a69ba03a6a908821c6783ab21252ad82272e2219bd4701ac6373901ebcd35535

Resubmissions

09/10/2024, 18:44

241009-xdlh2swbnc 6

09/10/2024, 18:43

241009-xc1lkswbmd 1

Analysis

max time kernel
145s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ther.mp3
Size

4.8MB
MD5

caf2e7bf786d09b60c352d6067623577
SHA1

24a1a384376d53aa08308d54c51b8ad5be030b8f
SHA256

a69ba03a6a908821c6783ab21252ad82272e2219bd4701ac6373901ebcd35535
SHA512

0580fc7c0e4591e4982c9a68af326ca702859b0dfb6341dc745430569592ec22fa68cc0074158fac91f4141bf2d03f5ff30d48a484c45d86f88339dff343effe
SSDEEP

98304:O5d2bKKUkII9D6wiseq6KZmJGYycMKu2QiuK3nX2LMz32wR8e0PrwDHatdwjc7tN:w0Nz9qJqsJGXkQy3X2wz32e0TwGzwI7b

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{00DCB0F2-5AAD-409E-A974-ED86CE2EBE77}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3216	unregmp2.exe
Token: SeCreatePagefilePrivilege	3216	unregmp2.exe
Token: SeShutdownPrivilege	868	wmplayer.exe
Token: SeCreatePagefilePrivilege	868	wmplayer.exe
Token: 33	1036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1036	AUDIODG.EXE
Token: SeShutdownPrivilege	868	wmplayer.exe
Token: SeCreatePagefilePrivilege	868	wmplayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
868	wmplayer.exe
868	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1372	868	wmplayer.exe	85
PID 868 wrote to memory of 1372	868	wmplayer.exe	85
PID 868 wrote to memory of 1372	868	wmplayer.exe	85
PID 1372 wrote to memory of 3216	1372	unregmp2.exe	86
PID 1372 wrote to memory of 3216	1372	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Ther.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
ed6403a9e04010f1dec738de07aa712e

SHA1
1c106b90e799899f7b7d87430272720f05a47b2f

SHA256
65ac91d9fa770fe2025fa0866dcdbad3a33087f3aa7974150ad0d6d0c2b87432

SHA512
1ac9e6c73f062b10b5af5abf4131827ef347ecaf2295168d2f0ff92a03513a97634a2dcc0dbad40cd4427446fc76673749bbea4988eade919608d174117654b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
af470a3851a5cacb18105b7834592ea8

SHA1
12a029ec1c572404e1018786016d9810566378cf

SHA256
3fcb27d865b01439d3e83a0cabdd3af1c22011de04a7ed40283d31a205b5e4a0

SHA512
0802feab65b0447304c226534ec46c1141123da00f07cc47817c3305d6c3a3587c315bf4050d957787ea47d94a06f77fddb495c29f7e4a80e7785654715d9059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
25fbe8c119a04f6613da383f311c42e7

SHA1
eca2fe759ce5ea1c5c893e74ac99c8b0ef585dc8

SHA256
8180c4f467211deb5fff40be455933df5371500502890789daac008997d6b5e9

SHA512
e8a8d505d181de60bd3e9e5487c8d94216e2b306a85339d5d72e8aec2555e0e3a688e2173542b763569671db1bf866217136e4d7ae72664ee70a869cb4c126cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
d1fe0a0f7d4a9baebdd5f0bd87a7abc2

SHA1
6e0a0a3f34310e01507930569cbd3b3ff67b6f7f

SHA256
e214f64c9764a953423a8bc12b816d855a2ee9201b9b1afbf3efd03b7aa960a0

SHA512
80eb44acf21aa50f284ce68c4b86965483f6e5eca07d13d4c0cf8080fc78860579237e1d0aacd598cfc17f38682b2859d212b1d99b6beb66ba1f313061b4ab44

Download Submit
memory/868-27-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/868-28-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/868-30-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/868-29-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/868-32-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/868-31-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download