Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2025, 09:59
Static task: static1
Behavioral task: behavioral1
- Sample: lighthouse_teslacrypt_ransomware.mp4
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: lighthouse_teslacrypt_ransomware.mp4
- Resource: win10v2004-20241007-en
General
- Target: lighthouse_teslacrypt_ransomware.mp4
- Size: 3.1MB
- MD5: 577c4a77455c945bf638349a16aa9b47
- SHA1: ff9139369ebf187e64c86348132dfb5f20bd4ac9
- SHA256: c7503cdbc638d4886e9b06942b9afc345f041663734963b49fb25e1577287c46
- SHA512: 64a5510ca8c19915c9a88a524ca12731d2cb7b672d84f9db58c0aac7e39e1d89cf50981078dbcb905fd75f259124b9aee055e2d6fc95387023345c770313283c
- SSDEEP: 49152:pHZUdEm4AOcOgifdrIstug5mBdNUQIAfe3o7DDeh+HAjADJEsgBUEG5o5OpaRWC3:pHZA74A9UfOCmHIRoDeCJDGVBvG5o5O0
Malware Config
Signatures
-
Drops desktop.ini file(s) 7 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | wmplayer.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unregmp2.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{B05105B0-FB8B-42B7-B687-2139906E8F35} | wmplayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | wmplayer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | wmplayer.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1968 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 1968 | unregmp2.exe
Token: SeShutdownPrivilege | 2108 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 2108 | wmplayer.exe
Token: 33 | 4848 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4848 | AUDIODG.EXE
Token: SeShutdownPrivilege | 2108 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 2108 | wmplayer.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2108 | wmplayer.exe
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 2108 wrote to memory of 1416 | 2108 | wmplayer.exe | 82
PID 2108 wrote to memory of 1416 | 2108 | wmplayer.exe | 82
PID 2108 wrote to memory of 1416 | 2108 | wmplayer.exe | 82
PID 1416 wrote to memory of 1968 | 1416 | unregmp2.exe | 83
PID 1416 wrote to memory of 1968 | 1416 | unregmp2.exe | 83
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID: 2108)
Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\lighthouse_teslacrypt_ransomware.mp4"
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\unregmp2.exe (PID: 1416, child of 2108)
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\unregmp2.exe (PID: 1968, child of 1416)
        Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID: 220)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
- Drops file in Windows directory

C:\Windows\system32\AUDIODG.EXE (PID: 4848)
Command line: C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4bc
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads