b52bc0e94ae7c823753777aab3223ec9eda314584744c7bd7a2c624e68ad5028

Analysis

max time kernel
896s
max time network
443s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-12-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm v5.1-5.2/XWorm/XWorm V5.1/Sounds/Chat.wav
Size

45KB
MD5

832a3652fd780edcdb2439ec33532c0d
SHA1

f0754ee6519d77700f5ee5b744b8c99386d7b577
SHA256

45f4136e58a5f749d125d2ab54308f81954d2c5b364b66013660a6c358845d1e
SHA512

3b3b55afcdfa00d9b7085b20ed52a7b4d8b7d403f5d0d1c539781db1a20257efd8c856e19b8f32ea33766a580690b498ff063849519691a9a4cbbcd3e9447cd4
SSDEEP

768:QVPqefmaP5C3KduJn13jSHYHzIcr6DPW75Pvi3Fy5NQbIbhuJLA+LhDclY3Rp6:yP1mU5GlJnBS4TIQ6o163ofQ8b4Pfm

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{0F016825-DEAE-4468-9BED-9B71F772D6A7}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3700	wmplayer.exe
Token: SeCreatePagefilePrivilege	3700	wmplayer.exe
Token: SeShutdownPrivilege	4244	unregmp2.exe
Token: SeCreatePagefilePrivilege	4244	unregmp2.exe
Token: 33	240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	240	AUDIODG.EXE
Token: SeShutdownPrivilege	3700	wmplayer.exe
Token: SeCreatePagefilePrivilege	3700	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3700	wmplayer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 4848	3700	wmplayer.exe	77
PID 3700 wrote to memory of 4848	3700	wmplayer.exe	77
PID 3700 wrote to memory of 4848	3700	wmplayer.exe	77
PID 4848 wrote to memory of 4244	4848	unregmp2.exe	78
PID 4848 wrote to memory of 4244	4848	unregmp2.exe	78

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.1\Sounds\Chat.wav"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F8 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
19d78b1eae63fd95e33c36ae0cad7aa8

SHA1
52bbbd1abf5e05fd11b19462a54685e7ccfc2d4b

SHA256
50c2e86388d63a5a5a2052f9866083e8784c3eed266f9b947b4f5772e5fbcf80

SHA512
34d6dd06fc41e2a3bf026cc58e461cf12064eab6969225d118b786aaacfabaac8bd7cbc6c26ad2c985faa04f0a07a4134119d4780c9189ded6db3d0fe9b59454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
fd776a0db9e538556fdc4b068c7310eb

SHA1
ce5c2f0649a81c09086addd33e55a9e28bc6cd28

SHA256
8ea158eb103218f384702ce9aed522ce740329670534572a92fd8c8719cafe01

SHA512
56e37a94a303f12b8358344f7e109311d14bc5261518dcab730425a37b57a0dd591b3b0630f8bd61b1e14c308c72121658212cdedd10ebed8ca2cc489345f767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
025951f5d0c20bb7d4febfc94e5a3c48

SHA1
7eea7c40a3c0cf03cef544c6884136f34ead9f59

SHA256
85bb99c3233d85b4edc394b295ab06de1dda9439b5a0c853ed46ac3ec8d5c146

SHA512
4b9bcf78d4101529308c5ec14804b0b27650767d2a505ce547ff6ff37b70ed492f74fbd3dc4598a55f0d1a7f94daeee5b7a317e62e8d4b74fe437a05ee5008d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
fb8e5fe52ae4d42c82e0430731ac2cd3

SHA1
e1fbaea93e7ef0714844c47df135e7393524fc8a

SHA256
eec6c4b1ff11c1552a76989f5df0118070d86fbcde4336830f8c51c3a298b349

SHA512
fd296aaf1e5191ae174afed1bdc46c64f4dda8c9921d48d9aa75b5b9b8da27ec0e474f8a312987e8dd6a6bfca38a12a43ccd58e6c071bc2d0cddfd8d60bc7a6d

Download Submit
memory/3700-28-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3700-29-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3700-30-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3700-31-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3700-33-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3700-32-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3700-39-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3700-41-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-42-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-43-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-44-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-45-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-46-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-48-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-47-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-50-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-51-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-49-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-52-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-57-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-56-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-55-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-54-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-53-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-59-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-60-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-61-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-62-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-66-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3700-65-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-64-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-68-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-63-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-70-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-71-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-72-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-74-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-73-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-78-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-79-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-77-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-76-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-75-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-80-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-83-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-84-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-86-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-85-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-82-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-87-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-88-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-89-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-90-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-93-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-94-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-92-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-95-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3700-97-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-99-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-98-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download
memory/3700-100-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-102-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-101-0x0000000009A40000-0x0000000009A50000-memory.dmp

Filesize
64KB

Download
memory/3700-103-0x0000000007D00000-0x0000000007D10000-memory.dmp

Filesize
64KB

Download