4db65b59e92f19e54d336a19427230ec568cd8b26ea4601daa0681669ac3bc14

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re-Logic - Terraria Soundtrack - 09 Underground Corruption.mp3
Size

5.9MB
MD5

3cf04c05f3bef9e34e41529f308c83f2
SHA1

c3336cf78a1599eb3456aade7d6395ea0355d1c0
SHA256

59327c3fd7705714c2af5a397a5bf0efedbda59189ff48bd07e418dedf797e01
SHA512

ec7c7dd63c025ba3702a668c160000055c23bf7958a204ce4fb3af64b3db7f32a2dae7f2e194d2ab20a7ca2ea1dd9eaf7ac119e71796dcbea22947275a9a635a
SSDEEP

98304:8LBYMZCiYumNWp+4eoEGVi/BTkALgfNBjZuL6Eq1hUC1qRA4MFWRz1DqqPh/NtVY:8LBMVs6DDL4AmEEhvq69MRzNqGpNtVSd

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{6418E468-DC85-48DA-B914-A7CD5512E752}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2384	wmplayer.exe
Token: SeCreatePagefilePrivilege	2384	wmplayer.exe
Token: SeShutdownPrivilege	844	unregmp2.exe
Token: SeCreatePagefilePrivilege	844	unregmp2.exe
Token: 33	4172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4172	AUDIODG.EXE
Token: SeShutdownPrivilege	2384	wmplayer.exe
Token: SeCreatePagefilePrivilege	2384	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2384	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 5048	2384	wmplayer.exe	85
PID 2384 wrote to memory of 5048	2384	wmplayer.exe	85
PID 2384 wrote to memory of 5048	2384	wmplayer.exe	85
PID 5048 wrote to memory of 844	5048	unregmp2.exe	86
PID 5048 wrote to memory of 844	5048	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Re-Logic - Terraria Soundtrack - 09 Underground Corruption.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
563088ad0f20fabf9dd62c6ba8ae1636

SHA1
f9cd2fd153afa1a12ff990cf27c32b8c9c44e878

SHA256
eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184

SHA512
8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
87e97393e62fa42f452ffe9b060f67e2

SHA1
85d2f1cd8b9c58a008c665b2bccdc323610fa5c0

SHA256
da4bcbd00e4aae933ddb6f9c7272c7dd6db6f1bb1b9f2c255f65b844ec9aeba3

SHA512
bdf92ebf883b31afe3a6a2a4d0929df0d54f867732aacbf5efd5f427683e2ac8edce90f121a07cfa4593ad5f42acca2c63783a85edccfa024a0b28882ed2527d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
a705fa843b299eebd85eeed73d00c4b8

SHA1
f7dac98c3fbc833db915c8a75a974819fb927736

SHA256
3db120fa1b02ae4d23a31c2fed619f33f0505cdb3cdefa7707c69fb4b843a81f

SHA512
1a8f27cea067a11fb7166e6236772b420c061afc5d51661879382a1cd06509adc8873ebc2e2e89c0910d2003f6aba0dc35ccb9f88471e34543e6bf33df6eee6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
54e4cf0dbe44ffa83e6511f15ab92627

SHA1
ea03c889be0c3016acb84c58d077694040f2b1da

SHA256
e2e4cff62ee369ac0b769aeae3a0e2b62ea6c485bfc2cdcd6fdfe95bf398a05c

SHA512
fb0c5e132cd2a15faa6dc88087f222d2cc3f50ecfb44f588df048a5a049e4dbd797a41dd5c24a5547932427e3eb16020224b1c2f69fae129396a326abbe7bf33

Download Submit
memory/2384-28-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2384-30-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2384-31-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2384-29-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2384-33-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2384-32-0x00000000047B0000-0x00000000047C0000-memory.dmp

Filesize
64KB

Download
memory/2384-41-0x00000000069F0000-0x0000000006A00000-memory.dmp

Filesize
64KB

Download
memory/2384-43-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-45-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-46-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-47-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-50-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-51-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-49-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-48-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-53-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-54-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-55-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-57-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-58-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-59-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-60-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-62-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-61-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-64-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-65-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-66-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-67-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-68-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-71-0x00000000069F0000-0x0000000006A00000-memory.dmp

Filesize
64KB

Download
memory/2384-69-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-70-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-72-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-74-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-75-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-76-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-77-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-78-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-80-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-82-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-83-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-81-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-79-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-84-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-86-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-85-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-87-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-89-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-88-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-90-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-91-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-92-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-93-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-95-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-97-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-96-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-98-0x00000000069F0000-0x0000000006A00000-memory.dmp

Filesize
64KB

Download
memory/2384-99-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-100-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/2384-101-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-102-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-104-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-103-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-106-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/2384-105-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download