881bf1bf5880f7ff149fba3edf48efbd35935ad977b86a2a40974765903ab272

Analysis

max time kernel
123s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Σπουδάζω Εργοθεραπεία!.mp4
Size

5.1MB
MD5

1f1f45d56195e14382ed52303e96b16f
SHA1

bedeea8cd5948702e23da520a1dad4de618759ae
SHA256

881bf1bf5880f7ff149fba3edf48efbd35935ad977b86a2a40974765903ab272
SHA512

e4429bca6a47a1d44797dd20103de1bcb27018064704232c5f4738c957c9475dfc570d0859738aa7a1c10f061c4c99add050d58048fe2fc806f83d7de3613a1d
SSDEEP

98304:WoHjWilp00rfyxZVwbcs+d0NSlGjt7UGepGa:WoDWs08f6Zu7+d4RhUGepGa

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

Processes:

wmplayer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

Processes:

wmplayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{7867CE79-27EE-4E4C-AE0A-F0103212E783}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

unregmp2.exewmplayer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	4160	unregmp2.exe
Token: SeCreatePagefilePrivilege	4160	unregmp2.exe
Token: SeShutdownPrivilege	3124	wmplayer.exe
Token: SeCreatePagefilePrivilege	3124	wmplayer.exe
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE
Token: SeShutdownPrivilege	3124	wmplayer.exe
Token: SeCreatePagefilePrivilege	3124	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wmplayer.exe

pid process

3124 wmplayer.exe

pid	process
3124	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 3124 wrote to memory of 4504	3124	wmplayer.exe	unregmp2.exe
PID 3124 wrote to memory of 4504	3124	wmplayer.exe	unregmp2.exe
PID 3124 wrote to memory of 4504	3124	wmplayer.exe	unregmp2.exe
PID 4504 wrote to memory of 4160	4504	unregmp2.exe	unregmp2.exe
PID 4504 wrote to memory of 4160	4504	unregmp2.exe	unregmp2.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Σπουδάζω Εργοθεραπεία!.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
ed6403a9e04010f1dec738de07aa712e

SHA1
1c106b90e799899f7b7d87430272720f05a47b2f

SHA256
65ac91d9fa770fe2025fa0866dcdbad3a33087f3aa7974150ad0d6d0c2b87432

SHA512
1ac9e6c73f062b10b5af5abf4131827ef347ecaf2295168d2f0ff92a03513a97634a2dcc0dbad40cd4427446fc76673749bbea4988eade919608d174117654b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
e115fed2024dfb1334d5f6132cce3bb0

SHA1
52c1e40e24764a2070cde2087e2c350df86018bb

SHA256
39437acb4aa5a872a492f0c23822d868cba1a6a05681bcd70ecaee66438f036e

SHA512
5837e8f9167c1cf9012faaeb770ef812a7c3329c42c309c9f608979ef71fcb23795165f43ceac2f9ea589c404034e146cefc5f810973fc346316de5b220b2f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
6aaa9c2cd5dcc649debe2279a7f56e6e

SHA1
8db9ee2a210828b5fbc4c2e5bf6e9312b3df2676

SHA256
ce7fb1b372642cafcc1ad716210f82635db7c0d0454935f99e4cae7a2e7958d8

SHA512
3d36f78c6415526affbcc3f96b21e9efb181e6217d558db730c447386adfe593d3ebc933b41ce19670fdeeb1d62d936b8bf2d7843a38db4d7b336261bb5cc3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
73102c34ef1098572ec14e6415eb94eb

SHA1
38dbe598987b457bd26e8e4c4eefb70db51adf1b

SHA256
c5f9e95e24cd003094680de0a293f4237e3e7d195ec053b6cc97e56578e8ff2a

SHA512
963596afd9d3844fc83f3e93f406e21c2562012e14b75c2a8d332e5e79aff98782d179f568bb15c568fa72888d1d81ef371ef83b348848c04a904ddb80896a97

Download Submit
memory/3124-31-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3124-30-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3124-29-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3124-32-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3124-33-0x00000000079C0000-0x00000000079D0000-memory.dmp

Filesize
64KB

Download
memory/3124-34-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-37-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3124-36-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3124-35-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-38-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-53-0x0000000009E50000-0x0000000009E60000-memory.dmp

Filesize
64KB

Download
memory/3124-54-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-55-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-56-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-57-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-58-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-59-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-61-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-60-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-64-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-63-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-62-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-65-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-66-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-70-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-69-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-68-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-67-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-71-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-73-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-72-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-74-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-78-0x0000000009E50000-0x0000000009E60000-memory.dmp

Filesize
64KB

Download
memory/3124-77-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-76-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-75-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-79-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-80-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-81-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-82-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-85-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-86-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-89-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-88-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-87-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-84-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-83-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-90-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-92-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-91-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-95-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-94-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-93-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-96-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-97-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-98-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-99-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-100-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-101-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-102-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download
memory/3124-103-0x0000000009E50000-0x0000000009E60000-memory.dmp

Filesize
64KB

Download
memory/3124-104-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-105-0x0000000009F20000-0x0000000009F30000-memory.dmp

Filesize
64KB

Download
memory/3124-106-0x0000000009B40000-0x0000000009B50000-memory.dmp

Filesize
64KB

Download