Analysis
- max time kernel: 127s
- max time network: 130s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/11/2024, 10:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: Untitled song.mp3
- Resource: win11-20241007-en
General
- Target: Untitled song.mp3
- Size: 1.5MB
- MD5: 0a4db217c83b2473f2c5d40dd0e4ee11
- SHA1: bf0f75ce1429eb13a58c49eb4c200a69f541d942
- SHA256: 09cc0f5dcac52cc34802f576363cdb915b939b3c39d47db1576d785425d4f2eb
- SHA512: b4dff3f683f18bc4f5a38079ba9d2ae446308d5d70c67c88eea4fcf67a60eb8546dd8346f4b305fe84c141e2ae045b42eb3cac2fb25781bcc7fb6a857e6942f7
- SSDEEP: 24576:CnBDL07Wwt7hFXnwDnN98nPsN7qwR2HZsMEiff7TaaEwLqU52H51d5ECKDGq:CBDLjwfWesaH80TLEwLqU65H5ECkGq
Malware Config
Signatures
Drops desktop.ini file(s) (7 IoCs)
- File opened for modification: C:\Users\Public\desktop.ini (wmplayer.exe)
- File opened for modification: C:\Users\Public\Music\desktop.ini (wmplayer.exe)
- File opened for modification: C:\Users\Admin\Videos\desktop.ini (wmplayer.exe)
- File opened for modification: C:\Users\Public\Videos\desktop.ini (wmplayer.exe)
- File opened for modification: C:\Users\Admin\Pictures\desktop.ini (wmplayer.exe)
- File opened for modification: C:\Users\Public\Pictures\desktop.ini (wmplayer.exe)
- File opened for modification: C:\Users\Admin\Music\desktop.ini (wmplayer.exe)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by wmplayer.exe (23 IoCs): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- File opened (read-only) by unregmp2.exe (23 IoCs): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll (svchost.exe)
- File opened for modification: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll (svchost.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmplayer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (unregmp2.exe)
Modifies registry class (3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" (wmplayer.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{50D74712-4E5A-41C9-AA41-0D7CFF0D1F97} (wmplayer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer (wmplayer.exe)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
- Token: SeShutdownPrivilege, PID 4920 (wmplayer.exe)
- Token: SeCreatePagefilePrivilege, PID 4920 (wmplayer.exe)
- Token: SeShutdownPrivilege, PID 4776 (unregmp2.exe)
- Token: SeCreatePagefilePrivilege, PID 4776 (unregmp2.exe)
- Token: 33, PID 1772 (AUDIODG.EXE)
- Token: SeIncBasePriorityPrivilege, PID 1772 (AUDIODG.EXE)
- Token: SeShutdownPrivilege, PID 4920 (wmplayer.exe)
- Token: SeCreatePagefilePrivilege, PID 4920 (wmplayer.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 4920 (wmplayer.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
- PID 4920 wrote to memory of 5028; process: wmplayer.exe (PID 4920); procid_target: 80
- PID 4920 wrote to memory of 5028; process: wmplayer.exe (PID 4920); procid_target: 80
- PID 4920 wrote to memory of 5028; process: wmplayer.exe (PID 4920); procid_target: 80
- PID 5028 wrote to memory of 4776; process: unregmp2.exe (PID 5028); procid_target: 81
- PID 5028 wrote to memory of 4776; process: unregmp2.exe (PID 5028); procid_target: 81
Processes
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe (depth 1, PID 4920)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Untitled song.mp3"
  Signatures:
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\unregmp2.exe (depth 2, PID 5028)
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\unregmp2.exe (depth 3, PID 4776)
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      Signatures:
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (depth 1, PID 2400)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  Signatures:
  - Drops file in Windows directory
- C:\Windows\system32\AUDIODG.EXE (depth 1, PID 1772)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004D0
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (depth 1, PID 4720)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads