Overview

overview

10

Static

static

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

a ton of y... -.exe

windows7-x64

10

a ton of y... -.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1794s
  • max time network
    1795s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2024, 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

  • Size

    63KB

  • MD5

    222c2d239f4c8a1d73c736c9cc712807

  • SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

  • SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

  • SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

  • SSDEEP

    1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638
Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    uwumonster.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 30 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    "C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4744
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4848
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1536
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1044
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4588
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4016
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4224
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:384
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2016
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:640
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4600
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5072
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4648
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:392
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1712
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4328
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2284
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4632
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4312
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1288
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3044
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4232
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2592
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2108
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4340
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3892
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3616
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4508
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\uwumonster.exe
    Filesize

    63KB

    MD5

    222c2d239f4c8a1d73c736c9cc712807

    SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

    SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

    SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

    Download Submit

  • memory/1448-0-0x00007FFEBE1D3000-0x00007FFEBE1D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1448-1-0x00000000007E0000-0x00000000007F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1448-6-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1448-7-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4848-10-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4848-12-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

    Download