f951a36c7c6485239857f9a6ce836936cba6411641ceee73918ead728ccc588f

Analysis

max time kernel
1798s
max time network
1612s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-09-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Video Tutorials.mp4
Size

9.2MB
MD5

503afd7b487aed76e280a231800e84ee
SHA1

4808d5b0b33b17d25e6076e96cae966626f25a86
SHA256

72948de9c5941a4ce1c4df3607ba8a3d0bf753d62be4372aea98e3e381065c91
SHA512

8362dff89a5e467cc44faff7789befd05ffedf85b9ca9ed31361dee319fe2b9f6699158686e3361b134828452aea64aeff3197d856e7e49bc68c1c9fee9168bd
SSDEEP

196608:YmSxBhNuVkEphUqGD/rG7a/LUaDf+6cFM7VUXNoPipOT9+6dN2v8xT:Y9u8y7mLU0+6QMQNbpOTp/5xT

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_wm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3940	unregmp2.exe
Token: SeCreatePagefilePrivilege	3940	unregmp2.exe
Token: SeShutdownPrivilege	2736	wmplayer.exe
Token: SeCreatePagefilePrivilege	2736	wmplayer.exe
Token: SeShutdownPrivilege	2736	wmplayer.exe
Token: SeCreatePagefilePrivilege	2736	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	wmplayer.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2088	2804	wmplayer.exe	73
PID 2804 wrote to memory of 2088	2804	wmplayer.exe	73
PID 2804 wrote to memory of 2088	2804	wmplayer.exe	73
PID 2804 wrote to memory of 864	2804	wmplayer.exe	74
PID 2804 wrote to memory of 864	2804	wmplayer.exe	74
PID 2804 wrote to memory of 864	2804	wmplayer.exe	74
PID 864 wrote to memory of 3940	864	unregmp2.exe	75
PID 864 wrote to memory of 3940	864	unregmp2.exe	75
PID 2088 wrote to memory of 2736	2088	setup_wm.exe	76
PID 2088 wrote to memory of 2736	2088	setup_wm.exe	76
PID 2088 wrote to memory of 2736	2088	setup_wm.exe	76

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Video Tutorials.mp4"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Video Tutorials.mp4"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Video Tutorials.mp4"
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2736
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3940

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
f19cbc0fe6f95513f453d8c1d0bc0a43

SHA1
fe40eec93c9f2bbae036667757c786583a028592

SHA256
4360d972da47246e9f52a016a2f2c1a43e101cb10f7203f9ab489de34c50011f

SHA512
6ff6fe4cc24f6bf89c4ba432abe506c0c3ea54eda519ce5f8ba94ecf01148e5f6c05924a5fee483af043e7acde745b20f851f991f5d1fd291c715e7ccdf88541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
605f99d7d218e5f706d5c4092b883da5

SHA1
8d6df5f84bcb50b4d08f94d4068cdb889f7be685

SHA256
e314ed09368cf9d495963b69f4fb373ab32ce1e6b99d5bca995015548cd4d2ec

SHA512
63b2b6d450ebd424bac0d8d3b978b5d91cddd11662943fc7bfdc53c97c2462355a265c385fdd2cd2fc5ee3bc3b738e7729209be8b4e6679e4a06b410e1ffb86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
54391214283d0b47ab8886853a1c2156

SHA1
cb4c481aa928c556f6b808047373d21702d7867c

SHA256
72a73bdacec67b06a99d3b2a5db807bda64461b13c226817780b47a8eab1ef2a

SHA512
2610eb8bfa2cf1de03405d75c4bec7194bf54eeba73921216b6aba48a5032af1951fb612166853935a5a039b2c518a00f83e3a80a2af28c783461e0284a87335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
3157f1c34c0e1a3b65a8e3d9fbc00314

SHA1
23e48522c8d02f381a4be96f565beed8dac8450b

SHA256
0c24ad2f4734e6b88963b754d11b39cb19bdc388d595f47021a4dd063c12cb64

SHA512
08831d3120c89f5af5ac9101c5de0ef9ed0a449f099e9aea2fa32af41ac72917d4a2c8984132729448d582d32310719e6c4a87831cd57aac9c54d02676918112

Download Submit
memory/2736-40-0x0000000008080000-0x0000000008090000-memory.dmp

Filesize
64KB

Download
memory/2736-43-0x0000000008080000-0x0000000008090000-memory.dmp

Filesize
64KB

Download
memory/2736-42-0x0000000008080000-0x0000000008090000-memory.dmp

Filesize
64KB

Download
memory/2736-41-0x0000000008080000-0x0000000008090000-memory.dmp

Filesize
64KB

Download
memory/2736-46-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-50-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-49-0x0000000008080000-0x0000000008090000-memory.dmp

Filesize
64KB

Download
memory/2736-48-0x0000000008080000-0x0000000008090000-memory.dmp

Filesize
64KB

Download
memory/2736-47-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-56-0x000000000A810000-0x000000000A820000-memory.dmp

Filesize
64KB

Download
memory/2736-57-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-58-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-59-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-60-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-61-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-62-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-64-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-63-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-65-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-67-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-66-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-68-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-69-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-70-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-72-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-73-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-71-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-75-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-76-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-77-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-78-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-79-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-81-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-82-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-83-0x000000000A810000-0x000000000A820000-memory.dmp

Filesize
64KB

Download
memory/2736-84-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-86-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-85-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-87-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-89-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-90-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-91-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-94-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-93-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-92-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-88-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-95-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-97-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-96-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-99-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-100-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-98-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-101-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-102-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-104-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-103-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-107-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-106-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-105-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-108-0x000000000A810000-0x000000000A820000-memory.dmp

Filesize
64KB

Download
memory/2736-109-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-111-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download
memory/2736-110-0x000000000A910000-0x000000000A920000-memory.dmp

Filesize
64KB

Download
memory/2736-112-0x000000000A800000-0x000000000A810000-memory.dmp

Filesize
64KB

Download