Malware Analysis Report

2025-08-11 06:34

Sample ID 241109-md9wjasfml
Target Untitled song.mp3
SHA256 09cc0f5dcac52cc34802f576363cdb915b939b3c39d47db1576d785425d4f2eb
Tags
discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

09cc0f5dcac52cc34802f576363cdb915b939b3c39d47db1576d785425d4f2eb

Threat Level: Shows suspicious behavior

The file Untitled song.mp3 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Windows directory

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 10:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 10:22

Reported

2024-11-09 10:24

Platform

win11-20241007-en

Max time kernel

127s

Max time network

130s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Untitled song.mp3"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\O: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\R: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Y: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Z: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\U: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\S: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\W: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\T: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\M: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\X: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\J: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{50D74712-4E5A-41C9-AA41-0D7CFF0D1F97} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Untitled song.mp3"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004D0

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 2.21.100.8:443 | musicmatch-ssl.xboxlive.com | tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 1a0295014678e91e7fea0a79074d6ffc
SHA1 f93a33dfd19a09d92174a17f0912440ddb1479a0
SHA256 fba2e401545352472136e5c71b0596b9125ddcfe2b87c439d8567cb2dad16745
SHA512 d7aec99cf127bf009bad534f293b65ce93ed08c650312a32ea670b0cf09dcaa0906962d9b29ce6c078396885e8ce55bf5ae5598c2480fd508ebddd111bd6c882

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 f388dd54cd6d96d6303ba1a48bbdad93
SHA1 687b39a9b74fdab5f5574ccb1b32a1a1a2f66e68
SHA256 116d2fd1b8b3b117c736ea25f2c297ab299f66e5a697317391abc0b086fc98a3
SHA512 c8239984e0fca5049ef847558926faefd88dc0d294047a48f071afd4dd5f14af4a8e5cd2629fada38f65ddef2314949da5fef618ce6c45bd6956e68e0cd037ec

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 33d8bdb6ed8b0aeb852a4c0b019555b2
SHA1 c2e08fbbbb63422faf76ba995022515836c469f4
SHA256 8208ca87ab830a8085b8f03e4a389633f721fabf0cdb669f47f34910199ac9f6
SHA512 f6b009e9653e9dcdfc18d398f6e1979061fe37a69e74aba8810916f8cb5577e74666db1634a62339b105f486eea62daed6ea6e1a0380d865175cf25bcf545d8e

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 2f30c9be4e7bbc7251e3b60cc7888b57
SHA1 d761cea74d57caccd159c20cca1c28c4a48f7c88
SHA256 31318405613b3a5e62aad31956448a14b501317bb2624474fe74d192acfa2d51
SHA512 f7bd32f6fb211c23fc394cf2247187f87aa916fb8fbac54115bbf05b2a061f5a605a1c588503261559597bde33ef157764e88d2bd0dd9dbff91543eb251c61e1
