Overview

overview

6

Static

static

1

singl6.mp4

windows10-2004-x64

6

Analysis

  • max time kernel
    203s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-it
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-itlocale:it-itos:windows10-2004-x64systemwindows
  • submitted
    17-12-2024 07:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    singl6.mp4

  • Size

    318KB

  • MD5

    7449f0b436d00af0480c1b5ae0f02522

  • SHA1

    30b18eb4082b8842fea862c2860255edafc838ab

  • SHA256

    0df59ced4eb33e4729d11d315a0fd1b738710169d91a3ebcf1eab2fd64abd41d

  • SHA512

    4d80d1d8964a719d83faad5f5a27b6af3d1fdb35555aef9c0697cd7301418e038cf8c5ddebd657b5cd4644760c41d3f97e40bf3f4629ff8bbe1105487c0baf67

  • SSDEEP

    3072:3Xp62DPuQbB1xpRVtLClSE3bZtLwxZgqVVey:3XbWQbtpE0YoL

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\singl6.mp4"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:5076
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 2332
      2⤵
      • Program crash
      PID:1540
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:1892
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2628
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2876 -ip 2876
      1⤵
        PID:5008
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\singl6.mp4"
        1⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4320
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\singl6.mp4
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:5044
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3308

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
        Filesize

        384KB

        MD5

        10251ab586bff990cfc951d502199a74

        SHA1

        3c0055fed58f05c4c2bd42abc33946b816a58b31

        SHA256

        6f9718b17cb4f7f00e482a87c9f45d1e4f55d587f7179e16dd426c233c9048a5

        SHA512

        5222847d800ea93629d18b9050a97529556c1849bf8bb2be55481e0547fa42d113d0afef49aeb154b458ed883bfd6502566b1abb69193806737ff3ad2728614f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
        Filesize

        1024KB

        MD5

        a4170d0c025f3822f1a35aa19c64c030

        SHA1

        97d846ea1137ce9fe20aca61d93a1fb89cefa4f1

        SHA256

        ed7382fc2c72a30615feca207925b932cdb035acb73501e374a8c59e6523c2ce

        SHA512

        ee0080097a4bdedfccc4c005125dbb2b2267e56d89f9da5d7487edb3545e83f2410e3d8152ecbe3492faf465229af28d0ecccd6664556cc262f5f2e79b16e742

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
        Filesize

        68KB

        MD5

        4d4efe10d417e2ef19054c530abec90b

        SHA1

        f5f5495ca16e386e01f6c6076fbdcbeb282ee090

        SHA256

        245fbd23c2bfdd5037d9988d9d7a8adc4e85e136282ca4787dcf386c4cd17138

        SHA512

        cccba66a13a320b3d9bc5a379e712fae77a0a7f766570624e93d3d72c4449f9329a51667b638657540962a7b2c57243b65b25dcf81621e91efe9c070d1014bfb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
        Filesize

        498B

        MD5

        90be2701c8112bebc6bd58a7de19846e

        SHA1

        a95be407036982392e2e684fb9ff6602ecad6f1e

        SHA256

        644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

        SHA512

        d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
        Filesize

        9KB

        MD5

        5433eab10c6b5c6d55b7cbd302426a39

        SHA1

        c5b1604b3350dab290d081eecd5389a895c58de5

        SHA256

        23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

        SHA512

        207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
        Filesize

        9KB

        MD5

        7050d5ae8acfbe560fa11073fef8185d

        SHA1

        5bc38e77ff06785fe0aec5a345c4ccd15752560e

        SHA256

        cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

        SHA512

        a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
        Filesize

        1KB

        MD5

        ae5fc4f2913d6229021633df76dfd505

        SHA1

        4c53172d39f78a6cf2a375b3dd24202e6b6957ab

        SHA256

        f99e78e567896148d99b63fe41a859de9564b2d30a53493a6ec9f133172f05e9

        SHA512

        e7cbfa5b3857de83117072127cfc7db0449a5f2ec0afb447b99c1c63f6632b0fe851a1b1a045bcd6f4e2ed7c018457445bc2ba66d15ad7296d22c317e0d73bd9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
        Filesize

        1KB

        MD5

        a5fcb3c595ba82a3b0aba68e920f7ac0

        SHA1

        78fdc875ec78fed2a03a4ff9aadee3e8d565ff26

        SHA256

        e6e7485a0c0ba0244492f76590bfb6bd031b2d73cb442f50ffeace63536276a0

        SHA512

        d25dbc361d40dc017204d754eb8a1e2474a496d824ab42df94ec4e01e96dabecdb70eaaf4a922698a1e3b977a47fed5983c0fe504b75b558106a7a55f7491d28

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
        Filesize

        3KB

        MD5

        3394a12f4a786a8c95eff8c633b61007

        SHA1

        edc43d17e9f45dcc54b6fead42c0a49526cefd84

        SHA256

        84700a1beb8adbef99634cf0961b88b97d78b31750dc809d8666cf42973f0f05

        SHA512

        9b2f20057e221b2b1267382a68f7a8022ef81d34e21cf43cee8a888ce1e199afa10369c7c91b8e85d38be3c7e61a36c3612658234701b1356c829f103e0342cc

        Download Submit

      • memory/2876-40-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-41-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-39-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-43-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-44-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-42-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-38-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-37-0x0000000009D50000-0x0000000009D60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2876-36-0x00000000052F0000-0x0000000005300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4320-81-0x00007FF958000000-0x00007FF958017000-memory.dmp

        Filesize

        92KB

        Download

      • memory/4320-95-0x00007FF93E770000-0x00007FF93E87E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4320-78-0x00007FF957BD0000-0x00007FF957C04000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4320-86-0x00007FF9521A0000-0x00007FF9521B1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4320-85-0x00007FF9521C0000-0x00007FF9521DD000-memory.dmp

        Filesize

        116KB

        Download

      • memory/4320-84-0x00007FF9521E0000-0x00007FF9521F1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4320-83-0x00007FF952DE0000-0x00007FF952DF7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/4320-82-0x00007FF957C90000-0x00007FF957CA1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4320-79-0x00007FF9420A0000-0x00007FF942356000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4320-80-0x00007FF958430000-0x00007FF958448000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4320-87-0x00007FF941E90000-0x00007FF94209B000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4320-92-0x00007FF952000000-0x00007FF952011000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4320-94-0x00007FF951B20000-0x00007FF951B31000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4320-77-0x00007FF7F41C0000-0x00007FF7F42B8000-memory.dmp

        Filesize

        992KB

        Download

      • memory/4320-93-0x00007FF951B40000-0x00007FF951B51000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4320-91-0x00007FF952130000-0x00007FF952148000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4320-90-0x00007FF9520D0000-0x00007FF9520F1000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4320-89-0x00007FF952150000-0x00007FF952191000-memory.dmp

        Filesize

        260KB

        Download

      • memory/4320-88-0x00007FF93EF20000-0x00007FF93FFD0000-memory.dmp

        Filesize

        16.7MB

        Download

      • memory/4320-96-0x000001BC50320000-0x000001BC51B8F000-memory.dmp

        Filesize

        24.4MB

        Download

      • memory/4320-107-0x00007FF7F41C0000-0x00007FF7F42B8000-memory.dmp

        Filesize

        992KB

        Download

      • memory/4320-109-0x00007FF9420A0000-0x00007FF942356000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4320-111-0x00007FF93E770000-0x00007FF93E87E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4320-108-0x00007FF957BD0000-0x00007FF957C04000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4320-110-0x00007FF93EF20000-0x00007FF93FFD0000-memory.dmp

        Filesize

        16.7MB

        Download