Overview

overview

8

Static

static

1

Payload/Ma...32.png

windows7-x64

3

Payload/Ma...32.png

windows10-2004-x64

3

Payload/Ma...38.png

windows7-x64

3

Payload/Ma...38.png

windows10-2004-x64

3

Payload/Ma...48.png

windows7-x64

3

Payload/Ma...48.png

windows10-2004-x64

3

Payload/Ma...72.png

windows7-x64

3

Payload/Ma...72.png

windows10-2004-x64

3

Payload/Ma...t.json

windows7-x64

3

Payload/Ma...t.json

windows10-2004-x64

3

Payload/Ma...up.css

windows7-x64

3

Payload/Ma...up.css

windows10-2004-x64

7

Payload/Ma...es.xml

windows7-x64

3

Payload/Ma...es.xml

windows10-2004-x64

1

Payload/Ma...pi.cer

windows7-x64

8

Payload/Ma...pi.cer

windows10-2004-x64

8

Payload/Ma...ck.mp4

windows7-x64

1

Payload/Ma...ck.mp4

windows10-2004-x64

6

Payload/Ma.../c.wav

windows7-x64

1

Payload/Ma.../c.wav

windows10-2004-x64

6

Payload/Ma...er.cer

windows7-x64

8

Payload/Ma...er.cer

windows10-2004-x64

8

Payload/Ma...vision

windows7-x64

3

Payload/Ma...vision

windows10-2004-x64

3

Payload/Ma...eo.mov

windows7-x64

1

Payload/Ma...eo.mov

windows10-2004-x64

6

Payload/Ma...al.mp4

windows7-x64

1

Payload/Ma...al.mp4

windows10-2004-x64

6

Resubmissions

15/10/2024, 23:54

241015-3x4fvsxemq 8

15/10/2024, 23:51

241015-3v719sxdrl 7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/10/2024, 23:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payload/Mabz.app/c.wav

  • Size

    212KB

  • MD5

    b8c0604cd7f46d8f9c8fd1afcd3e7e96

  • SHA1

    abafdb5022578082234542383b8111ab6985b485

  • SHA256

    3b06f7a05a673513e18612a6c39b5c93110459a75b4a4c8d66855224840ec4cd

  • SHA512

    c7b5cf20a7ac2b0510ff2fb6c561c9bf9222b29c44b5534315e2bebe3b806c57f4701834804eeed900c14d3edc6db3dc1e0b1407749121c2154e636fe8090efd

  • SSDEEP

    6144:4FUgpNiyW3QbLHUq2A43b2UFXvoZOyaesYX+:4FUwcy1/HUM45VoZDa/YX+

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\Payload\Mabz.app\c.wav"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1892
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:3152
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x414 0x40c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    256KB

    MD5

    29bd18035ac3468ed8ee41ba90d66f22

    SHA1

    36e76825c5aff3f599ec16a85b14ee487595a69d

    SHA256

    eca587e1d30a5a9c65a7f3d69272ebc2890a0ec954d1ee4ad7d5ac45bd95ddc8

    SHA512

    b1b8a231de045c227d430c9edd5996b882153fd848fc319ba2dfbfc7aa309bce8a3551889f735f6de6d6fdfc09a1ffad4dcb4fd7ff2d4017eeb2c97f7a83f7d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    c8d94b9c2bd0e9cce0e064dd8201cb08

    SHA1

    1227b8149493bd327507ea6d00e666208bd41f28

    SHA256

    7fff027236cc0dc381a50eaad6a184e31467fa1c9768de7ab5383a92440be84a

    SHA512

    3792b07918fc57b1c105497b135994013d861933d42e2d0209da574219794401ee031c891ca2429f26ead29aaeb54d128a411e200217405db5034f4501210814

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    7feb053f759089d6ddb2154782dbb293

    SHA1

    4f642fce829e8a597caad3dc39a6464fae95ae35

    SHA256

    d629f8ae727c9e12608cebadba427cde0b1a5c18c62f9afb7f2d5e38797b6e41

    SHA512

    ef0b58e47a1fcc02253fda75f9a16daa785165d207c48923c30e64418386623db9941cd8ecbbd39ecb18317c4ac521d584165825d7d185bfe3b9996385e0e9ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    d9bac8e8577b7af0fad35e7c3a3a6e7b

    SHA1

    ef2fcba1072d15e5640e256481bcd8c06eaa5d30

    SHA256

    ca7fa9f16c68d19cda9afd578b86d5e2896321bdacd94d6dd49f5096c21905ba

    SHA512

    c2cd461758cf2e47fb927f97e4185eb36dcde454e037b8b2ed37d2089d4621f2de6723b077b7b0f001bfae4eb0db04f21f36fafe113072e231c5f9782e21a1c6

    Download Submit

  • memory/3536-31-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-32-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-36-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-35-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-33-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-34-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3536-51-0x0000000007A40000-0x0000000007A50000-memory.dmp

    Filesize

    64KB

    Download