d8da1e2c97564bd38c7a4ba4b48c332bce8acec48c0a0fd307758d82f793c8c1

Resubmissions

27-09-2024 19:17

240927-xzjlksvemr 6

27-09-2024 19:13

240927-xw9zcsvdqp 6

27-09-2024 19:09

240927-xt6txsvdlm 6

27-09-2024 19:02

240927-xp9p1svclk 6

Analysis

max time kernel
147s
max time network
134s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-09-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Daisy's Destruction/Videos/daysy3.mp4
Size

26.7MB
MD5

4067501d3966c982fffa2cca7be4620f
SHA1

9cae0a9fe9099c770432a5da9088ab828f0b52d1
SHA256

fdeb24efd395dd182cb981b3ff052428f8ca599d6c23b639d6c05e7d3eed2b5c
SHA512

737e1ae07012799d0352163d7ec19fbc2203363de5ef2edd6452c5fdd9cb3d510b9ff0ce7a97d03860cebd0eb37ca8cc8703b780cef0293ddf01d6bfd2f7f2a3
SSDEEP

786432:4kgNelGmhjoa20vrQ0QBsqS575bMDfy/rGS:JgoHhEapM4qSllufy/rGS

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_wm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3548	unregmp2.exe
Token: SeCreatePagefilePrivilege	3548	unregmp2.exe
Token: SeShutdownPrivilege	2396	wmplayer.exe
Token: SeCreatePagefilePrivilege	2396	wmplayer.exe
Token: 33	4544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4544	AUDIODG.EXE
Token: SeShutdownPrivilege	2396	wmplayer.exe
Token: SeCreatePagefilePrivilege	2396	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2396	wmplayer.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4964	2856	wmplayer.exe	73
PID 2856 wrote to memory of 4964	2856	wmplayer.exe	73
PID 2856 wrote to memory of 4964	2856	wmplayer.exe	73
PID 2856 wrote to memory of 4304	2856	wmplayer.exe	74
PID 2856 wrote to memory of 4304	2856	wmplayer.exe	74
PID 2856 wrote to memory of 4304	2856	wmplayer.exe	74
PID 4304 wrote to memory of 3548	4304	unregmp2.exe	75
PID 4304 wrote to memory of 3548	4304	unregmp2.exe	75
PID 4964 wrote to memory of 2396	4964	setup_wm.exe	76
PID 4964 wrote to memory of 2396	4964	setup_wm.exe	76
PID 4964 wrote to memory of 2396	4964	setup_wm.exe	76

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Daisy's Destruction\Videos\daysy3.mp4"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Daisy's Destruction\Videos\daysy3.mp4"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Daisy's Destruction\Videos\daysy3.mp4"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2396
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3548

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
0e807656bd86f2aef7ccf207f963973b

SHA1
27052af8d103d134369e356b793eb88ba873df55

SHA256
c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162

SHA512
e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
08ea7c1b5ff52d081d8252855cd28667

SHA1
aafe2e86d9983f8f16f7f90f49949baedd3ec82f

SHA256
445211e69397b8323c6e8c14299c3c2e50a42b280943e30b7bc28ac47b243d22

SHA512
7204a9a9cc14b4b7d47eaa30903ee37f5b7b5c34fe70763e838e9b2f476738e4af8aecea106fdc3999947c1dbf72065f9030767858904565a9ec015ab1318858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7346a6c94534bc89c1c8654a0ac642e4

SHA1
75c1325e488475e3959c8839f54b5d51bd63e550

SHA256
d92f44e34cc72b2e3f80cf007c00f4bfca295410ce926c236b99e4bc787508c3

SHA512
6521242fce2fed423206b58b663e006a08dc4fe9b59ba3acb0cb0e84988666690c745e11fbc7e29b327c7b85d5bb0ed72743719f52687fe2b0cf0a553b81a935

Download Submit
memory/2396-42-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2396-43-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2396-41-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2396-46-0x000000000A4D0000-0x000000000A4E0000-memory.dmp

Filesize
64KB

Download
memory/2396-47-0x000000000A3F0000-0x000000000A400000-memory.dmp

Filesize
64KB

Download
memory/2396-49-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2396-50-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2396-48-0x000000000A3F0000-0x000000000A400000-memory.dmp

Filesize
64KB

Download
memory/2396-53-0x000000000A3F0000-0x000000000A400000-memory.dmp

Filesize
64KB

Download
memory/2396-40-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download