a6560d7ca0aa6cd9fed35b053740140b7f57c89a63b5f965aa2f2be3beab3501

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nighty-Selfbot-main/sounds/success.mp3
Size

29KB
MD5

2a8b6d25b3c660314795970170d1a8f4
SHA1

3d2832e1e080bfb9f3eb3877edac503a3e714946
SHA256

0b5ec3c6be956ea6aa64ef3fbdfb0e2d3a6b31c66fb1f8fb86692bd25e5b7358
SHA512

61342ad08fe788a68ba637262158ff4d9c78e4ac402582b17b93ffc17c7aaeb39b8dee91212805ffed6ad59115b615cc1082d1bd1c5c1d617aa39e3dde86055e
SSDEEP

768:LjVCBcCPRWQPOfCF5QSiFPezv2XlAH0NF0BNIBk7:t4RW+OfCF5QSiUzenF0bD7

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{8AAEE4B1-24E6-426B-8C09-E6847A68B479}	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1464	wmplayer.exe
Token: SeCreatePagefilePrivilege	1464	wmplayer.exe
Token: SeShutdownPrivilege	3740	unregmp2.exe
Token: SeCreatePagefilePrivilege	3740	unregmp2.exe
Token: 33	2384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2384	AUDIODG.EXE
Token: SeShutdownPrivilege	1464	wmplayer.exe
Token: SeCreatePagefilePrivilege	1464	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1464	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4004	1464	wmplayer.exe	86
PID 1464 wrote to memory of 4004	1464	wmplayer.exe	86
PID 1464 wrote to memory of 4004	1464	wmplayer.exe	86
PID 4004 wrote to memory of 3740	4004	unregmp2.exe	87
PID 4004 wrote to memory of 3740	4004	unregmp2.exe	87

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Nighty-Selfbot-main\sounds\success.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:5044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
f1041515a74f5aa8a2a897a42dbad2d9

SHA1
c3c2204c64dc5cdd39e6782c6f979af704c3b699

SHA256
cd2d6fb40b9033801167e516b94dcff1dc385fe74c38faf238ada53a09433a92

SHA512
9e749389398eb6ff3faa4269d109107962cb7e711977ba8aca99a74e7b5e6aab2b7100f09668374a1e94350eafc8b53084edfce52ec08b88bb27f83325155639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
e86874b074c0b15b2363c9d0e0f16c3d

SHA1
34d582a8e00afd37d1cb672f242f0619712ef562

SHA256
f45e5677ad179487fdc156bbb82fb86b6ca592189b33ec8642e9d7cc6dac7d1d

SHA512
e11e8a8fdceda842956e067130e428b429018400b79ba0c13a5f64fe51786a849a582ecebe14c834a3df54a9e4023278c9940ed6f58883de377d214daa3da70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
7dc41a9fdaf704fcf8ef3cd567f53816

SHA1
024546196a083de6be6ecae7546fe3b6aca6b33f

SHA256
1ae3ee34d922b5800ce5a19c924026abb00f37d4ded8d533d80c1bed1908599b

SHA512
bdef32abc7a65789cd3d1004ee31ee44442b3f7ed37ecfc021cc6ae4ac198089c467acfae30110f9f8dbac38ed088ea2964924f3c7131516b45671d134791115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
d03d8ecbeba560589b423df676d33c1b

SHA1
201552978609f2fd35709b1f39ebe3e419769061

SHA256
e4bfdc22919af0caf44e7d5e7ccaef29c9922e446e205f1ce28811dda5743e45

SHA512
0392b82ab72fcd001411d08439a3ab74219d77ac302511aaf7eddb9bc3e46047df9208812c72a00055c6128280e0f1c33f5b5effce8b96265a2f124124eb7f1b

Download Submit
memory/1464-28-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1464-31-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1464-29-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1464-30-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1464-33-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1464-32-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/1464-44-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/1464-47-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-50-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-51-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-52-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-53-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-54-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-55-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-56-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-59-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-58-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-57-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-60-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-61-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-65-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-64-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-63-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-62-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-73-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/1464-74-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-72-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-71-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-70-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-69-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-68-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-84-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-85-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-83-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-90-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-89-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-99-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-98-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download
memory/1464-105-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-104-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-103-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-102-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-101-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-100-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-97-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-96-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-95-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-94-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-93-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-92-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-91-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-88-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-87-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-86-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-82-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-81-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-80-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-79-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-78-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-77-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-76-0x0000000008770000-0x0000000008780000-memory.dmp

Filesize
64KB

Download
memory/1464-75-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-67-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download
memory/1464-66-0x00000000086E0000-0x00000000086F0000-memory.dmp

Filesize
64KB

Download