xworm | ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ya.exe
Size

63KB
MD5

222c2d239f4c8a1d73c736c9cc712807
SHA1

c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256

ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512

1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02
SSDEEP

1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score

10^/10

xworm persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000AA0000-0x0000000000AB6000-memory.dmp	family_xworm
behavioral1/files/0x000b000000013a88-8.dat	family_xworm
behavioral1/memory/344-10-0x0000000001270000-0x0000000001286000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya.exe

Executes dropped EXE 3 IoCs

pid	Process
344	uwumonster.exe
1888	uwumonster.exe
1184	uwumonster.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"	ya.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	ya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2248	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B1E607B1-FFB5-11EE-92B8-52226696DE45} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	ya.exe
Token: SeDebugPrivilege	2196	ya.exe
Token: SeDebugPrivilege	344	uwumonster.exe
Token: SeDebugPrivilege	1888	uwumonster.exe
Token: SeDebugPrivilege	1184	uwumonster.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2180	iexplore.exe
2180	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2248	2196	ya.exe	28
PID 2196 wrote to memory of 2248	2196	ya.exe	28
PID 2196 wrote to memory of 2248	2196	ya.exe	28
PID 2524 wrote to memory of 344	2524	taskeng.exe	31
PID 2524 wrote to memory of 344	2524	taskeng.exe	31
PID 2524 wrote to memory of 344	2524	taskeng.exe	31
PID 2524 wrote to memory of 1888	2524	taskeng.exe	35
PID 2524 wrote to memory of 1888	2524	taskeng.exe	35
PID 2524 wrote to memory of 1888	2524	taskeng.exe	35
PID 2196 wrote to memory of 2180	2196	ya.exe	36
PID 2196 wrote to memory of 2180	2196	ya.exe	36
PID 2196 wrote to memory of 2180	2196	ya.exe	36
PID 2180 wrote to memory of 2696	2180	iexplore.exe	39
PID 2180 wrote to memory of 2696	2180	iexplore.exe	39
PID 2180 wrote to memory of 2696	2180	iexplore.exe	39
PID 2180 wrote to memory of 2696	2180	iexplore.exe	39
PID 2524 wrote to memory of 1184	2524	taskeng.exe	40
PID 2524 wrote to memory of 1184	2524	taskeng.exe	40
PID 2524 wrote to memory of 1184	2524	taskeng.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ya.exe
"C:\Users\Admin\AppData\Local\Temp\ya.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2248
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2696

C:\Windows\system32\taskeng.exe
taskeng.exe {19CB6B9E-5A9B-4363-AB9D-046247D9D532} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:344
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db6edf61c5604177a812c5584f302232

SHA1
128c610e1ce8159aac61b900b5b10e1db02339c1

SHA256
21400c64b110ab171c0d7efcc8aaddaf0e4971b470925341d2a8e7bcdb479ae3

SHA512
58eab13a1049b9638af0d80730e905a8e6d1af956cbe6c7ddebe2efaca400af0d994d038b6e9ae1adb3fdd35b384f1f2eb880b88ad40c898b78cf3119351efac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ef9aa5c6f087640b670d98d61315a3c

SHA1
baa73295dba5bafe0d646fab45f38bb10709b791

SHA256
7a9a1f83e579a99db4fffe07d0696eef5647875b7fe679f00ade5fbc75622bfd

SHA512
af06eb9fcbf110d394a93239cd78e50e926f9bdf0db5ba875eba5f00ac0f7a344393da444ccc0b37b6f7a4dbe2bc96d95259d962f78754081c040f0ae871279a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74c5a3fc0e2f6a9b18a95aa54377ef12

SHA1
b2d2e8eeeb1baf99c8cf771244a463c6422e07ea

SHA256
fa5bd318b9507ca552e7b317424dfa9a07d883e4a80e340042e2769ae4b595b5

SHA512
08a2a5f247a6ec2cbf761615fe8c8e131377e74328f128f7b786ffa41dce56ff686ab7c6669aad9f80cbf06da427203046d1dd279f2c58adbd64cbfc4d0fdca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
001e8eb6070e5d2837d323f35c3530b9

SHA1
09554ff92e0b9f313c95ccb859d96d366ef57b5f

SHA256
d383b2d9f96f5856209106251c1201f7a3b2acf00deabf4a5bd9a189fdf41262

SHA512
667a834c5771e0b392e0908d6ba387eebfd1ddaaadbea64ecf02ff12efa37ad894e343b99322d5b2ecce353f88832735f3a6fab62a0f8dc8cb3e2bcfbd7b66ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ca6a798546a77f19510b1fbd8dda293

SHA1
94de8bca4b1bbe8bdba9deda45720e3bced838fe

SHA256
5d4257a984880584e7795ab0cd8bd130119a9ff586bf72dc251ae1af201e69a8

SHA512
ca68a6a751ba6785b0431d9e818dabcde2b84a0f4311f45c5ff8fab70f840ed782c414a5ac86447eca297d6bc6df51ba18f4b5458367232acccfc94520e06630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b9ef610204e475e7d9aba33d0bd2f2c

SHA1
44c4d55b41549b32f367d9311d7a4eb8b3674d96

SHA256
291240d8475da8f4309319e7b57c31db3a397a0800bb3a5dc4401ef487c4c0ac

SHA512
7fbd582eca9d1eafcb63e11b2a47ed66c09ed853ff48aff8bb20d39ad2295db5fc4b1ebcd571b1c264ed6ad5db99083586d5824623ceedb2c36bc6889c493ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42DD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FB0.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\uwumonster.exe

Filesize
63KB

MD5
222c2d239f4c8a1d73c736c9cc712807

SHA1
c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

SHA256
ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

SHA512
1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
671B

MD5
5dca6aa127f4a92ed43a82772ce24425

SHA1
636cd4bbab274cd9e105e259198953a11db846d4

SHA256
36fdac3ba8df9f1b536851a9db4d11824ae5cb1c7e96a8abdbbf6e763a645f8d

SHA512
f9eaec4cf0d4a50feefa577d1663d4582bbe17dc423a348d43ee6172016579a0356d094a24d7b97062d7e638e35edef44b0b405763e04ebda3347ca71299a693

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
bc858ce54d76b362be901825a50e8e43

SHA1
e848a1b494263d1a3bbd8ac744fcae2afe96987b

SHA256
f57d3d115cc7d21f112875b729fd86235142d84705d3815e7c4be8e1d067fab9

SHA512
4e0e123dcc751a14ec738b156fddf4f2c02eee59369b9d1c08a957092131466a25fb8470e9191ec13a5f28ef485b452326c71e98948d86db4f80937ebd1515c8

Download Submit
memory/344-13-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/344-10-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/344-11-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1184-227-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1184-242-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-18-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-17-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-14-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2196-12-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-0-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

Filesize
88KB

Download
memory/2196-19-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2196-6-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2196-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads