d8da1e2c97564bd38c7a4ba4b48c332bce8acec48c0a0fd307758d82f793c8c1

Resubmissions

27/09/2024, 19:17

240927-xzjlksvemr 6

27/09/2024, 19:13

240927-xw9zcsvdqp 6

27/09/2024, 19:09

240927-xt6txsvdlm 6

27/09/2024, 19:02

240927-xp9p1svclk 6

Analysis

max time kernel
123s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
27/09/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Daisy's Destruction/Videos/daysy1.mp4
Size

21.3MB
MD5

7e946fdb75f636287da768a11a1daee5
SHA1

c30f51a459967821f8bb99af1f4253bbe3bb93a8
SHA256

53b27d0adccb02a76cc5ce96d07fe7c370b1c2d4bd57def8e6871c5b04b49458
SHA512

f7c3158aee0bc06bef99f3ed0f23435cdf8834a34d63b8d1ab63189e975329b33e4db2f45a5bfc16c6d6771259231b83c304c6ea7d5d1e022aa121b57b9ed424
SSDEEP

393216:F7iVoISw0XznK1YkFva7Z1RbNNfoRW2/PBdvMgnOk5jZ5xqtjcazd8wCdxrDMdcy:FuLIiXa7Z1unPfnOitnSOdxkdcy

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	636	wmplayer.exe
Token: SeCreatePagefilePrivilege	636	wmplayer.exe
Token: SeShutdownPrivilege	2556	unregmp2.exe
Token: SeCreatePagefilePrivilege	2556	unregmp2.exe
Token: 33	4552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4552	AUDIODG.EXE
Token: SeShutdownPrivilege	636	wmplayer.exe
Token: SeCreatePagefilePrivilege	636	wmplayer.exe
Token: SeShutdownPrivilege	636	wmplayer.exe
Token: SeCreatePagefilePrivilege	636	wmplayer.exe
Token: SeShutdownPrivilege	636	wmplayer.exe
Token: SeCreatePagefilePrivilege	636	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
636	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4672	636	wmplayer.exe	70
PID 636 wrote to memory of 4672	636	wmplayer.exe	70
PID 636 wrote to memory of 4672	636	wmplayer.exe	70
PID 4672 wrote to memory of 2556	4672	unregmp2.exe	71
PID 4672 wrote to memory of 2556	4672	unregmp2.exe	71

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Daisy's Destruction\Videos\daysy1.mp4"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:1716

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
98df921f667bf303621c789390ed9f2e

SHA1
d9c82e51534cf1c2eb5a255286de6a09ca364d1a

SHA256
8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3

SHA512
58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
bd32f5586a5d5eaab284d4a18dcd0d61

SHA1
fc0499460d0b3fd91cf86e8c035705d3f5244b49

SHA256
88c7ab21d71dec4c99374c8be1775379c63aec1c4e1580a3d1009b424bc25e02

SHA512
f8d7706cf948c48392984e49cb586c97568f48524018e314f8f6b7cbc46f3194786b8574c7abe1b1035b7bfc12232442199a439946e832c71e26ae01c1d8bd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
f47bda0953c85050546b11b8f3c13f42

SHA1
cdfbec3694922b71f6a5ea7a0fdb5b8ce9c26d6d

SHA256
6fe9336162e1160b8c55c5b67de0e93e357fe3031f62a069691ca720ebc5296f

SHA512
a41fab75095bed6c8b78e9edb3e5efe7ecd59d469fd37fb06ca0ad9ed65cd660052efc6dc5e41f94089b5945e96f5dd10f976c974c5a43343b59e825340b7492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
10ea78aa0d48466b3e369c924279fed8

SHA1
510ce333bee1f4ac090b5dd120bc401d2e89f044

SHA256
92a2701262a681a544642f4d0ce493d29f285f312f07db1c02eae47bcfce8d73

SHA512
e94c45c9d2cc59e2c9e48668f3a099779c8db0e9364cfce87c785b22902b28bb3135334e860795ca294b40bb097d0d38139039dd0385cbd9401ed1ee476781d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
fae385a46444ba743debc85948e401f5

SHA1
311b2aca560143aaafdf9121a8b66d8169dc16b7

SHA256
0fac8606b3570f30304c543ed7eb329cd7b960a3ed60dc0d9563e991f447e21f

SHA512
6fd6feb7790aaf5370407f423c52b455e122f812a0db45d171877d3c7fdd753b361223864920a61d375722fa36f0e6d95f3a9e3f0ea972229a70b61d10a5054f

Download Submit
memory/636-40-0x000000000AC60000-0x000000000AC70000-memory.dmp

Filesize
64KB

Download
memory/636-34-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download
memory/636-41-0x000000000AB00000-0x000000000AB10000-memory.dmp

Filesize
64KB

Download
memory/636-42-0x000000000AB00000-0x000000000AB10000-memory.dmp

Filesize
64KB

Download
memory/636-43-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download
memory/636-44-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download
memory/636-47-0x000000000AB00000-0x000000000AB10000-memory.dmp

Filesize
64KB

Download
memory/636-36-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download
memory/636-37-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download
memory/636-35-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download
memory/636-60-0x0000000006240000-0x0000000006250000-memory.dmp

Filesize
64KB

Download