4db65b59e92f19e54d336a19427230ec568cd8b26ea4601daa0681669ac3bc14

Analysis

max time kernel
140s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re-Logic - Terraria Soundtrack - 01 Overworld Day.mp3
Size

5.7MB
MD5

256d635c2022057c4e4ac300f2ddf810
SHA1

d174e7b77d1e64196ea0a947ea68ff4bbe0c303a
SHA256

51faca3e7cb2e8d9d41350a1eaa874c6c7e925859c22d4c1fe2882dff3c85ed9
SHA512

9d4c8dae941ffd3674460ef77e579a08374d61b29b56a5d1a3255a7288d9dfb364a27082783cf164e24f6c089c1a523ac8e78f63736828ddf65ed92f92e88f03
SSDEEP

98304:9LBYMZtW4uBqB0mleXGDjeRYLL/hVV8W0bFTzy3l5hhSfFQHQU2oya:9LBzcBqBJeR8L/VO45XaFQhua

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{5526DFB3-DA49-4AA6-A424-5AE3EC67E5F2}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2360	wmplayer.exe
Token: SeCreatePagefilePrivilege	2360	wmplayer.exe
Token: SeShutdownPrivilege	3948	unregmp2.exe
Token: SeCreatePagefilePrivilege	3948	unregmp2.exe
Token: 33	3008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3008	AUDIODG.EXE
Token: SeShutdownPrivilege	2360	wmplayer.exe
Token: SeCreatePagefilePrivilege	2360	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2436	2360	wmplayer.exe	85
PID 2360 wrote to memory of 2436	2360	wmplayer.exe	85
PID 2360 wrote to memory of 2436	2360	wmplayer.exe	85
PID 2436 wrote to memory of 3948	2436	unregmp2.exe	86
PID 2436 wrote to memory of 3948	2436	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Re-Logic - Terraria Soundtrack - 01 Overworld Day.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
29bd18035ac3468ed8ee41ba90d66f22

SHA1
36e76825c5aff3f599ec16a85b14ee487595a69d

SHA256
eca587e1d30a5a9c65a7f3d69272ebc2890a0ec954d1ee4ad7d5ac45bd95ddc8

SHA512
b1b8a231de045c227d430c9edd5996b882153fd848fc319ba2dfbfc7aa309bce8a3551889f735f6de6d6fdfc09a1ffad4dcb4fd7ff2d4017eeb2c97f7a83f7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
c185962d10c3cf654380b8071a722b99

SHA1
8b115b79c5fda3c7579c7f7588952abfb3100328

SHA256
4a740a4802934330f9cb72b58141db13834b2f35c945e57dc62955e8f7c856f4

SHA512
bd447212c072c5720919570e07c1a0c796b774e4ce735f44d60f75e2f440b9c4a3648d97fd95a1b64e15a9a02b078f11387d3e166adb03da956bf3ee526b789d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
31bc50e16c691f67ecd708117d175332

SHA1
d7bd76e8b7a2881fcf659f9a7e43354bcce39f64

SHA256
465d546d41847cd0f168732539a4e8def582a1c2490d0927ac284e854c2ad54f

SHA512
eddaf00ee7d1f3ad6807d0bb73ccdaa2e593cd47d9694f9e1ec2b744c4ff8f615d6255f06203cbd66221dfd88faa02a8d322a477c5fad069254fd1ac86486941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
38e3a047d4588780bef93b999d651b8d

SHA1
a8c1af44a91aa475c32fd1ed0362ed888d752f79

SHA256
9b742d5ee09ddeaf599069c97aaf3877eb25cbf43a149024ae1e5cb2b5151d93

SHA512
655bda9b8b151fe18a1f96e91a1f4c8965fdf304dc72acd8fdf0187a90880f0bb8c43bcaecf45de9e23ffec36427ccde05fbd8817fe798b228fa3d3b4f0e6201

Download Submit
memory/2360-33-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2360-31-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2360-36-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2360-35-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2360-34-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2360-32-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2360-52-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download