4db65b59e92f19e54d336a19427230ec568cd8b26ea4601daa0681669ac3bc14

Analysis

max time kernel
140s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re-Logic - Terraria Soundtrack - 06 Boss 1.mp3
Size

5.6MB
MD5

c5cfc965e54e040d4ed15d1035aa4b22
SHA1

dee12b931e78ac348df087b4b701a7d1075d2a11
SHA256

a2bf8a9b769843a8abec58554c7337fa238411307d51601667b714a37ec1ee8a
SHA512

8f62f547eb4c0f23981b1c2d5f287cd76f67e5b9dd4b42cb0e21f11f346e5c1e1fe3689b40ce5371c58de8ccca3093b5dd8d1592603912989db85aef69e0c1c1
SSDEEP

98304:2LBYMZb78cRuIokvQDfTWfn9/sPDyew4BHOApaiOSv3zx/Tm0H79ZC08S/3qci:2LBh8sQDfyV2y4BHBESVX5Zx8Syci

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{8EA60DD3-D5F9-466C-9E19-95A19124D88B}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	wmplayer.exe
Token: SeCreatePagefilePrivilege	3004	wmplayer.exe
Token: SeShutdownPrivilege	3620	unregmp2.exe
Token: SeCreatePagefilePrivilege	3620	unregmp2.exe
Token: 33	3700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3700	AUDIODG.EXE
Token: SeShutdownPrivilege	3004	wmplayer.exe
Token: SeCreatePagefilePrivilege	3004	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1624	3004	wmplayer.exe	85
PID 3004 wrote to memory of 1624	3004	wmplayer.exe	85
PID 3004 wrote to memory of 1624	3004	wmplayer.exe	85
PID 1624 wrote to memory of 3620	1624	unregmp2.exe	86
PID 1624 wrote to memory of 3620	1624	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Re-Logic - Terraria Soundtrack - 06 Boss 1.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d8 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
768KB

MD5
3d62e3f72f600de89d2574e8568e0d37

SHA1
d90ac9cd9e6692e5cd23fd53173e6bc50738bdf2

SHA256
de70c861a550934232e1006891d47566e20a219b16f97856ff60238de31d142a

SHA512
0bac4d2bd9c80ab0e268b40626653a6c19c51bff15f249064c0a20b4759a6ae329dff9d9a93098556ed055dc8233b48a106bd205649320299b70df85ebd0a08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
f3fcee5debb95a81e17b0e3d2f1329c1

SHA1
f1e3acba6be7dc14d99c5419160737cee3404f2b

SHA256
a0e642752bf5537c181483da1c9d424e57e9d9f59829b40120772952d4502ae8

SHA512
9c5a9a417ead9261b4327f62c274b4522d42c05d8a8795a2296c318c04562609eaeecafed3d5e609e682b4a0d649144507829aeed8e8342185dd6f1a2d1357b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
a19faccf2ef74671049757f39a2e69b0

SHA1
81e4f501fce43130d9c4dce34ceaf20a94df19b9

SHA256
4e6e76dc9f00143ebf86f43b212c6ee4b3754c2847b4e292c2314fd32157eff9

SHA512
6aa125c69f9af851e363083793869b83f962f649b9bf3d9e6f5e4d570b68d689c836d01bd83b3fccccebc9abaf1a5a691284881a900c8168b1054c36ee7bec28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
f0f3836dec09ece60a4bcb63b38e70ea

SHA1
8366613796fc80f03c87c290882590a6b9a35c67

SHA256
d2cbd8923164af01f7c4a0655602e0fabef1ab48aa883e2b3de9e83c54c66e8a

SHA512
9bab07baf948b0b8379caaa93f716f59403761e980afae4df50be5c371b1d880db2447113ba30400944eed2c460f75a07f0f4fbc6b7129f160a7e454a340e80f

Download Submit
memory/3004-28-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3004-27-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3004-32-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3004-31-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3004-29-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3004-30-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/3004-48-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download