Analysis
-
max time kernel
1796s -
max time network
1152s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
04-12-2024 00:21
Static task
static1
Behavioral task
behavioral1
Sample
Family Guy S1xE2 The broccoli must die.mp3
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
Family Guy S1xE2 The broccoli must die.mp3
Resource
win11-20241007-en
General
-
Target
Family Guy S1xE2 The broccoli must die.mp3
-
Size
321KB
-
MD5
4b488aefbc3b75599a8875694daf54e9
-
SHA1
e4158542b96e29c07942261ecb8dab38b673f5e5
-
SHA256
68d54867643f1c0c4d77051d87c29d520062d8eb6473e953653d93ddcdd1bd92
-
SHA512
555a0e22593b3bea910d4cc0082889b334435b47bac7bbc5d4df19212ceba3d619ddef026ef8f21462122649e1d85ad3682bf9266f9c629831982ac3bc4d914d
-
SSDEEP
6144:HJD+tGGDQni8qFyFt6UE8LLpgpH00+YMDngNESkK2hlI8QWZ6Y3CFi23XH0PcOqE:1+XMoEgUBPg00+1fK2hKMZ5yFtL/rM1j
Malware Config
Signatures
-
Drops desktop.ini file(s) 7 IoCs
Processes: wmplayer.exe
description | ioc | Process
File opened for modification | C:\Users\Public\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\desktop.ini | wmplayer.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: unregmp2.exe, wmplayer.exe
description | ioc | Process
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\A: | wmplayer.exe
File opened (read-only) | \??\B: | wmplayer.exe
File opened (read-only) | \??\K: | wmplayer.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\O: | wmplayer.exe
File opened (read-only) | \??\J: | wmplayer.exe
File opened (read-only) | \??\Q: | wmplayer.exe
File opened (read-only) | \??\W: | wmplayer.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\G: | wmplayer.exe
File opened (read-only) | \??\P: | wmplayer.exe
File opened (read-only) | \??\U: | wmplayer.exe
File opened (read-only) | \??\V: | wmplayer.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\T: | wmplayer.exe
File opened (read-only) | \??\Z: | wmplayer.exe
File opened (read-only) | \??\M: | wmplayer.exe
File opened (read-only) | \??\N: | wmplayer.exe
File opened (read-only) | \??\R: | wmplayer.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\E: | wmplayer.exe
File opened (read-only) | \??\H: | wmplayer.exe
File opened (read-only) | \??\S: | wmplayer.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\X: | wmplayer.exe
File opened (read-only) | \??\Y: | wmplayer.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\I: | wmplayer.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\L: | wmplayer.exe
-
Drops file in Windows directory 2 IoCs
Processes: svchost.exe
description | ioc | Process
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: wmplayer.exe, unregmp2.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unregmp2.exe
-
Modifies registry class 1 IoCs
Processes: wmplayer.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{B5B990C8-292D-4D3B-9F47-8926E23A3798} | wmplayer.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: wmplayer.exe, unregmp2.exe, AUDIODG.EXE
description | pid | Process
Token: SeShutdownPrivilege | 4480 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 4480 | wmplayer.exe
Token: SeShutdownPrivilege | 2092 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 2092 | unregmp2.exe
Token: 33 | 32 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 32 | AUDIODG.EXE
Token: SeShutdownPrivilege | 4480 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 4480 | wmplayer.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: wmplayer.exe
pid | Process
4480 | wmplayer.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: wmplayer.exe, unregmp2.exe
description | pid | Process | procid_target
PID 4480 wrote to memory of 564 | 4480 | wmplayer.exe | 77
PID 4480 wrote to memory of 564 | 4480 | wmplayer.exe | 77
PID 4480 wrote to memory of 564 | 4480 | wmplayer.exe | 77
PID 564 wrote to memory of 2092 | 564 | unregmp2.exe | 78
PID 564 wrote to memory of 2092 | 564 | unregmp2.exe | 78
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Family Guy S1xE2 The broccoli must die.mp3"
Depth: 1
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4480
    C:\Windows\SysWOW64\unregmp2.exe
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    Depth: 2
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:564
        C:\Windows\system32\unregmp2.exe
        Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        Depth: 3
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        PID:2092
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
Depth: 1
- Drops file in Windows directory
PID:3696
-
C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E0
Depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:32
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
64KB
MD5 066f6e5acfff197d12b550ef7d452d41
SHA1 aaa8cfa5a56519594490d069f31a42a15ca515a2
SHA256 cac3a8354c7766b4ce0900bf4d8097bf372ec405a6af4bba63a6d92132932a30
SHA512 21c3985bdc883b7c0fcdfb660a577eb03870943d9e812a24726158b6c06cc36b00425fdeafddcb099fddd1488173280563f7241c9589e69d04d1eb1b5daa786b
-
Filesize
1024KB
MD5 e1352c3f7fdb9af41e0effc67cf10a10
SHA1 443c9d3153cc3a481043c6901c1fa292317c944d
SHA256 18acd134d59416821a16a7ce4253bb916affdc3b9d79e7aa1d9465d6252066cb
SHA512 533680e24c5033ae6167ce49c3d985917e6f6e3a48f86956f3eab05fffd296a2f05eba60a0f8a187b5695ae35b881f9e7781b5ce2565c1ded26cf3e0407aa57b
-
Filesize
68KB
MD5 6a4035d17b5d4558e083345095dd1df8
SHA1 7953ee402f850714d1750edb33d3921bbd08842d
SHA256 48ecf354b6f16baa1e1acab9912ee9a8ad6914ab42fe68814d1ceb3f610afb55
SHA512 8f278e5af72b6635e25182fca073caf3f0c9e6a986d4776d35f5b119e9175adf7ce2b26990e4b13923ec5fc38403acb31b1aa17ccd90d60b21f9ca58e9795b2b
-
Filesize
498B
MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD5 e42beb461980d1a250c33c9965cbb59d
SHA1 a8f5989a6e09a39a44e4f47487db5b8256e82af4
SHA256 c3f7524862839b8432c8815138d4489779b25716b7f304f9f702f0635a980138
SHA512 1ea53f942b1cd7e0731902f529e550f9adc48e14ea55f364b6f46311c77ecf52205ebcefa8f3d6128ac649c62360805e3d29c3e8d99de222b36379a3943233e3