Analysis
-
max time kernel
1774s -
max time network
1145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 20:09
Static task
static1
Behavioral task
behavioral1
Sample
Lil Peep & Lil Tracy - your favorite dress (Official Video).mp4
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Lil Peep & Lil Tracy - your favorite dress (Official Video).mp4
Resource
win10v2004-20241007-en
General
-
Target
Lil Peep & Lil Tracy - your favorite dress (Official Video).mp4
-
Size
62.4MB
-
MD5
73de367d7b754950673072def033109d
-
SHA1
dee3eda5680f716d5e6ba7002256300aa10df977
-
SHA256
b6c406250626cc4a60632395be6a99562eb16c7cd3db5454eff6fd3d23f91417
-
SHA512
3fe066e19489b6f051f6dc182d074b0397badea436ca5eb5fd2ab864f9551042f63cf9622ba58e577d7ada2d80f4dc6fb28f0806acf1936d687a03b0d5f24a74
-
SSDEEP
1572864:J9kTpowqOvOZCiLmoyqjUnppXKyusWN+Kulj:fSpRUQnphKyuspK2j
Malware Config
Signatures
-
Drops desktop.ini file(s) 7 IoCs
description                   ioc                                   Process
File opened for modification  C:\Users\Admin\Videos\desktop.ini     wmplayer.exe
File opened for modification  C:\Users\Public\Videos\desktop.ini    wmplayer.exe
File opened for modification  C:\Users\Admin\Pictures\desktop.ini   wmplayer.exe
File opened for modification  C:\Users\Public\Pictures\desktop.ini  wmplayer.exe
File opened for modification  C:\Users\Admin\Music\desktop.ini      wmplayer.exe
File opened for modification  C:\Users\Public\desktop.ini           wmplayer.exe
File opened for modification  C:\Users\Public\Music\desktop.ini     wmplayer.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\N:  unregmp2.exe
File opened (read-only)  \??\J:  wmplayer.exe
File opened (read-only)  \??\X:  wmplayer.exe
File opened (read-only)  \??\E:  wmplayer.exe
File opened (read-only)  \??\K:  wmplayer.exe
File opened (read-only)  \??\V:  wmplayer.exe
File opened (read-only)  \??\I:  unregmp2.exe
File opened (read-only)  \??\J:  unregmp2.exe
File opened (read-only)  \??\W:  unregmp2.exe
File opened (read-only)  \??\X:  unregmp2.exe
File opened (read-only)  \??\Y:  unregmp2.exe
File opened (read-only)  \??\W:  wmplayer.exe
File opened (read-only)  \??\P:  wmplayer.exe
File opened (read-only)  \??\U:  wmplayer.exe
File opened (read-only)  \??\B:  unregmp2.exe
File opened (read-only)  \??\L:  unregmp2.exe
File opened (read-only)  \??\O:  unregmp2.exe
File opened (read-only)  \??\Q:  unregmp2.exe
File opened (read-only)  \??\S:  unregmp2.exe
File opened (read-only)  \??\Q:  wmplayer.exe
File opened (read-only)  \??\K:  unregmp2.exe
File opened (read-only)  \??\M:  unregmp2.exe
File opened (read-only)  \??\T:  unregmp2.exe
File opened (read-only)  \??\B:  wmplayer.exe
File opened (read-only)  \??\N:  wmplayer.exe
File opened (read-only)  \??\L:  wmplayer.exe
File opened (read-only)  \??\R:  wmplayer.exe
File opened (read-only)  \??\T:  wmplayer.exe
File opened (read-only)  \??\H:  unregmp2.exe
File opened (read-only)  \??\R:  unregmp2.exe
File opened (read-only)  \??\U:  unregmp2.exe
File opened (read-only)  \??\V:  unregmp2.exe
File opened (read-only)  \??\Z:  unregmp2.exe
File opened (read-only)  \??\Z:  wmplayer.exe
File opened (read-only)  \??\E:  unregmp2.exe
File opened (read-only)  \??\G:  wmplayer.exe
File opened (read-only)  \??\S:  wmplayer.exe
File opened (read-only)  \??\A:  unregmp2.exe
File opened (read-only)  \??\H:  wmplayer.exe
File opened (read-only)  \??\I:  wmplayer.exe
File opened (read-only)  \??\O:  wmplayer.exe
File opened (read-only)  \??\G:  unregmp2.exe
File opened (read-only)  \??\P:  unregmp2.exe
File opened (read-only)  \??\A:  wmplayer.exe
File opened (read-only)  \??\M:  wmplayer.exe
File opened (read-only)  \??\Y:  wmplayer.exe
-
Drops file in Windows directory 2 IoCs
description                   ioc                                                                                                    Process
File created                  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll  svchost.exe
File opened for modification  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll  svchost.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wmplayer.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  unregmp2.exe
-
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{9CCE4BD5-8FA6-4D26-AEEF-8DA579A666F1}  wmplayer.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description                        pid   Process
Token: SeShutdownPrivilege         1076  wmplayer.exe
Token: SeCreatePagefilePrivilege   1076  wmplayer.exe
Token: SeShutdownPrivilege         1548  unregmp2.exe
Token: SeCreatePagefilePrivilege   1548  unregmp2.exe
Token: 33                          4588  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  4588  AUDIODG.EXE
Token: SeShutdownPrivilege         1076  wmplayer.exe
Token: SeCreatePagefilePrivilege   1076  wmplayer.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1076  wmplayer.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description                       pid   Process       procid_target
PID 1076 wrote to memory of 4472  1076  wmplayer.exe  82
PID 1076 wrote to memory of 4472  1076  wmplayer.exe  82
PID 1076 wrote to memory of 4472  1076  wmplayer.exe  82
PID 4472 wrote to memory of 1548  4472  unregmp2.exe  83
PID 4472 wrote to memory of 1548  4472  unregmp2.exe  83
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Lil Peep & Lil Tracy - your favorite dress (Official Video).mp4"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1076
  -
  C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4472
    -
    C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      PID:1548
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory
  PID:1920
-
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x508 0x4cc
  - Suspicious use of AdjustPrivilegeToken
  PID:4588

Reading the tree: indentation shows parent/child nesting. The 32-bit wmplayer.exe (Program Files (x86)) launches C:\Windows\System32\unregmp2.exe, which WOW64 file-system redirection resolves to the SysWOW64 copy shown as the image path; that 32-bit copy then starts the native 64-bit binary through the SysNative alias with /REENTRANT. svchost.exe (upnphost) and AUDIODG.EXE are listed at the top level, not under wmplayer.exe, so the WriteProcessMemory and drive-enumeration hits in the signature tables are confined to the player and its two unregmp2.exe descendants.
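As an added example (not part of this report or of any sandbox vendor's code), the Python script below parses the flattened "Enumerates connected drives" and "Suspicious use of WriteProcessMemory" rows from the signature tables above, together with the PID/image pairs from the process tree, into structured records: the drive letters each process probed, the letters no process touched, and the parent chain of a given PID. The embedded strings are the rows as they appear on this page; the helper names (parse_drive_enum, parse_wpm, ancestry, unprobed_letters) are this example's own.

```python
"""Structure the flattened signature tables of a sandbox report.

Added example: the row strings below are copied from this report page,
the helper names are the example's own.
"""
import re
import string
from collections import defaultdict

# "Enumerates connected drives" rows, copied from the page (description, ioc, Process).
DRIVE_ROWS = r"""
File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe
File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe
File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe
File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe
File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe
File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\W: wmplayer.exe
File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe
File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe
File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe
File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\Q: wmplayer.exe
File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe
File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe
File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe
File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe
File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe
File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe
File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\Z: wmplayer.exe
File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\G: wmplayer.exe
File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe
File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe
File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\G: unregmp2.exe
File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe
File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe
"""

# "Suspicious use of WriteProcessMemory" rows (description, pid, Process, procid_target).
WPM_ROWS = """
PID 1076 wrote to memory of 4472 1076 wmplayer.exe 82
PID 1076 wrote to memory of 4472 1076 wmplayer.exe 82
PID 1076 wrote to memory of 4472 1076 wmplayer.exe 82
PID 4472 wrote to memory of 1548 4472 unregmp2.exe 83
PID 4472 wrote to memory of 1548 4472 unregmp2.exe 83
"""

# pid -> image name, taken from the Processes section of the page.
PROCESSES = {
    1076: "wmplayer.exe", 4472: "unregmp2.exe", 1548: "unregmp2.exe",
    1920: "svchost.exe", 4588: "AUDIODG.EXE",
}

# One row = "File opened (read-only) \??\<letter>: <image>"; the regex splits the
# flattened text back into rows without relying on line breaks.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
# One row = "PID <p> wrote to memory of <c> <p> <image> <n>"; \1 ties the two copies of <p>.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_drive_enum(text):
    """Map each process image to the sorted list of drive letters it probed."""
    probed = defaultdict(set)
    for letter, image in DRIVE_RE.findall(text):
        probed[image].add(letter)
    return {image: sorted(letters) for image, letters in probed.items()}


def unprobed_letters(probed):
    """Drive letters that no process in the table opened (here C, D and F)."""
    touched = set().union(*probed.values())
    return sorted(set(string.ascii_uppercase) - touched)


def parse_wpm(text):
    """Collapse repeated rows into unique (parent_pid, parent_image, child_pid) edges.

    A parent writing into a child it has just created is what ordinary process
    creation looks like to a sandbox, so the edge is the signal, not the repeat count.
    """
    edges = {(int(p), image, int(c)) for p, c, image in WPM_RE.findall(text)}
    return sorted(edges)


def ancestry(edges, pid):
    """Walk parent links from pid upward; returns [(pid, image), ...] root first."""
    parent_of = {child: parent for parent, _image, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [(p, PROCESSES.get(p, "?")) for p in reversed(chain)]


if __name__ == "__main__":
    probed = parse_drive_enum(DRIVE_ROWS)
    for image, letters in sorted(probed.items()):
        print(f"{image}: {len(letters)} drives ({''.join(letters)})")
    print("never probed:", "".join(unprobed_letters(probed)))
    edges = parse_wpm(WPM_ROWS)
    print("parent chain of 1548:", " -> ".join(f"{img}({p})" for p, img in ancestry(edges, 1548)))
```

Both wmplayer.exe and unregmp2.exe open 23 letters, every drive except C:, D: and F:, which matches the 46-IoC count in the table and the signature's own description of probing drives other than the default C:. The WriteProcessMemory rows collapse to two edges, 1076 to 4472 and 4472 to 1548, which is exactly the wmplayer.exe to unregmp2.exe to unregmp2.exe chain in the process tree.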
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
256KB
MD5
563088ad0f20fabf9dd62c6ba8ae1636
SHA1
f9cd2fd153afa1a12ff990cf27c32b8c9c44e878
SHA256
eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184
SHA512
8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092
-
Filesize
1024KB
MD5
1f58ca583f202b73d2ec9497acf5b1f8
SHA1
2c0e0fecfcb0489fb4f22b21d9b08c6bc8dd7c33
SHA256
5145e7f85218067b314e50a18bfea7e1ba8e4b54fec2fbafbbd624b172d39356
SHA512
a5c961a1a22eb69afb7e83ed6e050affb0caa15c073eaca55d0539067fe06f85991a098c308daf6262604651a43bf6de44cbffd2cc36190258565d3836191f32
-
Filesize
68KB
MD5
c366a1397c431403d12711e5d3525501
SHA1
cee3c354a16d910551e8a1ba6c3410cf2a128f19
SHA256
409519627f0fca87805781902bba50bdb3b09e91e7f1c1eae9e0ba275cbab1b0
SHA512
a4e77bd42553970867c2cd53021155e19cfb6495bfe2acbcf1de841d2e76f47ba8ded766e6a2aca2cfb0dca230fbed326d9c43e76b29e63d32b130a25dff7d89
-
Filesize
498B
MD5
90be2701c8112bebc6bd58a7de19846e
SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD5
7050d5ae8acfbe560fa11073fef8185d
SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD5
ca2a83bb8e7337588747e561fe5bc43e
SHA1
b2456d76adf08d290c1369a80f0650eaf3d4c896
SHA256
6160c5bf4b76f82be5d514874212331327aa5ef58f3a3031cedba03b0feab4be
SHA512
59db10910dba9ab9db75f397e85baf7964c9f7bdb0a4c6ae96c43a0c75fb99e2d921e5546b7c810c71bf0eb79ea516d123f3a468668b56b1061c9402df9623e4