87e875dbcb220c06eeef00fba2f38304cb3028641df26d1799c6b8534ec1ce1e

Analysis

max time kernel
132s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChessBotX Trial/voiceover/a1.mp3
Size

2KB
MD5

ced1aa96b588829bb1c912b93b09882f
SHA1

1f9b35d87bfe06d0f6c04a9b54dffa4723350e80
SHA256

2a256643b2387848eac75a6af0b5e9f861ee552255525edf1cc0455c6870830d
SHA512

defa510c092c30af42fab5f76dc78d5e76b5ad7a862f7b6348309518c4e81728023f0f9e5273c6b4b6f333f87c7d02dd7a10b4d774d18839362ee75440f1cee6

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{F29D988E-B004-44B5-BE06-6DD33F70B60C}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3404	wmplayer.exe
Token: SeCreatePagefilePrivilege	3404	wmplayer.exe
Token: SeShutdownPrivilege	4824	unregmp2.exe
Token: SeCreatePagefilePrivilege	4824	unregmp2.exe
Token: 33	4596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4596	AUDIODG.EXE
Token: SeShutdownPrivilege	3404	wmplayer.exe
Token: SeCreatePagefilePrivilege	3404	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3404	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3144	3404	wmplayer.exe	85
PID 3404 wrote to memory of 3144	3404	wmplayer.exe	85
PID 3404 wrote to memory of 3144	3404	wmplayer.exe	85
PID 3144 wrote to memory of 4824	3144	unregmp2.exe	87
PID 3144 wrote to memory of 4824	3144	unregmp2.exe	87

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\ChessBotX Trial\voiceover\a1.mp3"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
c374c25875887db7d072033f817b6ce1

SHA1
3a6d10268f30e42f973dadf044dba7497e05cdaf

SHA256
05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

SHA512
6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
92ac242312ba34c4634db9cffd66f000

SHA1
5e15769844ccc949096c08bb991600f6f9f1b895

SHA256
1b53d7342121a54ddcc18147d3e3004101a24c93537ad46b57a7873905eeb669

SHA512
b8b9e4a3103b975534960b8fbb7536c2eb384ca19d6696ffdd96b896bc413193e72eb30704db83f208868a0d8fc163d1fa92b0f48d08bf1d5e3bc2afa6550048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
3ba52432003650744d585bcb383df0d3

SHA1
7c5ea6b5871d9f2d8d99ada2c46044010b6c815c

SHA256
c012b3b19eabf7de2b96f4df5f47235aa32f8e28db9d6c338f50570196c4ab8f

SHA512
7563480f2ab2170154fd6f102120be7dc348786c44585a99ec62f74e4b6eb1773aaca47103d397550d29abf1b5519356db51911bd7600b258c1caa3edd7b91e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
01ab62591ec3c6a99222a7c714c67483

SHA1
61ecdf98e27eb568e19aac2a417f8ecfec3c4533

SHA256
0e3206c68e5dc63923805d06b707da3c3b1239cfb44a7845661cdb7528a01130

SHA512
4902ac278b9e05bd5fc3d35473dff8700f7b90081412245acf45a34e0da2cc467d769c1d09a65085b5e86b84d94088e67fd3d255383c60b58b3902ca0ae9ea79

Download Submit
memory/3404-31-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3404-30-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3404-29-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3404-28-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3404-33-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3404-32-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3404-48-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/3404-49-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-50-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-51-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-52-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-53-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-54-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-55-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-56-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-57-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-58-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-59-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-60-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-61-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-63-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-62-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-65-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-64-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-66-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-68-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-67-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-69-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-70-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-71-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-72-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-73-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/3404-74-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-76-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-75-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-77-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-78-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-79-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-81-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-80-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-82-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-84-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-83-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-85-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-86-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-87-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-89-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-90-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-88-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-91-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-92-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-93-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-94-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-97-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-98-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/3404-96-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-95-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-99-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-101-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-100-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/3404-102-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-104-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-103-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3404-105-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download