dc11a1bee716f415d0633eba8b3ff76f3505890e86765e9482cfda93d7fc8214

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main/Sounds/Intro.wav
Size

238KB
MD5

ad3b4fae17bcabc254df49f5e76b87a6
SHA1

1683ff029eebaffdc7a4827827da7bb361c8747e
SHA256

e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA512

3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
SSDEEP

3072:FU3hYG9X9JzhaLL5+QYKHZDa6D+4LT92KEpcP+b8FGUt0Ybs5e9jXjubLtNmBNs9:GjVsLL5lva6D+4P9llWvaGe9CHeBNm

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{DAC49DFE-535E-4471-A587-6A9F9829C26A}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	848	unregmp2.exe
Token: SeCreatePagefilePrivilege	848	unregmp2.exe
Token: SeShutdownPrivilege	2620	wmplayer.exe
Token: SeCreatePagefilePrivilege	2620	wmplayer.exe
Token: 33	2944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2944	AUDIODG.EXE
Token: SeShutdownPrivilege	2620	wmplayer.exe
Token: SeCreatePagefilePrivilege	2620	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2620	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 244	2620	wmplayer.exe	88
PID 2620 wrote to memory of 244	2620	wmplayer.exe	88
PID 2620 wrote to memory of 244	2620	wmplayer.exe	88
PID 244 wrote to memory of 848	244	unregmp2.exe	89
PID 244 wrote to memory of 848	244	unregmp2.exe	89

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Sounds\Intro.wav"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
b7af82afc11f5cc1ed329429eaa7faab

SHA1
961b8df688d227c4fd2792e44b43fc0421ee2a52

SHA256
b3521ecaddc76ac4cd8ba70b7dacaecb51925d78229f272db646683fac1284e5

SHA512
7d780f8c7c58a565875ba07d08076f6458e989b05f2731a066f99e6732eec682a94dd564a57c0485e28c0e19f934419b69af263d4dda1341b56890ca154c71c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
406199345f7be36d5e9293ea593d8f58

SHA1
d0546e19b3a0c9f950fa13a64b5023a62be88662

SHA256
8fe0ea0b45bf0ef31a1a13ed5599c844051f96939e158b058bbe0a800a0f21bf

SHA512
5f276fd3562e6e51bbc5d1b37cea4d6aa16d89f51078a67baf99e81ef00d277f4f7a118bef9bf2b31d5759ee9e0cbc9101c421230744eb3954c83a7541860891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
5240cbb68897346258fbe6ee96a531c4

SHA1
168329059fa4d644e7437c1c70c6820d6e8915f2

SHA256
58b94c1d4e303528bb6e6b429123645bea691686ffed33a9a4fe1c61ecd3d9f1

SHA512
14bd5da47b1ecd92ab95cad0c9d73a74ee16b28da9582a09f354d32ec135765fd56fa0e326f05cb06988c671e72598904fc6d4084772ede0c4839fce25bcb6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
82e0d44ae386f45293516ccaae5090ce

SHA1
a12acc9af4d6ee160a1977b48196832c4198a66b

SHA256
4833e8f94cbcedc2eb67a0640e63018e70146dc976be4fbf4995425090c8b26d

SHA512
28f40ac695b8bf729f013528d4d8383ce5c44a672268375b029abe934997b94906b1ed2b55cb39e6ce5b364b134431955daeaa8ed68cd46997c4628288a51a91

Download Submit
memory/2620-28-0x0000000004490000-0x00000000044A0000-memory.dmp

Filesize
64KB

Download
memory/2620-31-0x0000000004490000-0x00000000044A0000-memory.dmp

Filesize
64KB

Download
memory/2620-30-0x0000000004490000-0x00000000044A0000-memory.dmp

Filesize
64KB

Download
memory/2620-29-0x0000000004490000-0x00000000044A0000-memory.dmp

Filesize
64KB

Download
memory/2620-32-0x0000000004490000-0x00000000044A0000-memory.dmp

Filesize
64KB

Download
memory/2620-33-0x0000000004490000-0x00000000044A0000-memory.dmp

Filesize
64KB

Download
memory/2620-35-0x0000000004540000-0x0000000004550000-memory.dmp

Filesize
64KB

Download
memory/2620-38-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-39-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-40-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-41-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-43-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-44-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-46-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-45-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-49-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-48-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-47-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-50-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-52-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-54-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-53-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-55-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-56-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-57-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-58-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-60-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-59-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-64-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-62-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-65-0x0000000004540000-0x0000000004550000-memory.dmp

Filesize
64KB

Download
memory/2620-63-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-66-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-68-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-67-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-69-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-71-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-73-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-72-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-76-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-75-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-74-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-70-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-77-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-78-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-79-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-80-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-82-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-81-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-83-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-84-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-85-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-86-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-89-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-88-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-90-0x0000000004540000-0x0000000004550000-memory.dmp

Filesize
64KB

Download
memory/2620-87-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-91-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-93-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-92-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download
memory/2620-94-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-96-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-95-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/2620-97-0x0000000006EE0000-0x0000000006EF0000-memory.dmp

Filesize
64KB

Download