Analysis
max time kernel: 29s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2025, 10:45
Static task: static1
Behavioral task: behavioral1
  Sample: bewm.mov
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: bewm.mov
  Resource: win10v2004-20241007-en
General
Target: bewm.mov
Size: 766KB
MD5: 2fe7334666b7da49de744e0f83f6b237
SHA1: e0376277c4e788a6e51e20f78e27275a37af2b2b
SHA256: b98f6794703b2327b9b72011950d8831b0323fc959c5ee5b8a31b90eea007334
SHA512: deb8d4a66a82cf5bf9827ba76911d7cbbc0d5f44905ed137a2b558c30c2279a6a83f50f05b3e4fca957e557a5a02482fb9dd905ec10a06cbcc90af7c831c80e3
SSDEEP: 12288:HoQyN1mkXViCdZIKB1NSskgKycJse+UYnpcJHUzRc0DVrHL8i0zvtKX79/J8EB:HoQyrmkF7ZloXwcJszUYKUVBrHprkEB
Malware Config
Signatures
Drops desktop.ini file(s) (7 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | wmplayer.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | wmplayer.exe
File opened (read-only) | \??\M: | wmplayer.exe
File opened (read-only) | \??\V: | wmplayer.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\H: | wmplayer.exe
File opened (read-only) | \??\W: | wmplayer.exe
File opened (read-only) | \??\R: | wmplayer.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\O: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\L: | wmplayer.exe
File opened (read-only) | \??\P: | wmplayer.exe
File opened (read-only) | \??\Q: | wmplayer.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\E: | wmplayer.exe
File opened (read-only) | \??\I: | wmplayer.exe
File opened (read-only) | \??\N: | wmplayer.exe
File opened (read-only) | \??\U: | wmplayer.exe
File opened (read-only) | \??\T: | wmplayer.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\I: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\O: | wmplayer.exe
File opened (read-only) | \??\Y: | wmplayer.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\A: | wmplayer.exe
File opened (read-only) | \??\G: | wmplayer.exe
File opened (read-only) | \??\S: | wmplayer.exe
File opened (read-only) | \??\X: | wmplayer.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\B: | wmplayer.exe
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\J: | wmplayer.exe
File opened (read-only) | \??\Z: | wmplayer.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unregmp2.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{770F6583-E6F1-4DBF-B50F-BBD0F72D3E5A} | wmplayer.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1900 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 1900 | wmplayer.exe
Token: SeShutdownPrivilege | 2176 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 2176 | unregmp2.exe
Token: 33 | 3220 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3220 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1900 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 1900 | wmplayer.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1900 | wmplayer.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 1900 wrote to memory of 3952 | 1900 | wmplayer.exe | 83
PID 1900 wrote to memory of 3952 | 1900 | wmplayer.exe | 83
PID 1900 wrote to memory of 3952 | 1900 | wmplayer.exe | 83
PID 3952 wrote to memory of 2176 | 3952 | unregmp2.exe | 84
PID 3952 wrote to memory of 2176 | 3952 | unregmp2.exe | 84
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\bewm.mov"
  PID: 1900
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\unregmp2.exe
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    PID: 3952
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\unregmp2.exe
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      PID: 2176
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  PID: 716
  - Drops file in Windows directory

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2cc 0x3f4
  PID: 3220
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads