Analysis Overview
SHA256
09cc0f5dcac52cc34802f576363cdb915b939b3c39d47db1576d785425d4f2eb
Threat Level: Shows suspicious behavior
The file Untitled song.mp3 was found to show suspicious behavior.
Malicious Activity Summary
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Windows directory
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 10:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 10:22
Reported
2024-11-09 10:24
Platform
win11-20241007-en
Max time kernel
127s
Max time network
130s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{50D74712-4E5A-41C9-AA41-0D7CFF0D1F97} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4920 wrote to memory of 5028 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 4920 wrote to memory of 5028 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 4920 wrote to memory of 5028 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 5028 wrote to memory of 4776 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
| PID 5028 wrote to memory of 4776 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Untitled song.mp3"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004D0
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 2.21.100.8:443 | musicmatch-ssl.xboxlive.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 1a0295014678e91e7fea0a79074d6ffc |
| SHA1 | f93a33dfd19a09d92174a17f0912440ddb1479a0 |
| SHA256 | fba2e401545352472136e5c71b0596b9125ddcfe2b87c439d8567cb2dad16745 |
| SHA512 | d7aec99cf127bf009bad534f293b65ce93ed08c650312a32ea670b0cf09dcaa0906962d9b29ce6c078396885e8ce55bf5ae5598c2480fd508ebddd111bd6c882 |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | f388dd54cd6d96d6303ba1a48bbdad93 |
| SHA1 | 687b39a9b74fdab5f5574ccb1b32a1a1a2f66e68 |
| SHA256 | 116d2fd1b8b3b117c736ea25f2c297ab299f66e5a697317391abc0b086fc98a3 |
| SHA512 | c8239984e0fca5049ef847558926faefd88dc0d294047a48f071afd4dd5f14af4a8e5cd2629fada38f65ddef2314949da5fef618ce6c45bd6956e68e0cd037ec |
memory/4920-31-0x0000000004460000-0x0000000004470000-memory.dmp
memory/4920-32-0x0000000004460000-0x0000000004470000-memory.dmp
memory/4920-30-0x0000000004460000-0x0000000004470000-memory.dmp
memory/4920-29-0x0000000004460000-0x0000000004470000-memory.dmp
memory/4920-34-0x0000000004460000-0x0000000004470000-memory.dmp
memory/4920-33-0x0000000004460000-0x0000000004470000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 33d8bdb6ed8b0aeb852a4c0b019555b2 |
| SHA1 | c2e08fbbbb63422faf76ba995022515836c469f4 |
| SHA256 | 8208ca87ab830a8085b8f03e4a389633f721fabf0cdb669f47f34910199ac9f6 |
| SHA512 | f6b009e9653e9dcdfc18d398f6e1979061fe37a69e74aba8810916f8cb5577e74666db1634a62339b105f486eea62daed6ea6e1a0380d865175cf25bcf545d8e |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 2f30c9be4e7bbc7251e3b60cc7888b57 |
| SHA1 | d761cea74d57caccd159c20cca1c28c4a48f7c88 |
| SHA256 | 31318405613b3a5e62aad31956448a14b501317bb2624474fe74d192acfa2d51 |
| SHA512 | f7bd32f6fb211c23fc394cf2247187f87aa916fb8fbac54115bbf05b2a061f5a605a1c588503261559597bde33ef157764e88d2bd0dd9dbff91543eb251c61e1 |
memory/4920-49-0x0000000004410000-0x0000000004420000-memory.dmp
memory/4920-50-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-51-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-52-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-53-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-54-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-55-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-57-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-56-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-60-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-59-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-58-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-61-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-62-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-63-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-64-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-66-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-65-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-70-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-69-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-68-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-74-0x0000000004410000-0x0000000004420000-memory.dmp
memory/4920-75-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-73-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-72-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-71-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-67-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-76-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-78-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-77-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-80-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-81-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-82-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-85-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-84-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-83-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-79-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-86-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-87-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-89-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-90-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-91-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-88-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-92-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-93-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-94-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-95-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-96-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-99-0x0000000004410000-0x0000000004420000-memory.dmp
memory/4920-98-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-100-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-97-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-101-0x0000000008C00000-0x0000000008C10000-memory.dmp
memory/4920-102-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-103-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-105-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-104-0x00000000097A0000-0x00000000097B0000-memory.dmp
memory/4920-106-0x0000000008C00000-0x0000000008C10000-memory.dmp