a6560d7ca0aa6cd9fed35b053740140b7f57c89a63b5f965aa2f2be3beab3501

Analysis

max time kernel
141s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nighty-Selfbot-main/sounds/error.mp3
Size

18KB
MD5

1e8f77eeaefcc75a118100ec8bdfb250
SHA1

ca8a7d35f87de220320d0c7d29bd500a42b128f4
SHA256

21efd0cc33d0bd16b9ec60795dd6770a125602b50670b7083a0ccf93cd470201
SHA512

717fedf9f05141cd638b045984b857599772be8fe9ebf1d1239bb25f7891b2239e759dda028cc870bb10d0223f4da35e779e05dde904727c4ec2e5dc18266eb6
SSDEEP

384:actkxr79DnSSD4fbPV+tPmuZGYH7/lpzLEAN+Vk0:arr79DSRPAYuZ3Hd+V/

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{F2FF4578-9538-4C32-98AE-B6FB55156ED8}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	976	wmplayer.exe
Token: SeCreatePagefilePrivilege	976	wmplayer.exe
Token: SeShutdownPrivilege	2640	unregmp2.exe
Token: SeCreatePagefilePrivilege	2640	unregmp2.exe
Token: 33	4036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4036	AUDIODG.EXE
Token: SeShutdownPrivilege	976	wmplayer.exe
Token: SeCreatePagefilePrivilege	976	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
976	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3252	976	wmplayer.exe	87
PID 976 wrote to memory of 3252	976	wmplayer.exe	87
PID 976 wrote to memory of 3252	976	wmplayer.exe	87
PID 3252 wrote to memory of 2640	3252	unregmp2.exe	88
PID 3252 wrote to memory of 2640	3252	unregmp2.exe	88

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Nighty-Selfbot-main\sounds\error.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
12eb87b4dd9bb18dae0d5978f387425e

SHA1
69bf07f8091d93d507599b899ae0064e7f5be475

SHA256
ce729ac3490c973b51f17bdd89b7bc44b9856b94fccccd1a9a3bff8685044fa0

SHA512
e5c9378373f00cbe442a0691a763eb109cb9080409f19746d968e10f1bd9b69a64506d5ad8a33825dee87763c307a72d174e6e34c18c8da5e41a20d163b754ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
1aad3f868170daf88683562166248c3b

SHA1
878c854128dc02c2461cc3d8a9ca3251a3d169d6

SHA256
416bba3981ccfc55732b82eaf6496e89f7f7b2e746a632cd0cf9fae83860e16a

SHA512
a58259d07060d39b1d314537faa3825104e6f246c00be04227bfe5bf38b05a6351914fc176a9656bb1d6776409a08630419adab5662a15c0fe1a2b73dae2bcbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
8912e80432829162a0d19ba6fa601e3c

SHA1
1a045ff94a2153d94dd3d1114130abec2eea7ced

SHA256
089a83e8c88c4e1b4bbcd7cb45999ad6a5357b8a32da605ddfded17070dad4eb

SHA512
9bcd4fc4866ff88fa273fa006ce7b28ce83d6dc08d2137dbe50816ac92b2f62838803bc181acb63de2581ca01c04de19dad779d9797769367e552966d34e4f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
670282534a42a7701dcbec2f9ff5970f

SHA1
f8bd5712d6548ff9c6b3822fdb139355b3e058bf

SHA256
9bceabde0b1898ed11bc7d81434408d2cf41745df7ed51e8d51771f52948a088

SHA512
9a9b257d09c22dc61e202a8a6699bfc49bd8e5d300f27c0ed905a62b826a50765da097ad7a1c0c91d40c0adb835539156f4626af6a9381fd4787b98391a307f5

Download Submit
memory/976-33-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/976-32-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/976-34-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/976-31-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/976-36-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/976-35-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/976-51-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/976-52-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-53-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-54-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-55-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-56-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-57-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-58-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-59-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-60-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-62-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-61-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-63-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-68-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-67-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-66-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-65-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-64-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-69-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-70-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-71-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-72-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-73-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-75-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-74-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-76-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/976-77-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-80-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-79-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-78-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-81-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-82-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-84-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-83-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-87-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-88-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-86-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-85-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-93-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-92-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-91-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-90-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-89-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-102-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-101-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/976-108-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-106-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-107-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-105-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-104-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-103-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-100-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-99-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-98-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-97-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-96-0x0000000007CF0000-0x0000000007D00000-memory.dmp

Filesize
64KB

Download
memory/976-95-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/976-94-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download