4db65b59e92f19e54d336a19427230ec568cd8b26ea4601daa0681669ac3bc14

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re-Logic - Terraria Soundtrack - 11 Boss 2.mp3
Size

5.0MB
MD5

b2d0418f8d7b088cfbe23fa028367918
SHA1

02e4a8daa37aaa1a99c86583249c8d6e542e0900
SHA256

61fa7f177d998e47fe9869d48c243d119ae3f670dac4ae5224e78b7fef8d6752
SHA512

4600a1804f7a04b655d50dddafe4f801546db23a4302d388a56ffb60e4e11fcf37bbba521e06cdd91ef9c29769f5493dbf3efffd2e64a50cf892e57d41fe7c30
SSDEEP

98304:ELBYMZ24MDaVCLVJXgkf3c4lDfP7sbfes0hExFKsTIzy39Jjc4jdroS3bxACy//:ELBYDa+V+u3HrQisK6Ks+y33c6dOr/

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{28C21F97-0174-4B61-90FE-BBA6CEF50835}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	184	wmplayer.exe
Token: SeCreatePagefilePrivilege	184	wmplayer.exe
Token: SeShutdownPrivilege	3220	unregmp2.exe
Token: SeCreatePagefilePrivilege	3220	unregmp2.exe
Token: 33	1568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1568	AUDIODG.EXE
Token: SeShutdownPrivilege	184	wmplayer.exe
Token: SeCreatePagefilePrivilege	184	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
184	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 3976	184	wmplayer.exe	85
PID 184 wrote to memory of 3976	184	wmplayer.exe	85
PID 184 wrote to memory of 3976	184	wmplayer.exe	85
PID 3976 wrote to memory of 3220	3976	unregmp2.exe	86
PID 3976 wrote to memory of 3220	3976	unregmp2.exe	86

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Re-Logic - Terraria Soundtrack - 11 Boss 2.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:184
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
6d37c77b1258c734cee5222fe9f54588

SHA1
1787bf68ba30bff360f599648e3fa703b05ab9cf

SHA256
0bff85979e3b8299ee9f3f89d964e5b16d7c0ab3945ba6396b07295a33cc026d

SHA512
04c5338a8f686aee2d43557258dccab9b57e0086c0ff834e8ba693b81b6058467e6c35206000de6ed847fc51fd2e3a2ddbc1b52586f006d0eb429fed097006fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
a791fbcd1d36aae513478b26b8b96213

SHA1
2cb55f7e09b21631cf85e2ad72dec8c500dc064c

SHA256
193a96ba5f153051dac294f4190d91865470ba1c8aecf98b9f8825ac17df0526

SHA512
abcd2da1d8b1093641729ccbd97a0959b378cee2c6c1eb1f26303b3be36bb32d435b4daeedbd7414ecfa44df8f59b499521de821a7bcb98cb5c5cc6ecb76e43d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
264b7524898be79c21d0ac1a10aba2bb

SHA1
2be6db4b03950b3c1dff3cd9f8ff0cdd4e7fcde3

SHA256
53ea36041be60b32a6641364e724c5311552cac35df9e72faf6f3c8a5c0844c6

SHA512
1699a07fa4ff27bf0e152e364717109577af4da81447154070e77a6a67906ff4600160bdef460a7434dff2f9fa37f5e3b76865fdf3e0ebdfd8ab2344f581d868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7b4d646a1e307f172aad7c7cb8e478af

SHA1
6c7fd3613a77dd982d105fd2db8a34c6cc0948ee

SHA256
69e7dcd9634a21e78809bcf2454fbe052120675a7a7ce291db2d49463fc731fe

SHA512
ae2aeb01f765b894e772021602faf0729b228f6a84308d21a01147e18a5e729fc3b99fcbfcdf1b8170b55d919b1d73b347049696044244b13aa2a6b245876f14

Download Submit
memory/184-32-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/184-31-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/184-30-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/184-29-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/184-34-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/184-33-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/184-39-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/184-41-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-42-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-43-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-44-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-46-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-47-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-48-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-49-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-51-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-50-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-52-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-53-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-58-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-57-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-56-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-55-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-54-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-60-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-61-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-62-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-63-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-64-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-66-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-65-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-67-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/184-68-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-70-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-71-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-69-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-73-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-75-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-78-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-77-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-76-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-74-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-72-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-79-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-84-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-83-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-82-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-81-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-80-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-94-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-93-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/184-92-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-100-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-99-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-98-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-97-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-96-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-95-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-91-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-90-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-89-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-88-0x0000000007F60000-0x0000000007F70000-memory.dmp

Filesize
64KB

Download
memory/184-87-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/184-86-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download