39eed41a282105d827a5ed1c6bd0e50e5b69d8535f80c2e67aeb2f0da72e1628

Resubmissions

15/10/2024, 23:54

241015-3x4fvsxemq 8

15/10/2024, 23:51

241015-3v719sxdrl 7

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Mabz.app/back.mp4
Size

1.1MB
MD5

47bf44170a778891f33ba0303eb1f8ca
SHA1

7a9fd4e37fb3ad35dce325a3de1e672e5c0f41ab
SHA256

72eaa3f85cdd325c38987925c84af255ba88fece77c3ea94d0fc679ad71ac9f8
SHA512

dac266eb49bf0ccb59425e798d9d79889fe7e34eb6b0bf4782d7afb57c0fb7926396ea9db51dd527c9b1a2af0b99d5927ff888cd97a4d3017b6e31b279e7b8aa
SSDEEP

24576:LGJgV9LV1Yv1x0xw24+Ub984a2aecGpuTZ:aCLLPQ1IU+698maZ

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{E8432D2D-1986-4E85-9D72-970BBD32B428}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2456	unregmp2.exe
Token: SeCreatePagefilePrivilege	2456	unregmp2.exe
Token: SeShutdownPrivilege	2648	wmplayer.exe
Token: SeCreatePagefilePrivilege	2648	wmplayer.exe
Token: SeShutdownPrivilege	2648	wmplayer.exe
Token: SeCreatePagefilePrivilege	2648	wmplayer.exe
Token: SeShutdownPrivilege	2648	wmplayer.exe
Token: SeCreatePagefilePrivilege	2648	wmplayer.exe
Token: SeShutdownPrivilege	2648	wmplayer.exe
Token: SeCreatePagefilePrivilege	2648	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2712	2648	wmplayer.exe	87
PID 2648 wrote to memory of 2712	2648	wmplayer.exe	87
PID 2648 wrote to memory of 2712	2648	wmplayer.exe	87
PID 2712 wrote to memory of 2456	2712	unregmp2.exe	88
PID 2712 wrote to memory of 2456	2712	unregmp2.exe	88

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Payload\Mabz.app\back.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
063793e4ba784832026ec8bc3528f7f1

SHA1
687d03823d7ab8954826f753a645426cff3c5db4

SHA256
cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd

SHA512
225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
a20cff78834270d136546be3bfbf9cb9

SHA1
2919699d24fe5e24e306640b8c8875cfa7d29c51

SHA256
9ee2fe5259b73000f7b3850588f3657b9e52a866b6ad11713d3eceb75dc7eaf5

SHA512
79f293f5675e0308544c0782388d33e0271fbc9f9601bcffbb631cf3b2dee5aecc0fe0d26b55d7c43ed4d5603bf39d7e563eb981bb4578eff7396b5222e6f088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
f7b2af59baf739b86eb5b26303aa51bc

SHA1
5498968d79ca86a12b2dc5824430ac871ea5cd44

SHA256
a982c18bd81634a89b01b14d1f297a3ed350b74294480e9d81d05617acef9005

SHA512
a683b0b444b9ff0fe10d990dd4b79c56a977ccee772d2b3abbb0f9e5dd3c6d81f3a5f43f1d86e2cf90df38a836c0b352e3c85164d3d45e4cd3b4792ed59cc8f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
ca30a1a3c6a8c89b13be22eba77c6cf9

SHA1
65f7c3f3ce4da1c21844126a11ed99ba632089a2

SHA256
7d112a3fbe9fb6a6c971b035488a89b9803fa35f2099dd6b457b9fd0014f7847

SHA512
f1a6df8357bc30205e766312fb0d0d3e7e1c6cfb48b69719077b81808e329260687893ee1b221bb9247daf0c9c31926ff7a22316ae5337ada56d2aaf56624da3

Download Submit
memory/2648-31-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/2648-30-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/2648-34-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2648-35-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2648-37-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/2648-38-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2648-36-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/2648-29-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/2648-28-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download