreatePagefilePrivilege	3928	unregmp2.exe
Token: SeShutdownPrivilege	2356	wmplayer.exe
Token: SeCreatePagefilePrivilege	2356	wmplayer.exe
Token: 33	3220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3220	AUDIODG.EXE
Token: SeShutdownPrivilege	2356	wmplayer.exe
Token: SeCreatePagefilePrivilege	2356	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2356	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3208	2356	wmplayer.exe	84
PID 2356 wrote to memory of 3208	2356	wmplayer.exe	84
PID 2356 wrote to memory of 3208	2356	wmplayer.exe	84
PID 3208 wrote to memory of 3928	3208	unregmp2.exe	85
PID 3208 wrote to memory of 3928	3208	unregmp2.exe	85

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\I Hate Punchmade Dev.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e4 0x31c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
adbd8353954edbe5e0620c5bdcad4363

SHA1
aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6

SHA256
64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55

SHA512
87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
0fcf5333911fad6a2ed956e7eee9edd6

SHA1
d808fbf59952d2f29d1cc9dd1d5277f43bc4b4ed

SHA256
c57ebd50f59f9c4824c762020fd4c02c61a1eabfd06250219a9d80c82b751c88

SHA512
5f46a93ffe60f0f507563c49765788a8b9c84cc088c89990321f6b2d96090e5b4dae351f6ed4205d27b42d8bb612e41cb223dcf05f98b94a9eee59d552b63c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
5064a275316a4407b2208e68bcf0cf32

SHA1
db6822405ff952676fcab6189d5b82e1b055ffc4

SHA256
cdec97f8907244ac6690c600171c91eb083a7a14c15918dd8ac52e20dbaf1b2e

SHA512
253a38b465eac45d3ab0c65fca418ed5ff2c35cacfce01c9a9a7130fb065f4d79001bca50d1a2835bfe67dc81c9cb228c8ae485a290023cde11236b936f8d726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
34f4f12a70d939588f1a6baebdd7371a

SHA1
c57b878f1dd609d3138bb5522715da3ebd5c1da2

SHA256
e1bdec1b7502d730e081768382a7a222947322802dba220b889481c5b79b896b

SHA512
cba6831ab6da4c9ecbcdebd47e6c9c748cb82d227eb0d1ccbc60df43abe33eea423fe29ad2e3ac63fdc8f710a494b5394f2733c978c51d937e242497878fa001

Download Submit
memory/2356-28-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2356-29-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2356-27-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2356-30-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2356-32-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2356-31-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2356-38-0x0000000009050000-0x0000000009060000-memory.dmp

Filesize
64KB

Download
memory/2356-40-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-41-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-42-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-44-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-45-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-46-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-47-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-48-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-49-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-50-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-51-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-53-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-57-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-56-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-58-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-55-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-54-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-60-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-61-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-62-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-63-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-66-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-67-0x0000000009050000-0x0000000009060000-memory.dmp

Filesize
64KB

Download
memory/2356-65-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-64-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-68-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-71-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-70-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-72-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-73-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-74-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-76-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-75-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-78-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-79-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-77-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-81-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-83-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-85-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-87-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-86-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-84-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-89-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-91-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-90-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-92-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-93-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-95-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-96-0x0000000009050000-0x0000000009060000-memory.dmp

Filesize
64KB

Download
memory/2356-94-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-97-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-99-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-98-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download
memory/2356-100-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-101-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-102-0x0000000009150000-0x0000000009160000-memory.dmp

Filesize
64KB

Download
memory/2356-103-0x0000000009140000-0x0000000009150000-memory.dmp

Filesize
64KB

Download